April 2, 2025
4 min read

Why SIEMs and data lakes do not deliver the optimal experience for security investigations

Centralized data systems like SIEMs and data lakes excel at detection, reporting and compliance, but fall short for complex security investigations. These tools weren’t designed for dynamic workflows, forcing analysts to write complex queries and manually retrieve data, wasting critical time during incidents. Command Zero redefines investigative workflows by combining automation with expert-driven AI capabilities. The platform automates routine tasks, summarizes complex artifacts, and proactively suggests next steps, enabling analysts to focus on high-impact activities like root cause analysis and risk mitigation. For example, a Tier 1 analyst investigating phishing campaigns can bypass hours of manual log retrieval and cross-referencing thanks to automated processes that deliver actionable insights. Unlike generic chatbots or tier-1 focused agentic AI, Command Zero’s LLM implementation supplements analysts by bridging knowledge gaps and enhancing decision-making across all experience levels. This pragmatic approach empowers security teams to work smarter, reducing noise and inefficiencies while delivering faster, clearer results for both analysts and executives.

Eric Hulse
Director of Security Research

Introduction

Centralized data stores, like SIEMs and data lakes, are excellent at aggregating information for detection, but they fall short when it comes to investigations. These tools weren’t designed with investigative workflows in mind, and trying to use them for this purpose often leads to inefficiencies that slow analysts down when time is critical.

Security analysts face a fundamental daily challenge: they're oversubscribed, constantly distracted by incoming alerts, messages, and cases, yet expected to focus on high-priority incidents that require deep investigation. The traditional approach forces them to become part-time security engineers, spending valuable time crafting complex queries instead of analyzing security threats.

Why centralized data stores struggle with investigations

SIEMs, security data lakes and similar platforms are optimized for alert generation, not dynamic exploration. Investigations require analysts to pivot quickly between data sources, uncover patterns, and drill down into specific areas—all tasks that centralized systems make unnecessarily complex.

Take SIEMs as an example. Analysts often need to write intricate queries in vendor-specific languages such as KQL (Kusto Query Language) just to retrieve relevant data. This process is cumbersome and error-prone, especially during live incidents where speed and accuracy are paramount. If an investigation turns out to be a false positive or narrows in scope early on, the analyst may already have spent hours navigating a system that wasn’t built for the task.

Consider this common scenario: A Tier 1 analyst receives an alert about suspicious activity in AWS. Their experience is in Azure, so retrieving even basic data points means hours of research on the AWS side followed by extensive consultations with the administrators who own the account. This creates a bottleneck where knowledge of each platform's query tooling becomes a prerequisite for effective security analysis.

When investigating a potential incident, analysts often need to:

  • Learn specialized query languages for each data source
  • Craft complex queries across multiple systems
  • Manually retrieve and correlate data from disparate sources
  • Communicate findings using inconsistent formats

These operational inefficiencies prevent analysts from focusing on their primary responsibility: determining whether security risks exist and what actions to take.

Another challenge is access to diverse data sources. Investigating a GitHub Enterprise-related incident, for instance, usually means pulling audit log events from GitHub’s API: obtaining a token with the right scope, building the query, paging through the results, and often coordinating with the administrators who own the organization. Centralized systems rarely streamline these workflows, leaving analysts stuck performing manual tasks that should be automated.
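The steps that paragraph lists, written out as an added example rather than code from Command Zero or from the original post. The org audit-log endpoint, the Bearer-token header and Link-header pagination are GitHub's documented REST behaviour for GitHub Enterprise Cloud; the org name `example-org`, the token, the `after=` cursor and every event in the sample pages are constructed so the script runs offline, with `fake_fetch` standing in for the real `http_fetch` transport.

```python
"""Retrieve GitHub audit-log events for an investigation, page by page.

Added example, not Command Zero's code.  The org audit-log endpoint, the
Bearer-token header and Link-header pagination are GitHub's documented REST
behaviour for GitHub Enterprise Cloud; the org name, token, cursor and every
event below are constructed so the script runs offline.  `http_fetch` is the
real transport; `fake_fetch` stands in for it here.
"""
import json
import re
import urllib.request
from collections import Counter
from urllib.parse import urlencode

API = "https://api.github.com"
NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def audit_log_url(org, phrase, per_page=100):
    """First page of an org audit-log query. `phrase` uses GitHub's search
    qualifiers, e.g. 'actor:mallory action:repo.destroy created:>=2025-03-01'."""
    return f"{API}/orgs/{org}/audit-log?" + urlencode({"phrase": phrase, "per_page": per_page})


def parse_next_link(link_header):
    """Return the rel="next" URL from a Link header, or None on the last page."""
    if not link_header:
        return None
    match = NEXT_LINK.search(link_header)
    return match.group(1) if match else None


def http_fetch(token):
    """Build a fetch(url) -> (lowercased headers, events) closure over a real token."""
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)
    return fetch


def collect_audit_events(first_url, fetch, max_pages=50):
    """Follow rel="next" links until the last page (max_pages is a runaway guard)."""
    events, url, pages = [], first_url, 0
    while url and pages < max_pages:
        headers, body = fetch(url)
        events.extend(body)
        url = parse_next_link(headers.get("link"))
        pages += 1
    return events


def summarize_by_actor(events):
    """Count (actor, action) pairs: the first pivot an analyst wants to see."""
    return Counter((e.get("actor"), e.get("action")) for e in events)


# ---- constructed offline stand-in for the API (hypothetical org, cursor, events) ----
ORG = "example-org"
FIRST_URL = audit_log_url(ORG, "actor:mallory created:>=2025-03-01")
SECOND_URL = f"{API}/orgs/{ORG}/audit-log?after=c2&per_page=100"  # hypothetical cursor
_PAGES = {
    FIRST_URL: ({"link": f'<{SECOND_URL}>; rel="next"'}, [
        {"@timestamp": 1743501730000, "action": "repo.destroy", "actor": "mallory",
         "org": ORG, "repo": f"{ORG}/payments"},
        {"@timestamp": 1743501790000, "action": "org.remove_member", "actor": "mallory",
         "org": ORG, "user": "alice"},
    ]),
    SECOND_URL: ({}, [
        {"@timestamp": 1743502010000, "action": "repo.destroy", "actor": "mallory",
         "org": ORG, "repo": f"{ORG}/billing"},
    ]),
}


def fake_fetch(url):
    """Offline replacement for http_fetch(token): serves the constructed pages."""
    return _PAGES[url]


def run_example():
    events = collect_audit_events(FIRST_URL, fake_fetch)
    return events, summarize_by_actor(events)


if __name__ == "__main__":
    evts, summary = run_example()
    print(len(evts), "events;", dict(summary))
```

Against a real organization, replace `fake_fetch` with `http_fetch(token)` where the token carries the `read:audit_log` scope; the `max_pages` guard is there because a broad phrase can page for a long time, which is exactly the kind of wall-clock cost the post is describing.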

Analysts are overwhelmed by noise every day

Security operations centers (SOCs) are inundated with alerts, cases, and requests from leadership. Analysts often spend more time managing tools than solving problems. This fragmentation of attention leads to inefficiencies and missed opportunities to address high-impact threats.

For example, a Tier 1 analyst investigating a phishing campaign might spend hours piecing together email logs manually, cross-referencing them with identity data, and crafting reports for leadership, all while juggling other cases and incoming alerts. The result is time spent on repetitive correlation instead of on identifying root causes or assessing risk.
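What that cross-referencing actually consists of, as an added example that is not code from Command Zero or from the original post. It correlates three constructed log sources (an email-gateway log, a web-proxy log and an IdP sign-in log) to scope one campaign: who was delivered the lure, who requested the lure host afterwards, and who then signed in successfully from an IP outside their baseline within a window of the click. Every address, IP, timestamp and field name below is constructed sample data; real gateways, proxies and identity providers export their own schemas.

```python
"""Scope a phishing campaign by correlating three log sources.

Added example, not Command Zero's code: it performs the cross-referencing of
email, web-proxy and identity records that the post describes analysts doing
by hand.  Every record, field name, address and IP below is constructed
sample data; real gateways, proxies and IdPs use their own schemas.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CAMPAIGN_SENDER = "it-helpdesk@acme-support.example"  # constructed lure sender

# Constructed email-gateway log: one row per recipient and message.
EMAIL_LOG = [
    {"sender": CAMPAIGN_SENDER, "recipient": "alice@acme.example", "action": "delivered",
     "url": "https://acme-support.example/login", "ts": "2025-04-01T09:02:10Z"},
    {"sender": CAMPAIGN_SENDER, "recipient": "bob@acme.example", "action": "delivered",
     "url": "https://acme-support.example/login", "ts": "2025-04-01T09:02:11Z"},
    {"sender": CAMPAIGN_SENDER, "recipient": "carol@acme.example", "action": "quarantined",
     "url": "https://acme-support.example/login", "ts": "2025-04-01T09:02:12Z"},
    {"sender": CAMPAIGN_SENDER, "recipient": "dave@acme.example", "action": "delivered",
     "url": "https://acme-support.example/login", "ts": "2025-04-01T09:02:13Z"},
    {"sender": "payroll@acme.example", "recipient": "bob@acme.example", "action": "delivered",
     "url": "https://hr.acme.example/payslips", "ts": "2025-04-01T09:03:00Z"},  # unrelated mail
]

# Constructed web-proxy log: outbound requests attributed to an authenticated user.
PROXY_LOG = [
    {"user": "alice@acme.example", "url": "https://acme-support.example/login?u=alice", "ts": "2025-04-01T09:05:44Z"},
    {"user": "bob@acme.example", "url": "https://intranet.acme.example/", "ts": "2025-04-01T09:10:00Z"},
    {"user": "dave@acme.example", "url": "https://acme-support.example/login", "ts": "2025-04-01T09:40:02Z"},
]

# Constructed IdP sign-in log.
SIGNIN_LOG = [
    {"user": "alice@acme.example", "ip": "198.51.100.10", "result": "success", "mfa": True, "ts": "2025-04-01T08:00:00Z"},
    {"user": "alice@acme.example", "ip": "203.0.113.7", "result": "success", "mfa": False, "ts": "2025-04-01T09:12:31Z"},
    {"user": "bob@acme.example", "ip": "198.51.100.11", "result": "success", "mfa": True, "ts": "2025-04-01T09:30:00Z"},
    {"user": "dave@acme.example", "ip": "203.0.113.9", "result": "failure", "mfa": False, "ts": "2025-04-01T09:50:00Z"},
    {"user": "dave@acme.example", "ip": "198.51.100.20", "result": "success", "mfa": True, "ts": "2025-04-01T10:15:00Z"},
]

# Constructed baseline: IPs each user signed in from over the previous 30 days.
KNOWN_IPS = {
    "alice@acme.example": {"198.51.100.10"},
    "bob@acme.example": {"198.51.100.11"},
    "dave@acme.example": {"198.51.100.20"},
}


def _t(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scope_phishing_campaign(sender, email_log, proxy_log, signin_log, known_ips,
                            window=timedelta(hours=6)):
    """Bucket recipients by how far the campaign got with each of them."""
    delivered, blocked = {}, set()
    for row in email_log:
        if row["sender"] != sender:
            continue
        if row["action"] == "delivered":
            delivered[row["recipient"]] = row
        else:
            blocked.add(row["recipient"])
    lure_hosts = {urlsplit(r["url"]).hostname for r in delivered.values()}

    # Earliest request to a lure host by a recipient, at or after delivery.
    clicked = {}
    for row in proxy_log:
        user, when = row["user"], _t(row["ts"])
        if (user in delivered and urlsplit(row["url"]).hostname in lure_hosts
                and when >= _t(delivered[user]["ts"])):
            clicked[user] = min(clicked.get(user, when), when)

    # Successful sign-in from outside the user's baseline within `window` of the click.
    suspicious = {}
    for row in signin_log:
        user = row["user"]
        if user not in clicked or row["result"] != "success":
            continue
        when = _t(row["ts"])
        if clicked[user] <= when <= clicked[user] + window and row["ip"] not in known_ips.get(user, set()):
            suspicious.setdefault(user, []).append(row)

    return {
        "likely_compromised": sorted(suspicious),
        "clicked_no_suspicious_signin": sorted(u for u in clicked if u not in suspicious),
        "delivered_not_clicked": sorted(u for u in delivered if u not in clicked),
        "blocked": sorted(blocked),
        "evidence": suspicious,
    }


def run_example():
    return scope_phishing_campaign(CAMPAIGN_SENDER, EMAIL_LOG, PROXY_LOG, SIGNIN_LOG, KNOWN_IPS)


if __name__ == "__main__":
    for bucket, value in run_example().items():
        print(bucket, value)
```

The buckets map directly onto the report leadership wants: "likely compromised" is the reset-and-revoke list, "clicked, no suspicious sign-in" gets watched, "delivered, not clicked" gets the message purged. The `window` argument is the judgement call an experienced analyst makes and a Tier 1 analyst often does not know to make; shrink it and the alice sign-in drops out of the compromised bucket.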

Using AI as an enabler: Supplementing analysts instead of replacing them

AI in security operations often comes with unrealistic expectations—promises of fully autonomous investigations or “magic” solutions that replace human expertise. The reality is far more practical: AI should supplement analysts by automating routine tasks and providing actionable insights that enhance decision-making.

At Command Zero, we’ve taken a pragmatic approach to AI implementation:

  • Automation: Routine tasks like retrieving logs or scoping alerts are automated to save analysts time and reduce friction during investigations.
  • Summarization: Large language models (LLMs) distill complex artifacts into concise summaries tailored to the analyst’s experience level—whether they’re Tier 1 or Tier 3 experts.
  • Proactive Suggestions: The platform highlights overlooked areas or recommends next steps based on expert-driven best practices, ensuring investigations stay thorough without relying on analysts to ask the “perfect” questions upfront.

This implementation philosophy centers on supplementation rather than replacement. The goal isn't to remove analysts from the equation but to enhance their capabilities and efficiency.

Real-world applications: Faster insights and better communication

The impact of this approach is clear in real-world scenarios. Imagine an analyst investigating suspicious activity in AWS who isn’t familiar with its intricacies because they’ve primarily worked in Azure environments. Instead of spending hours learning AWS-specific nuances or crafting queries manually, Command Zero automates these processes and provides summarized findings tailored to their needs.

Even executives benefit from this streamlined workflow. Reports generated by the platform avoid technical jargon, making it easier for leadership to understand key findings without endless clarification cycles.

Moving beyond centralized data repositories

Centralized data repositories will always play a role in detection workflows, but they aren’t the answer for investigations. By combining automation with expert-driven AI capabilities, we can eliminate inefficiencies and empower analysts to focus on what matters most—mitigating risk and protecting the organization.

The future of security operations isn't about replacing human expertise with artificial intelligence. It's about creating symbiotic relationships where technology handles repetitive tasks while augmenting human decision-making capabilities.

As we continue developing these capabilities, our focus remains firmly on delivering practical value today rather than promising hypothetical benefits tomorrow. By anchoring our approach in pragmatic solutions to real-world challenges, we're helping security teams maximize their impact with existing resources.

The most effective AI implementations in security aren't those that attempt to replace analysts, but those that make analysts better at what they already do.

Book a demo with our team to see how Command Zero can complement your SIEM and data lake, supercharging Tier 2+ analysis for your organization.

