Home
Blog
Identity-investigations
May 21, 2025
4
min read

Command Zero & Okta Identity Threat Protection: Level-up Identity Investigations

The integration between Command Zero and Okta Identity Threat Protection (ITP) delivers a transformative solution for security operations teams facing evolving identity-based threats. This powerful partnership connects Okta's real-time identity risk signals with Command Zero's comprehensive investigation capabilities, creating a unified workflow that dramatically enhances threat response. Security teams gain the ability to instantly launch investigations from Okta alerts, correlate identity events across their security stack, leverage automated investigation workflows, and access comprehensive user risk profiles. The integration transforms how organizations respond to identity threats—including phishing, credential stuffing, and session hijacking—which the 2025 Verizon DBIR identifies as central to 22% of breaches. By operationalizing Okta ITP within Command Zero's platform, security teams accelerate response times, investigate complete user journeys, and implement targeted remediation based on comprehensive intelligence. This integration serves as a force multiplier for SecOps teams, reducing mean time to respond while providing the contextual insights needed to counter modern identity-based attacks efficiently.

Okta
identity investigations
investigations
CTI
Eric Hulse
Director of Security Research
In this article
H2 Title
H3 Title

Introduction

Identity lies at the heart of every security investigation. As attackers increasingly target credentials and user accounts, security teams require tools that not only alert on threats but also facilitate rapid understanding and response to identity-based risks. The strategic integration between Command Zero and Okta Identity Threat Protection (ITP) represents a transformative advancement for security operations teams.

Bridging Investigation and Identity Context

This integration empowers analysts to instantly correlate identity risk signals from Okta with broader security investigations in Command Zero. The result is a unified workflow that seamlessly combines identity insights, threat intelligence, and automated response capabilities.

Users can view Okta Identity Threat Protection alerts in the Alert tab of the Command Zero platform.

With this integration, security teams can:

  • Launch investigations from Okta risk alerts: When Okta ITP detects risky sign-ins, behavioral anomalies, or policy violations, these signals become immediately actionable within Command Zero. Analysts can initiate comprehensive investigations autonomously (via policy) or with a single click. Investigations automatically incorporate user details, device context, and historical activity patterns.
  • Correlate identity events across the security stack: Command Zero aggregates data from Okta and other sources, providing visibility into how identity interactions manifest across cloud environments, email systems, endpoints, SaaS and additional security infrastructure.
  • Facets: Leverage automated investigation workflows: Pre-built and customizable workflows guide analysts through identity-centric investigations, ensuring consistent and thorough response procedures. Automated sequences can trigger critical actions including session termination, multi-factor authentication challenges, or incident escalation.
  • Access comprehensive user risk profiles: Analysts can instantly review crucial contextual information including usernames, user titles, group memberships, device inventory, MFA settings and previous investigation history—providing essential context for informed decision-making.

Operationalizing Okta Identity Threat Protection

Identity-based attacks—including phishing, credential stuffing, and session hijacking—remain predominant vectors for data breaches. Okta's Identity Threat Protection continuously evaluates user sessions, risk signals, and device context to detect threats in real time, not merely at the login stage. By integrating these signals into Command Zero, security teams can:

  • Accelerate response to identity threats with enhanced confidence
  • Investigate across complete user journeys, seeing the complete impact radius
  • Decide which remediation actions to take based on the full picture

The 2025 Verizon Data Breach Investigations Report highlights that 22% breaches involve credential abuse, while likely all breaches touch identities at some point of execution. The integration between Okta and Command Zero removes the potential blind spot around identities and turns identity threat alerts into actionable intelligence.

Sample Investigation Flow

The integration allows streamlined processes to make the most of Okta’s identity insights. Here is a sample operational flow:  

  1. Okta ITP identifies a risky event (anomalous sign-in, device risk, policy violation)
  1. Alert data and comprehensive user context are transmitted to Command Zero
Analysts can view identity information and historical context for all atomic leads in investigations.
  1. The platform or analysts initiate investigations (depending on policy), automatically gathering relevant data from Okta and connected systems
Users can run investigations in a visual way using the encoded knowledge base in the platform, or build on autonomous investigations run by expert LLMs.
  1. Guided workflows identify the right response, from in-depth analysis to containment actions or escalation procedures.
Reports generated by the platform highlight the reasoning, evidence and recommended remediation actions.

Level-up identity investigations

Command Zero's integration with Okta Identity Threat Protection serves as a force multiplier for SecOps teams. By combining continuous identity risk assessment with autonomous investigation capabilities, security teams can effectively counter modern threats – reducing the mean time to understand and respond to cases.  

Book a demo today to see how Command Zero can transform your identity investigations.

Eric Hulse
Director of Security Research

Continue reading

Identity-investigations
Highlight

Microsoft Teams Becomes the New Vishing Battleground

Microsoft Teams has recently emerged as a critical attack vector for sophisticated ransomware campaigns, with threat actors weaponizing enterprise communication platforms through coordinated vishing operations. This strategic analysis examines the three-stage attack methodology—email flooding, social engineering via Teams calls, and remote access tool deployment—that has enabled groups like Black Basta, Storm-1811, and Midnight Blizzard to achieve unprecedented operational success. Recent intelligence reveals over 15 documented incidents in three months, with attack frequency accelerating significantly. The exploitation centers on default Microsoft Teams configurations that permit external communications, creating opportunities for attackers to impersonate IT support during manufactured crises. Command Zero's post-Black Hat platform enhancements deliver comprehensive investigative capabilities across Microsoft Teams, Entra, and Graph environments, providing security teams with advanced detection and response tools. Organizations must implement systematic defense frameworks combining technical infrastructure controls with human-centric security operations to address this paradigmatic shift in adversarial methodology that blurs traditional boundaries between technical exploitation and social engineering mastery.
Eric Hulse
Sep 23, 2025
5
min read
Identity-investigations
Highlight

Investigating Risky Sign-ins: Getting to the right answers fast

Entra risky sign-ins—suspicious login activities that can often indicate account compromise. We examine the sophisticated detection mechanisms that identify authentication anomalies, from impossible travel scenarios to password spray attacks, and reveal the critical investigation challenges security analysts face. The post showcases how Command Zero's integrated platform transforms these investigations through cross-product visibility, facet-based investigation frameworks, and identity correlation capabilities. By combining an encoded knowledge base with expert language models and strategic automation, security teams can dramatically accelerate threat response times, standardize investigation quality, and gain comprehensive visibility across fragmented technology stacks—ultimately transforming how organizations detect and respond to potential identity compromises.
Natalie Dean
Mar 26, 2025
6
min read
Identity-investigations
Highlight

Investigating Locked Accounts: Making sense of the canary in the coal mine

Locked accounts, often overlooked in security operations, can be crucial indicators of larger security threats. This blog post explores why these common occurrences matter and how they serve as early warning signs for potential issues like brute force attempts, credential stuffing, insider threats, and misconfigured systems. The post also covers how Command Zero streamlines investigations by offering visual analysis, unified data sources, and automated timeline generation. By centralizing the process and leveraging advanced tools, security teams can more efficiently identify and respond to potential threats. The future of threat hunting lies in automation and autonomous investigations, pushing the boundaries of what's possible in cybersecurity.
Alfred Huger
Mar 13, 2025
5
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All