May 21, 2025 · 4 min read

Command Zero & Okta Identity Threat Protection: Level-up Identity Investigations

The integration between Command Zero and Okta Identity Threat Protection (ITP) delivers a transformative solution for security operations teams facing evolving identity-based threats. This powerful partnership connects Okta's real-time identity risk signals with Command Zero's comprehensive investigation capabilities, creating a unified workflow that dramatically enhances threat response. Security teams gain the ability to instantly launch investigations from Okta alerts, correlate identity events across their security stack, leverage automated investigation workflows, and access comprehensive user risk profiles. The integration transforms how organizations respond to identity threats—including phishing, credential stuffing, and session hijacking—which the 2025 Verizon DBIR identifies as central to 22% of breaches. By operationalizing Okta ITP within Command Zero's platform, security teams accelerate response times, investigate complete user journeys, and implement targeted remediation based on comprehensive intelligence. This integration serves as a force multiplier for SecOps teams, reducing mean time to respond while providing the contextual insights needed to counter modern identity-based attacks efficiently.

Eric Hulse
Director of Security Research

Introduction

Identity lies at the heart of every security investigation. As attackers increasingly target credentials and user accounts, security teams require tools that not only alert on threats but also facilitate rapid understanding and response to identity-based risks. The strategic integration between Command Zero and Okta Identity Threat Protection (ITP) represents a transformative advancement for security operations teams.

Bridging Investigation and Identity Context

This integration empowers analysts to instantly correlate identity risk signals from Okta with broader security investigations in Command Zero. The result is a unified workflow that seamlessly combines identity insights, threat intelligence, and automated response capabilities.

Users can view Okta Identity Threat Protection alerts in the Alert tab of the Command Zero platform.

With this integration, security teams can:

  • Launch investigations from Okta risk alerts: When Okta ITP detects risky sign-ins, behavioral anomalies, or policy violations, these signals become immediately actionable within Command Zero. Analysts can initiate comprehensive investigations autonomously (via policy) or with a single click. Investigations automatically incorporate user details, device context, and historical activity patterns.
  • Correlate identity events across the security stack: Command Zero aggregates data from Okta and other sources, providing visibility into how identity interactions manifest across cloud environments, email systems, endpoints, SaaS and additional security infrastructure.
  • Leverage automated investigation workflows: Pre-built and customizable workflows guide analysts through identity-centric investigations, ensuring consistent and thorough response procedures. Automated sequences can trigger critical actions including session termination, multi-factor authentication challenges, or incident escalation.
  • Access comprehensive user risk profiles: Analysts can instantly review crucial contextual information including usernames, user titles, group memberships, device inventory, MFA settings and previous investigation history—providing essential context for informed decision-making.

Operationalizing Okta Identity Threat Protection

Identity-based attacks—including phishing, credential stuffing, and session hijacking—remain predominant vectors for data breaches. Okta's Identity Threat Protection continuously evaluates user sessions, risk signals, and device context to detect threats in real time, not merely at the login stage. By integrating these signals into Command Zero, security teams can:

  • Accelerate response to identity threats with enhanced confidence
  • Investigate across complete user journeys, seeing the complete impact radius
  • Decide which remediation actions to take based on the full picture

The 2025 Verizon Data Breach Investigations Report highlights that 22% of breaches involve credential abuse, while almost every breach touches an identity at some point of execution. The integration between Okta and Command Zero removes the potential blind spot around identities and turns identity threat alerts into actionable intelligence.

Sample Investigation Flow

The integration allows streamlined processes to make the most of Okta’s identity insights. Here is a sample operational flow:

  1. Okta ITP identifies a risky event (anomalous sign-in, device risk, policy violation).
  2. Alert data and comprehensive user context are transmitted to Command Zero. Analysts can view identity information and historical context for all atomic leads in investigations.
  3. The platform or analysts initiate investigations (depending on policy), automatically gathering relevant data from Okta and connected systems. Users can run investigations visually using the encoded knowledge base in the platform, or build on autonomous investigations run by expert LLMs.
  4. Guided workflows identify the right response, from in-depth analysis to containment actions or escalation procedures. Reports generated by the platform highlight the reasoning, evidence and recommended remediation actions.
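The flow above hinges on step 3: taking one Okta risk signal and pulling together everything the same identity did across the other sources inside a time window, so the analyst sees the whole user journey rather than a single login. The following is an added illustration of that correlation logic in Python; it is not Command Zero or Okta code. The records are constructed, the Okta-style field names (`published`, `eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`) are modelled on the Okta System Log layout, and the `riskLevel` value under `debugContext.debugData` as well as the other-source event shape are assumptions for the example. The response tiers in `recommend()` are the ones the post names (MFA challenge, session termination, escalation).

```python
"""Correlate an identity risk alert with events from other sources into a per-user timeline.

Added example, not Command Zero or Okta code. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta-style records (System Log layout; the riskLevel field is an assumption).
OKTA_LOG = [
    {
        "published": "2025-05-21T09:02:11.000Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "198.51.100.23"},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"riskLevel": "HIGH"}},
    },
    {
        "published": "2025-05-21T09:15:40.000Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "203.0.113.9"},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"riskLevel": "LOW"}},
    },
]

# Constructed events already normalised from other sources (email gateway, EDR, SaaS audit).
OTHER_EVENTS = [
    {"ts": "2025-05-21T09:05:02Z", "user": "alice@example.com", "source": "email",
     "action": "inbox_rule_created", "ip": "198.51.100.23"},
    {"ts": "2025-05-21T09:40:30Z", "user": "alice@example.com", "source": "saas",
     "action": "bulk_file_download", "ip": "198.51.100.23"},
    {"ts": "2025-05-21T08:30:00Z", "user": "alice@example.com", "source": "edr",
     "action": "process_start", "ip": "10.0.0.5"},  # before the alert: outside the window
    {"ts": "2025-05-21T09:20:00Z", "user": "bob@example.com", "source": "email",
     "action": "message_sent", "ip": "203.0.113.9"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_okta(record):
    """Flatten one Okta-style record into the common event shape used for correlation."""
    debug = record.get("debugContext", {}).get("debugData", {})
    return {
        "ts": parse_ts(record["published"]),
        "user": record["actor"]["alternateId"],
        "source": "okta",
        "action": record["eventType"],
        "ip": record.get("client", {}).get("ipAddress"),
        "risk": debug.get("riskLevel", "UNKNOWN"),
    }


def build_user_journeys(okta_log, other_events, window_minutes=60):
    """Start a journey at each Okta event rated HIGH or MEDIUM and attach every event
    from the other sources for the same user inside [alert_ts, alert_ts + window]."""
    by_user = defaultdict(list)
    for ev in other_events:
        by_user[ev["user"]].append({**ev, "ts": parse_ts(ev["ts"])})
    window = timedelta(minutes=window_minutes)
    journeys = []
    for record in okta_log:
        alert = normalize_okta(record)
        if alert["risk"] not in ("HIGH", "MEDIUM"):
            continue
        related = [e for e in by_user[alert["user"]]
                   if alert["ts"] <= e["ts"] <= alert["ts"] + window]
        journeys.append({"alert": alert, "events": sorted(related, key=lambda e: e["ts"])})
    return journeys


def recommend(journey):
    """Map the correlated picture to the response tiers named in the post."""
    sources = {e["source"] for e in journey["events"]}
    if journey["alert"]["risk"] == "HIGH" and len(sources) >= 2:
        return "escalate"            # impact spans several systems: hand to incident response
    if journey["alert"]["risk"] == "HIGH":
        return "terminate_sessions"  # contain the identity while the analyst digs further
    return "mfa_challenge"           # medium risk: re-verify the user before acting harder


def summarize(journey):
    """Produce the analyst-facing view: who, how risky, where it spread, and what to do."""
    return {
        "user": journey["alert"]["user"],
        "risk": journey["alert"]["risk"],
        "alert_ip": journey["alert"]["ip"],
        "sources": sorted({e["source"] for e in journey["events"]}),
        "timeline": [(e["ts"].isoformat(), e["source"], e["action"]) for e in journey["events"]],
        "recommendation": recommend(journey),
    }


if __name__ == "__main__":
    for journey in build_user_journeys(OKTA_LOG, OTHER_EVENTS):
        print(summarize(journey))
```

With the constructed data, only Alice's HIGH-risk sign-in opens a journey; the inbox rule and bulk download that follow it from the same address land in the window, the earlier EDR event does not, and because two downstream systems are touched the result is an escalation. Shrinking the window to ten minutes leaves only the email event and drops the recommendation to session termination, which is the kind of sensitivity an analyst should understand before trusting an automated action.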

Level-up identity investigations

Command Zero's integration with Okta Identity Threat Protection serves as a force multiplier for SecOps teams. By combining continuous identity risk assessment with autonomous investigation capabilities, security teams can effectively counter modern threats – reducing the mean time to understand and respond to cases.  

Book a demo today to see how Command Zero can transform your identity investigations.
