December 11, 2024
5 min read

Navigating complexity with structure: Using pre-built sequences for security investigations


Alfred Huger
Cofounder & CPO

What analysts do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes.  

Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because:  

  • Analysts of any skill level can build them as needed without coding or scripting. Our benchmark to build new facets is 2-3 minutes.
  • You don’t have to rely on the SOAR/content team for new capabilities. You can build, modify, test, and run as you go within an investigation.  
  • Facets are easy to review: you can run one and get a report scoped to that facet's branches.
  • They collect, extract and report on the data for investigations, reducing the toil of each case. Some data sources are complicated to work with; automatically pulling every email or every device for a user, for example, saves cycles in each identity-focused investigation.
  • The more facets you build, the more tools you have in your tool bag. Each facet increases speed and accuracy for investigations.

The Challenges of Modern Security Investigations

It's almost 2025, and we are all juggling multi-cloud, SaaS apps, hybrid environments and likely a lot of technical debt. As a result, securing this infrastructure and running investigations across it are as complex as they have ever been (so far). Daily, security analysts are battling:

  • Information overload from multiple data sources
  • Time-consuming manual data collection, timeline generation and reporting
  • Inconsistent investigation steps
  • Time-pressure-induced human errors, such as overlooking critical details

Combined with the ever-present universal talent gap, steep learning curves for junior analysts and difficulties in building/maintaining institutional knowledge, almost every investigation becomes a new adventure full of uncertainty.  

These challenges with investigation processes lead to:

  • Longer exposure to threats: This translates to increased risk for the organization and is caused by a myriad of operational factors, including:
      • Increased response times
      • Missed threat indicators
  • Inefficient resource utilization: In business terms, this is increased cost for the organization, caused by a lack of standardization and predictability:
      • Inconsistent threat analysis
      • Knowledge silos within security teams
      • Frustration and high turnover rates among analysts

By removing repetitive, low-value steps from the investigation process and standardizing the investigation flow, we can significantly improve outcomes of security analysis and reduce risk, all while reducing cost.  

Enter Facets: Prebuilt sequences for structured investigations

Prebuilt sequences are called facets in Command Zero. The platform comes with outcome-focused sequences and offers a no-code way to build and update your own facets. Running structured sequences has proven to be a game-changing approach to critical security operations challenges. By providing a structured, repeatable framework for investigations, facets transform how security teams approach threat analysis and incident response.

What Are Facets?

Facets are pre-built investigation frameworks that guide analysts through a systematic approach to gathering and analyzing information. Think of them as intelligent roadmaps that ensure no critical questions or data are overlooked during an investigation.

Facets are sequences of questions that get the data needed to deliver specific investigation outcomes. For example, in an investigation where you are validating the hypothesis: “We are receiving password spray attacks from this IP”, you can run the Okta or Entra Password Spray facet.  

The password spray facet runs relevant sequences (depending on the data sources) to validate or disprove the hypothesis and asks follow-up questions as needed.

Depending on the results of this investigative branch, the Command Zero platform automatically asks follow-up questions to identify the full scope of the case at hand. Similarly, analysts can ask additional questions to deepen the investigation on these branches.  
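To make the two steps of that branch concrete (validate the spray hypothesis, then follow up on what the data returns), here is an added example that is not Command Zero code or part of the original post. It runs the same two questions over a handful of constructed sign-in records in a trimmed-down Entra ID sign-in log shape (errorCode 0 is a successful sign-in, 50126 is "invalid username or password"); the records, IPs and user names are made up, and the thresholds are assumptions a facet author would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). The shape loosely
# follows Entra ID sign-in logs: errorCode 0 is a successful sign-in and
# 50126 is "invalid username or password"; fields are trimmed to what the
# check needs.
SIGN_IN_LOGS = [
    # 203.0.113.7 (the hypothesis IP): six distinct users fail within ~3 minutes ...
    {"time": "2024-12-10T09:00:01Z", "ip": "203.0.113.7", "user": "alice@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:00:40Z", "ip": "203.0.113.7", "user": "bob@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:01:15Z", "ip": "203.0.113.7", "user": "carol@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:01:50Z", "ip": "203.0.113.7", "user": "dave@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:02:30Z", "ip": "203.0.113.7", "user": "eve@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:03:05Z", "ip": "203.0.113.7", "user": "frank@example.com", "errorCode": 50126},
    # ... and one of them later signs in successfully from the same IP.
    {"time": "2024-12-10T09:20:00Z", "ip": "203.0.113.7", "user": "dave@example.com", "errorCode": 0},
    # 198.51.100.4: one user mistypes a password, then succeeds (benign noise).
    {"time": "2024-12-10T09:01:00Z", "ip": "198.51.100.4", "user": "erin@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:01:30Z", "ip": "198.51.100.4", "user": "erin@example.com", "errorCode": 0},
    # 192.0.2.9: a slow spray, three users spread over 80 minutes.
    {"time": "2024-12-10T08:00:00Z", "ip": "192.0.2.9", "user": "gina@example.com", "errorCode": 50126},
    {"time": "2024-12-10T08:40:00Z", "ip": "192.0.2.9", "user": "hank@example.com", "errorCode": 50126},
    {"time": "2024-12-10T09:20:00Z", "ip": "192.0.2.9", "user": "ivan@example.com", "errorCode": 50126},
]


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")


def spraying_ips(logs, min_users=5, window_minutes=10):
    """Question 1: which source IPs failed against at least min_users distinct
    accounts inside any sliding window of window_minutes?
    Returns {ip: sorted list of targeted users}. Thresholds are assumed values."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for r in logs:
        if r["errorCode"] != 0:
            failures[r["ip"]].append((_ts(r), r["user"]))

    flagged = defaultdict(set)
    for ip, events in failures.items():
        events.sort()
        in_window = defaultdict(int)  # user -> failures currently inside the window
        lo = 0
        for t, user in events:
            in_window[user] += 1
            # Slide the left edge forward until every counted event is within the window.
            while events[lo][0] < t - window:
                old_user = events[lo][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                lo += 1
            if len(in_window) >= min_users:
                flagged[ip].update(in_window)
    return {ip: sorted(users) for ip, users in flagged.items()}


def sprayed_then_succeeded(logs, flagged):
    """Follow-up question on the branch: did any account sprayed from a flagged
    IP later sign in successfully from that same IP? Those accounts are the
    new leads (possible compromise) for the next set of questions."""
    first_failure = {}
    hits = []
    for r in sorted(logs, key=_ts):
        if r["ip"] not in flagged or r["user"] not in flagged[r["ip"]]:
            continue
        key = (r["ip"], r["user"])
        if r["errorCode"] != 0:
            first_failure.setdefault(key, r["time"])
        elif key in first_failure:
            hits.append({"ip": r["ip"], "user": r["user"], "success_at": r["time"]})
    return hits


if __name__ == "__main__":
    flagged = spraying_ips(SIGN_IN_LOGS)
    print("spray sources:", flagged)
    print("sprayed accounts that later succeeded:", sprayed_then_succeeded(SIGN_IN_LOGS, flagged))
    # The default 10-minute window misses the slow spray from 192.0.2.9; widen it to see it.
    print("with a 2-hour window:", spraying_ips(SIGN_IN_LOGS, min_users=3, window_minutes=120))
```

The second function is the "follow-up question" in miniature: its input is the data the first question returned, and its output is a new lead type (an account) rather than an IP. Note how the slow spray from 192.0.2.9 is invisible at a 10-minute window and only appears when the window is widened, which is why a facet's thresholds are worth reviewing before you treat a negative result as disproving the hypothesis.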

Other frequently used facets include a user's last day, suspicious login activity, impossible travel and account compromise. The Command Zero security research team ships new facets every week.

When the analysis is complete, analysts can generate a report for the complete investigation, or a report covering the outcome of the selected facet.

Command Zero delivers end-to-end investigation reporting and facet reporting.


Analysts can use:  

  • the default facets on the Command Zero platform,  
  • their organization’s custom facets,
  • their own personal custom facets.  

They can also build their own facets as needed, adding them to the shared toolkit for their organization.

How to build facets

Analysts can easily build their own facets by selecting the sequence of questions to be asked to the connected data sources. Building a facet is as simple as running a user-led investigation on Command Zero.  

Located under the management tab, the Facet Manager is your central hub for working with facets. Here, you'll find:

  • Organizational facets
  • Pre-existing Command Zero facets
  • The ability to preview, duplicate, and create new facets

Users can review, edit and clone existing facets and create new facets using the Facet Manager.

A step-by-step guide to building facets

1. Creating a New Facet

  • Start by adding a root lead (this can be an IP address, username, email, SHA-1 hash or any other data type supported by the connected data sources)
  • Select the lead type
  • Choose specific questions related to that lead type

Facets can start with any lead type, and follow-up questions can be asked of the data returned as answers. This flow allows sequences to follow investigation branches as new data is added to the analysis.

2. Customizing Your Investigation Flow

The Facet Builder allows you to:

  • Follow specific lead types (data received as answer to any question can be followed on for additional questions, allowing for branching to follow these new leads)
  • Add multiple questions
  • Create a tailored investigative path

Running facets within investigations

Facets can be applied at any point in an investigation by:

  • Select a lead
  • Click the ellipsis menu
  • Choose "Facets"
  • Browse and apply the appropriate facet

Analysts can run facets on any lead during an investigation.  

Pro tips for facet building

  • Preview facets before applying.
  • Save drafts of your facets to continue working on them later.  
  • Use the "view facet" option to review detailed investigation flows.  
  • Highlight and select leads to continue executing branches of your investigation.

Key benefits of facets

Facets save time and improve the accuracy of investigations for every analyst.  

  1. Standardization: Facets ensure a consistent investigative approach across all analysts, shifts and teams.
  2. Flexibility: Facets can be applied to any lead type (so analysts can dive deep into rabbit holes in a structured way), and analysts can build new facets while investigating a specific case (without having to wait for the SOAR/content team).
  3. Guided Execution: Facets automatically execute a structured sequence of questions and highlight the investigation flow, so all analysts follow best practices and avoid time-consuming repetitive tasks.
  4. Collaborative: Facets can easily be shared across your organization, helping build institutional knowledge with every investigation.

Conclusion

Command Zero facets transform investigative work from a potentially chaotic process to a structured, methodical approach. By providing a standard framework that can be customized, they empower analysts to conduct more thorough and efficient investigations. You can watch a 3+ minute demo of facets below: 

Interested?

Schedule a demo with our team to see the power of facets and the Command Zero platform.  

