Home
Blog
Investigations
December 11, 2024
5
min read

Navigating complexity with structure: Using pre-built sequences for security investigations

What analysts consistently do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes. Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because: Analysts of any skill level can build them as needed without coding or scripting.

investigations
Product
Facets
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

What analysts do during complex investigations makes the difference between consistent, thorough analyses and spinning their wheels in the sand. While sophisticated investigation processes require bespoke steps by definition, security operations teams need to standardize best practices where possible to save valuable cycles and deliver consistent outcomes.  

Command Zero delivers structure to help navigate complexity by delivering expertise via questions and facets. Facets are pre-built sequences for investigations, and they transform security analysis because:  

  • Analysts of any skill level can build them as needed without coding or scripting. Our benchmark to build new facets is 2-3 minutes.
  • You don’t have to rely on the SOAR/content team for new capabilities. You can build, modify, test, and run as you go within an investigation.  
  • Facets are easy to analyze; you can run them and get a report specifically for facet branches.
  • They collect, extract and report on the data for investigations, reducing the toil for each investigation. For example, some data sources are complicated to work with, automatically pulling all emails or all devices for a user can save cycles for each identity-focused investigation.
  • The more facets you build, the more tools you have in your tool bag. Each facet increases speed and accuracy for investigations.

The Challenges of Modern Security Investigations

It’s almost 2025, we are all juggling multi-cloud, SaaS apps, hybrid environments and likely a lot of technical debt. As a result, securing the infrastructure and running investigations in these environments are as complex as they’ve been (so far). Daily, security analysts are battling:

  • Information overload from multiple data sources
  • Time-consuming manual data collection, timeline generation and reporting
  • Inconsistent investigation steps
  • Time pressure induced human errors - overlooking critical details

Combined with the ever-present universal talent gap, steep learning curves for junior analysts and difficulties in building/maintaining institutional knowledge, almost every investigation becomes a new adventure full of uncertainty.  

These challenges with investigation processes lead to:

  • Longer exposure to threats: This translates to increased risk for the organization and is caused by a myriad of operational factors including:  
  • Increased response times
  • Missed threat indicators
  • Inefficient resource utilization: In business terms, this is increased cost for the organization, caused by lack of standardization and predictability:  
  • Inconsistent threat analysis
  • Knowledge silos within security teams
  • Frustration and high turnover rates with analysts

By removing repetitive, low-value steps from the investigation process and standardizing the investigation flow, we can significantly improve outcomes of security analysis and reduce risk, all while reducing cost.  

Enter Facets: Prebuilt sequences for structured investigations

Prebuilt sequences are called facets in Command Zero. The platform comes with outcome-focused sequences and offers a no-code way to build and update your own facets. Running structured sequences have proven to be a game-changing approach to address critical security operations challenges. By providing a structured, repeatable framework for investigations, facets transform how security teams approach threat analysis and incident response.

What Are Facets?

Facets are pre-built investigation frameworks that guide analysts through a systematic approach to gathering and analyzing information. Think of them as intelligent roadmaps that ensure no critical questions or data are overlooked during an investigation.

Facets are sequences of questions that get the data needed to deliver specific investigation outcomes. For example, in an investigation where you are validating the hypothesis: “We are receiving password spray attacks from this IP”, you can run the Okta or Entra Password Spray facet.  

The password spray facet runs relevant sequences (depending on the data sources) to validate or disprove the hypothesis and asks follow-up questions as needed.

Depending on the results of this investigative branch, the Command Zero platform automatically asks follow-up questions to identify the full scope of the case at hand. Similarly, analysts can ask additional questions to deepen the investigation on these branches.  

Other frequently used facets include a user’s last day, suspicious login activity, impossible travel and account compromise. The Command Zero security research team ship new facets every week.

When the analysis is complete, Analysts can generate a report for the complete investigation, or a report covering the outcome of the selected facet.

Command Zero delivers end-to-end investigation reporting and facet reporting.

 

Analysts can use:  

  • the default facets on the Command Zero platform,  
  • their organization’s custom facets,
  • their own personal custom facets.  

They can also build their own facets as needed, adding them to the shared toolkit for their organization.

How to build facets

Analysts can easily build their own facets by selecting the sequence of questions to be asked to the connected data sources. Building a facet is as simple as running a user-led investigation on Command Zero.  

Located under the management tab, the Facet Manager is your central hub for working with facets. Here, you'll find:

  • Organizational facets
  • Pre-existing Command Zero facets
  • The ability to preview, duplicate, and create new facets
Users can review/edit/clone existing facets and create new facets using the Facet Manager.

A step-by-step guide to building facets

1. Creating a New Facet

  • Start by adding a root lead (this can be an IP address, username, email, SHA1 hash value or any other data type supported by the connected data sources)
  • Select the lead type
  • Choose specific questions related to that lead type

Facets can start with any lead type and follow up questions can be asked to data returned as answers. This flow allows creating sequences that follow through investigation branches as new data is added to analysis.

2. Customizing Your Investigation Flow

The Facet Builder allows you to:

  • Follow specific lead types (data received as answer to any question can be followed on for additional questions, allowing for branching to follow these new leads)
  • Add multiple questions
  • Create a tailored investigative path

Running facets within investigations

Facets can be applied at any point in an investigation by:

  • Selecting a lead
  • Click the ellipsis menu
  • Choose "Facets"
  • Browse and apply the appropriate facet

Analysts can run facets on any lead during an investigation.  

Pro tips for facet building

  • Preview facets before applying.
  • Save drafts of your facets to continue working on them later.  
  • Use the "view facet" option to review detailed investigation flows.  
  • Highlight and select leads to continue executing branches of your investigation.

Key benefits of facets

Facets save time and improve the accuracy of investigations for every analyst.  

  1. Standardization: Facets ensure a consistent investigative approach across all analysts, shifts and teams.  
  1. Flexibility: Facets can be applied to any lead type (so analysts can dive deep into rabbit holes in a structured way) and analysts can build new facets while investigating a specific case (without having to wait for the SOAR/content team).  
  1. Guided Execution: Facets automatically execute a structured sequence of questions and highlights the investigation flow. So all analysts follow the best practices and avoid time-consuming repetitive tasks.  
  1. Collaborative: Facets can easily be shared across your organization, helping build institutional knowledge with every investigation.  

Conclusion

Command Zero facets transform investigative work from a potentially chaotic process to a structured, methodical approach. By providing a standard framework that can be customized, they empower analysts to conduct more thorough and efficient investigations. You can watch a 3+ minute demo of facets below: 

Interested?

Schedule a demo with our team to see the power of facets and the Command Zero platform.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

Control Validation: Uncovering Tactical Drift in SecOps

Control validation addresses a critical vulnerability in modern security operations—the gap between deployed security measures and their actual effectiveness. This post explores how tactical drift occurs when security controls appear compliant but fail in practice due to system updates, infrastructure changes, and oversight. Security teams face overwhelming volume, knowledge barriers, and process complexity that prevent effective validation. Command Zero transforms this landscape by democratizing expertise, connecting cross-system data, and accelerating investigations through AI-powered tools. Organizations without robust control validation operate with a false sense of security, leaving critical vulnerabilities exposed. The most dangerous security gaps aren't those you're monitoring—they're the control failures hiding in plain sight that you haven't validated.
Eric Hulse
Mar 20, 2025
5
min read
Investigations
Highlight

GitHub Investigations: Securing the Foundation of Modern Innovation

As software development accelerates through DevOps processes, GitHub repositories have become both invaluable intellectual property stores and potential attack vectors. Threat actors increasingly exploit these environments through sophisticated techniques—from hijacking GitHub Actions for cryptocurrency mining to poisoning open-source libraries with backdoors. Security analysts face significant challenges when investigating GitHub activities: logs designed for developers rather than security teams, uncertainty about effective investigation approaches, and overwhelming noise from normal development activities. Command Zero addresses these challenges through an innovative platform that transforms complex investigations into accessible questions, enables seamless pivoting between data sources, and accelerates investigations through AI-powered analysis. By democratizing GitHub security expertise, Command Zero empowers every analyst to conduct sophisticated investigations without specialized knowledge—closing critical security gaps in the DevOps pipeline and establishing comprehensive visibility across interconnected systems.
Eric Hulse
Feb 27, 2025
5
min read
Investigations
Highlight

Email Investigations: The Epicenter of Security Analysis

Email remains at the heart of most security investigations, from phishing alerts, insider threats to business email compromise (BEC for both internal and third-party emails) incidents. While many teams focus solely on whether a malicious link was clicked, the real challenge lies in understanding email activities and other user behaviors in the big picture - what users do after an incident occurs. This post explores how email credentials represent full user identities and why this makes them prime targets for attackers. Using real examples, like the case of an Acme Corp administrator with extensive system access, we demonstrate how attackers can easily identify and target high-value accounts through LinkedIn and other public sources. Traditional email investigations face significant challenges: time-consuming manual correlation, complex access requirements across multiple systems, and difficulty in assessing the full blast radius of compromised accounts. Command Zero addresses these challenges through unified data analysis, AI-guided investigations, automated timeline analysis, and intelligent narrative building. The post concludes by emphasizing that email investigations can't be treated as checkbox exercises - they require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This approach transforms email investigations from time-consuming manual processes into rapid, comprehensive analyses that any investigator can conduct effectively.
Alfred Huger
Feb 20, 2025
12
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All