Home
Blog
Investigations
December 11, 2024
5
min read

Navigating complexity with structure: Using pre-built sequences for security investigations

What analysts consistently do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes. Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because: Analysts of any skill level can build them as needed without coding or scripting.

investigations
Product
Facets
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

What analysts do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes.  

Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because:  

  • Analysts of any skill level can build them as needed without coding or scripting. Our benchmark to build new facets is 2-3 minutes.
  • You don’t have to rely on the SOAR/content team for new capabilities. You can build, modify, test, and run as you go within an investigation.  
  • Facets are easy to analyze; you can run them and get a report specifically for facet branches.
  • They collect, extract and report on the data for investigations, reducing the toil for each investigation. For example, some data sources are complicated to work with, automatically pulling all emails or all devices for a user can save cycles for each identity-focused investigation.
  • The more facets you build, the more tools you have in your tool bag. Each facet increases speed and accuracy for investigations.

The Challenges of Modern Security Investigations

It’s almost 2025, we are all juggling multi-cloud, SaaS apps, hybrid environments and likely a lot of technical debt. As a result, securing the infrastructure and running investigations in these environments are as complex as they’ve been (so far). Daily, security analysts are battling:

  • Information overload from multiple data sources
  • Time-consuming manual data collection, timeline generation and reporting
  • Inconsistent investigation steps
  • Time pressure induced human errors - overlooking critical details

Combined with the ever-present universal talent gap, steep learning curves for junior analysts and difficulties in building/maintaining institutional knowledge, almost every investigation becomes a new adventure full of uncertainty.  

These challenges with investigation processes lead to:

  • Longer exposure to threats: This translates to increased risk for the organization and is caused by a myriad of operational factors including:  
  • Increased response times
  • Missed threat indicators
  • Inefficient resource utilization: In business terms, this is increased cost for the organization, caused by lack of standardization and predictability:  
  • Inconsistent threat analysis
  • Knowledge silos within security teams
  • Frustration and high turnover rates with analysts

By removing repetitive, low-value steps from the investigation process and standardizing the investigation flow, we can significantly improve outcomes of security analysis and reduce risk, all while reducing cost.  

Enter Facets: Prebuilt sequences for structured investigations

Prebuilt sequences are called facets in Command Zero. The platform comes with outcome-focused sequences and offers a no-code way to build and update your own facets. Running structured sequences have proven to be a game-changing approach to address critical security operations challenges. By providing a structured, repeatable framework for investigations, facets transform how security teams approach threat analysis and incident response.

What Are Facets?

Facets are pre-built investigation frameworks that guide analysts through a systematic approach to gathering and analyzing information. Think of them as intelligent roadmaps that ensure no critical questions or data are overlooked during an investigation.

Facets are sequences of questions that get the data needed to deliver specific investigation outcomes. For example, in an investigation where you are validating the hypothesis: “We are receiving password spray attacks from this IP”, you can run the Okta or Entra Password Spray facet.  

The password spray facet runs relevant sequences (depending on the data sources) to validate or disprove the hypothesis and asks follow-up questions as needed.

Depending on the results of this investigative branch, the Command Zero platform automatically asks follow-up questions to identify the full scope of the case at hand. Similarly, analysts can ask additional questions to deepen the investigation on these branches.  

Other frequently used facets include a user’s last day, suspicious login activity, impossible travel and account compromise. The Command Zero security research team ship new facets every week.

When the analysis is complete, Analysts can generate a report for the complete investigation, or a report covering the outcome of the selected facet.

Command Zero delivers end-to-end investigation reporting and facet reporting.

 

Analysts can use:  

  • the default facets on the Command Zero platform,  
  • their organization’s custom facets,
  • their own personal custom facets.  

They can also build their own facets as needed, adding them to the shared toolkit for their organization.

How to build facets

Analysts can easily build their own facets by selecting the sequence of questions to be asked to the connected data sources. Building a facet is as simple as running a user-led investigation on Command Zero.  

Located under the management tab, the Facet Manager is your central hub for working with facets. Here, you'll find:

  • Organizational facets
  • Pre-existing Command Zero facets
  • The ability to preview, duplicate, and create new facets
Users can review/edit/clone existing facets and create new facets using the Facet Manager.

A step-by-step guide to building facets

1. Creating a New Facet

  • Start by adding a root lead (this can be an IP address, username, email, SHA1 hash value or any other data type supported by the connected data sources)
  • Select the lead type
  • Choose specific questions related to that lead type

Facets can start with any lead type and follow up questions can be asked to data returned as answers. This flow allows creating sequences that follow through investigation branches as new data is added to analysis.

2. Customizing Your Investigation Flow

The Facet Builder allows you to:

  • Follow specific lead types (data received as answer to any question can be followed on for additional questions, allowing for branching to follow these new leads)
  • Add multiple questions
  • Create a tailored investigative path

Running facets within investigations

Facets can be applied at any point in an investigation by:

  • Selecting a lead
  • Click the ellipsis menu
  • Choose "Facets"
  • Browse and apply the appropriate facet

Analysts can run facets on any lead during an investigation.  

Pro tips for facet building

  • Preview facets before applying.
  • Save drafts of your facets to continue working on them later.  
  • Use the "view facet" option to review detailed investigation flows.  
  • Highlight and select leads to continue executing branches of your investigation.

Key benefits of facets

Facets save time and improve the accuracy of investigations for every analyst.  

  1. Standardization: Facets ensure a consistent investigative approach across all analysts, shifts and teams.  
  1. Flexibility: Facets can be applied to any lead type (so analysts can dive deep into rabbit holes in a structured way) and analysts can build new facets while investigating a specific case (without having to wait for the SOAR/content team).  
  1. Guided Execution: Facets automatically execute a structured sequence of questions and highlights the investigation flow. So all analysts follow the best practices and avoid time-consuming repetitive tasks.  
  1. Collaborative: Facets can easily be shared across your organization, helping build institutional knowledge with every investigation.  

Conclusion

Command Zero facets transform investigative work from a potentially chaotic process to a structured, methodical approach. By providing a standard framework that can be customized, they empower analysts to conduct more thorough and efficient investigations. You can watch a 3+ minute demo of facets below: 

Interested?

Schedule a demo with our team to see the power of facets and the Command Zero platform.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

2024 Learnings and 2025 Predictions Through Frequently Asked Questions

Disclaimer: This is not yet another 2025 predictions post where the author states the obvious (or the outrageous). Instead, we cover three frequently asked questions about Command Zero, what these questions taught us about 2024 and how they shaped our predictions for 2025. In this post, we will cover three frequently asked questions and responses: Who is Command Zero is for? How does Command Zero complement existing security operations investments? How is Command Zero similar to or different from AI-powered SOC analysts? AI-powered chatbots? We will also share our three predictions for 2025 based on these questions and observations. Happy holidays and we hope you enjoy this format!
Erdem Menges
Dec 19, 2024
7
min read
Investigations
Highlight

Current SecOps tools are hard to operate and investigate

Despite the early and sincere focus on search/investigations, modern SIEM and SOAR capabilities have evolved to satisfy compliance/regulatory requirements. Today, these technologies do not provide dedicated investigation tools and the right user experience for an effective flow. In this post, we dive into findings from our research, discover sample use cases and recommend solutions to common issues for investigations.
Dean De Beer
Oct 30, 2024
8
min read
Investigations
Highlight

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.
Eric Hulse
Oct 24, 2024
7
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All