Home
Blog
Investigations
July 11, 2024
7
min read

Rediscover threat hunting and investigations

Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.

investigations
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

Introduction & Our problem space

Command Zero set out to solve the most significant bottleneck for security operations: investigations.  

There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders.  (Read more about the problem we’re solving and our unique approach on Dov’s blog post)

To achieve this hefty goal, we’ve built an expert investigations platform for every user. (read more about some of the principles and architectural decisions we’ve made so far on Dean’s blog post)

We do this by encoding the research, the investigatory expertise along with the deep understanding of every unique data source into the platform.

In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.  

To demonstrate this, I will walk you through a hypothetical flow that starts with an investigation stemming from multiple alerts, a brief touch on threat hunting and an overview of a complex investigation using the Command Zero platform.  

Alert-driven investigations

Command Zero has been deployed in production environments of our early adopters and is being put to the test every day. With this usage, we observed that many investigations start with alerts from security solutions today.  

So, building a feature where users can review alerts from the key systems and kick off investigations based on multiple alerts was a natural step for us.  

The alert view provides an overview of alerts from multiple connected systems.
Users can initiate investigation based on an alert or multiple alerts.

When a user starts an investigation based on alerts, Command Zero automatically takes the initial steps and asks the most relevant questions to the data sources involved. This not only saves time for the investigation, but also it helps analyst understand the context more quickly.

Command Zero automatically takes initial steps and renames each investigation based on context.

The platform renames the investigation based on discovered context. It also builds a short summary and potential leads for the analyst.  

Once an investigation starts, the user has multiple capabilities at their fingertips:  

  1. See the investigation summary, review investigation leads.
You can get an overview of the investigation and a summary.
  1. Query multiple sources using pre-built questions to further investigate leads.
Interrogating multiple data sources is done by using pre-built investigation questions.
  1. View previous investigations and notes about the leads in scope.
Past investigations on leads help get up to speed on the historical context.
Notes taken by the analyst or the team help build institutional memory on leads.
  1. Run facets to replicate best practices and save time.
Facets are dynamic playbooks that save time, ensure consistency and build organizational knowledge.
  1. Add questions to timeline.
Users can add noteworthy questions and answers to the timeline for building the narrative of a case.
  1. Each question receives an LLM-generated summary that not only reduces the labor for reporting, but also it ensures that no detail gets missed or overlooked.
Question summaries help better understand results and save time with reporting.
  1. See timeline with notes, add additional notes for reporting.
Auto-generated timelines help communicate the narrative with stakeholders.
  1. See the complete summary of the investigation.
Investigation summaries combine all questions, patterns and timelines.

Reviewing past investigations or current alert-driven investigations on Command Zero is a great way to educate your teams on where the heat map of threats, gaps and overall risk are for our environments.  

Wherever you see the most escalated cases is generally where your team needs to hunt more and take a more proactive stance against these threats.  

Threat hunting

We all agree that threat hunting is a highly impactful activity for organizations. That stated, unless you have a dedicated team for threat hunting, it is an activity that we’re all doing less frequently than we need.  

And when we do threat hunt, we hardly know where to look and which patterns to look  for.  

Threat hunting has three impediments to properly adopt:  

1) Threat hunting expertise,  

2) access to systems in the environment,

3) technical expertise on diverse systems in the environment.

Command Zero tackles all three barriers as an expert platform with federated access to universal data sources.  

Users can interrogate security and non-security data sources in their environments with pre-built expert questions. They no longer need direct access to data sources at the individual level or be administrator level experts for technologies within the scope of the hunt.  

Users can threat hunt across data sources by using pre-built questions.

Traditionally threat hunting was (and still is) an elite activity exclusive to the highly experienced teams. And since these team members are oversubscribed with manual investigations, threat hunting often gets de-prioritized in most organizations.  

Command Zero’s fresh approach democratizes threat hunting to all your analysts, regardless of experience levels and technical expertise for target systems.  

We believe these capabilities will encourage implementation of more threat hunting programs at all organizations, helping the industry shift to a more proactive stance.  

Users can review the responses and identify patterns of interest. They can either interrogate potential leads more before they decide, or they can promote these objects as leads for further investigation.  

Users can promote leads in threat hunts to be further investigated.

By utilizing Command Zero for investigation and threat hunts, analysts not only get a better understanding of the overall picture, but they also gain the ability to focus more on problem areas.  

The threat hunting and investigation experiences above are significant improvements over the manual, chaotic and labor-intensive experiences for these activities today.  

The transformative investigation experience

For each investigation run on the Command Zero platform, every step of the case is documented, visualized and summarized. These capabilities enable transparent collaboration between multiple analysts or teams, coaching opportunities between team members and smooth handovers between teams.  

Command Zero is not a case management system. And we don’t intend to build case management capabilities in the platform. Instead, we are integrating with the leading systems in this space like ServiceNow to facilitate the normal workflow.  

Command Zero works in tandem with case management solutions, yet the platform provides a record of all current and past investigations to help analyst teams do their best work, within the scope of investigations.  

Analysts can review current and past investigations all on one dashboard.

The platform runs autonomous investigations and threat hunts. These activities also appear on the list of investigations. Users can review autonomous investigations, dive deeper into them with additional questions or facets (dynamic playbooks).

Conclusion

To conclude, Command Zero speeds up threat hunting and investigation processes, delivers consistency and enables collaboration for tier-2+ teams. The platform has been a game-changer for our early adopters, and we believe it will make a huge impact for any organization handling investigations.  

Please check out www.cmdzero.io to learn more or watch our platform overview video.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

Email Investigations: The Epicenter of Security Analysis

Email remains at the heart of most security investigations, from phishing alerts, insider threats to business email compromise (BEC for both internal and third-party emails) incidents. While many teams focus solely on whether a malicious link was clicked, the real challenge lies in understanding email activities and other user behaviors in the big picture - what users do after an incident occurs. This post explores how email credentials represent full user identities and why this makes them prime targets for attackers. Using real examples, like the case of an Acme Corp administrator with extensive system access, we demonstrate how attackers can easily identify and target high-value accounts through LinkedIn and other public sources. Traditional email investigations face significant challenges: time-consuming manual correlation, complex access requirements across multiple systems, and difficulty in assessing the full blast radius of compromised accounts. Command Zero addresses these challenges through unified data analysis, AI-guided investigations, automated timeline analysis, and intelligent narrative building. The post concludes by emphasizing that email investigations can't be treated as checkbox exercises - they require sophisticated tools that can handle complex data correlation while guiding investigators toward meaningful conclusions. This approach transforms email investigations from time-consuming manual processes into rapid, comprehensive analyses that any investigator can conduct effectively.
Alfred Huger
Feb 20, 2025
12
min read
Investigations
Highlight

Investigate password spray attacks with accuracy and speed

Password spray attacks remain a persistent threat to enterprise environments, serving as a crucial barometer of an organization's security health. These attacks, while common, offer valuable insights into an organization's authentication posture and prompt important questions about targeted identities, potential unnoticed breaches, and possible data leaks from previous breaches. Traditional investigation methods pose challenges when it comes to analyzing password spray: Time constraints, multiple system navigation and potentially superficial investigations. Command Zero transforms password spray investigations by: increasing efficiency and automation, ensuring comprehensive analysis and transparent reporting.
Alfred Huger
Jan 22, 2025
6
min read
Investigations
Highlight

2024 Learnings and 2025 Predictions Through Frequently Asked Questions

Disclaimer: This is not yet another 2025 predictions post where the author states the obvious (or the outrageous). Instead, we cover three frequently asked questions about Command Zero, what these questions taught us about 2024 and how they shaped our predictions for 2025. In this post, we will cover three frequently asked questions and responses: Who is Command Zero is for? How does Command Zero complement existing security operations investments? How is Command Zero similar to or different from AI-powered SOC analysts? AI-powered chatbots? We will also share our three predictions for 2025 based on these questions and observations. Happy holidays and we hope you enjoy this format!
Erdem Menges
Dec 19, 2024
7
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All