Investigations

What You’ll See Here

  • Investigations by priority: tabs showing Dropzone’s recommendation on what to review first:

    • Urgent

    • Notable

    • Informational

    These priority levels can be influenced using Custom Strategies.

  • Not yet processed: the status of alerts whose investigation has not completed:

    • Queued: alerts that have been ingested by Dropzone and are waiting to be investigated.

      • Alerts enter this stage when 10 investigations are already running at once (the current system limit).

    • Running: alerts that are currently being investigated by your Dropzone analyst.

    • Stopped: alerts that have been ingested but not investigated by Dropzone for a variety of reasons, such as exceeding thresholds set in System Info or encountering an error.

      • To investigate these alerts, click Stopped and then Retry.

      • Stopped alerts do not count against your license.

  • Full investigation write-ups

    • Click into any investigation to see:

      • The overall Summary

      • Detailed investigative context in Findings

      • Supporting artifacts in the Evidence Locker

      • Recommended Remediations (for Malicious, Suspicious, and Inconclusive alerts only)

      • A Notes section for team collaboration

      • A Changelog showing the full investigation lifecycle from ingestion to approval

    Best practice: Check out our guide on how to review an investigation and leave context memory.
