Home
Blog
Investigations
December 11, 2024
5
min read

Navigating complexity with structure: Using pre-built sequences for security investigations

What analysts consistently do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes. Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because: Analysts of any skill level can build them as needed without coding or scripting.

investigations
Product
Facets
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

What analysts do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes.  

Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because:  

  • Analysts of any skill level can build them as needed without coding or scripting. Our benchmark to build new facets is 2-3 minutes.
  • You don’t have to rely on the SOAR/content team for new capabilities. You can build, modify, test, and run as you go within an investigation.  
  • Facets are easy to analyze; you can run them and get a report specifically for facet branches.
  • They collect, extract and report on the data for investigations, reducing the toil for each investigation. For example, some data sources are complicated to work with, automatically pulling all emails or all devices for a user can save cycles for each identity-focused investigation.
  • The more facets you build, the more tools you have in your tool bag. Each facet increases speed and accuracy for investigations.

The Challenges of Modern Security Investigations

It’s almost 2025, we are all juggling multi-cloud, SaaS apps, hybrid environments and likely a lot of technical debt. As a result, securing the infrastructure and running investigations in these environments are as complex as they’ve been (so far). Daily, security analysts are battling:

  • Information overload from multiple data sources
  • Time-consuming manual data collection, timeline generation and reporting
  • Inconsistent investigation steps
  • Time pressure induced human errors - overlooking critical details

Combined with the ever-present universal talent gap, steep learning curves for junior analysts and difficulties in building/maintaining institutional knowledge, almost every investigation becomes a new adventure full of uncertainty.  

These challenges with investigation processes lead to:

  • Longer exposure to threats: This translates to increased risk for the organization and is caused by a myriad of operational factors including:  
  • Increased response times
  • Missed threat indicators
  • Inefficient resource utilization: In business terms, this is increased cost for the organization, caused by lack of standardization and predictability:  
  • Inconsistent threat analysis
  • Knowledge silos within security teams
  • Frustration and high turnover rates with analysts

By removing repetitive, low-value steps from the investigation process and standardizing the investigation flow, we can significantly improve outcomes of security analysis and reduce risk, all while reducing cost.  

Enter Facets: Prebuilt sequences for structured investigations

Prebuilt sequences are called facets in Command Zero. The platform comes with outcome-focused sequences and offers a no-code way to build and update your own facets. Running structured sequences have proven to be a game-changing approach to address critical security operations challenges. By providing a structured, repeatable framework for investigations, facets transform how security teams approach threat analysis and incident response.

What Are Facets?

Facets are pre-built investigation frameworks that guide analysts through a systematic approach to gathering and analyzing information. Think of them as intelligent roadmaps that ensure no critical questions or data are overlooked during an investigation.

Facets are sequences of questions that get the data needed to deliver specific investigation outcomes. For example, in an investigation where you are validating the hypothesis: “We are receiving password spray attacks from this IP”, you can run the Okta or Entra Password Spray facet.  

The password spray facet runs relevant sequences (depending on the data sources) to validate or disprove the hypothesis and asks follow-up questions as needed.

Depending on the results of this investigative branch, the Command Zero platform automatically asks follow-up questions to identify the full scope of the case at hand. Similarly, analysts can ask additional questions to deepen the investigation on these branches.  

Other frequently used facets include a user’s last day, suspicious login activity, impossible travel and account compromise. The Command Zero security research team ship new facets every week.

When the analysis is complete, Analysts can generate a report for the complete investigation, or a report covering the outcome of the selected facet.

Command Zero delivers end-to-end investigation reporting and facet reporting.

 

Analysts can use:  

  • the default facets on the Command Zero platform,  
  • their organization’s custom facets,
  • their own personal custom facets.  

They can also build their own facets as needed, adding them to the shared toolkit for their organization.

How to build facets

Analysts can easily build their own facets by selecting the sequence of questions to be asked to the connected data sources. Building a facet is as simple as running a user-led investigation on Command Zero.  

Located under the management tab, the Facet Manager is your central hub for working with facets. Here, you'll find:

  • Organizational facets
  • Pre-existing Command Zero facets
  • The ability to preview, duplicate, and create new facets
Users can review/edit/clone existing facets and create new facets using the Facet Manager.

A step-by-step guide to building facets

1. Creating a New Facet

  • Start by adding a root lead (this can be an IP address, username, email, SHA1 hash value or any other data type supported by the connected data sources)
  • Select the lead type
  • Choose specific questions related to that lead type

Facets can start with any lead type and follow up questions can be asked to data returned as answers. This flow allows creating sequences that follow through investigation branches as new data is added to analysis.

2. Customizing Your Investigation Flow

The Facet Builder allows you to:

  • Follow specific lead types (data received as answer to any question can be followed on for additional questions, allowing for branching to follow these new leads)
  • Add multiple questions
  • Create a tailored investigative path

Running facets within investigations

Facets can be applied at any point in an investigation by:

  • Selecting a lead
  • Click the ellipsis menu
  • Choose "Facets"
  • Browse and apply the appropriate facet

Analysts can run facets on any lead during an investigation.  

Pro tips for facet building

  • Preview facets before applying.
  • Save drafts of your facets to continue working on them later.  
  • Use the "view facet" option to review detailed investigation flows.  
  • Highlight and select leads to continue executing branches of your investigation.

Key benefits of facets

Facets save time and improve the accuracy of investigations for every analyst.  

  1. Standardization: Facets ensure a consistent investigative approach across all analysts, shifts and teams.  
  1. Flexibility: Facets can be applied to any lead type (so analysts can dive deep into rabbit holes in a structured way) and analysts can build new facets while investigating a specific case (without having to wait for the SOAR/content team).  
  1. Guided Execution: Facets automatically execute a structured sequence of questions and highlights the investigation flow. So all analysts follow the best practices and avoid time-consuming repetitive tasks.  
  1. Collaborative: Facets can easily be shared across your organization, helping build institutional knowledge with every investigation.  

Conclusion

Command Zero facets transform investigative work from a potentially chaotic process to a structured, methodical approach. By providing a standard framework that can be customized, they empower analysts to conduct more thorough and efficient investigations. You can watch a 3+ minute demo of facets below: 

Interested?

Schedule a demo with our team to see the power of facets and the Command Zero platform.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

Email Investigations: The Epicenter of Security Analysis

Email remains at the heart of most security investigations, from phishing alerts, insider threats to business email compromise (BEC for both internal and third-party emails) incidents. While many teams focus solely on whether a malicious link was clicked, the real challenge lies in understanding email activities and other user behaviors in the big picture - what users do after an incident occurs. This post explores how email credentials represent full user identities and why this makes them prime targets for attackers. Using real examples, like the case of an Acme Corp administrator with extensive system access, we demonstrate how attackers can easily identify and target high-value accounts through LinkedIn and other public sources. Traditional email investigations face significant challenges: time-consuming manual correlation, complex access requirements across multiple systems, and difficulty in assessing the full blast radius of compromised accounts. Command Zero addresses these challenges through unified data analysis, AI-guided investigations, automated timeline analysis, and intelligent narrative building. The post concludes by emphasizing that email investigations can't be treated as checkbox exercises - they require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This approach transforms email investigations from time-consuming manual processes into rapid, comprehensive analyses that any investigator can conduct effectively.
Alfred Huger
Feb 20, 2025
12
min read
Investigations
Highlight

Investigate password spray attacks with accuracy and speed

Password spray attacks remain a persistent threat to enterprise environments, serving as a crucial barometer of an organization's security health. These attacks, while common, offer valuable insights into an organization's authentication posture and prompt important questions about targeted identities, potential unnoticed breaches, and possible data leaks from previous breaches. Traditional investigation methods pose challenges when it comes to analyzing password spray: Time constraints, multiple system navigation and potentially superficial investigations. Command Zero transforms password spray investigations by: increasing efficiency and automation, ensuring comprehensive analysis and transparent reporting.
Alfred Huger
Jan 22, 2025
6
min read
Investigations
Highlight

2024 Learnings and 2025 Predictions Through Frequently Asked Questions

Disclaimer: This is not yet another 2025 predictions post where the author states the obvious (or the outrageous). Instead, we cover three frequently asked questions about Command Zero, what these questions taught us about 2024 and how they shaped our predictions for 2025. In this post, we will cover three frequently asked questions and responses: Who is Command Zero is for? How does Command Zero complement existing security operations investments? How is Command Zero similar to or different from AI-powered SOC analysts? AI-powered chatbots? We will also share our three predictions for 2025 based on these questions and observations. Happy holidays and we hope you enjoy this format!
Erdem Menges
Dec 19, 2024
7
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All