July 25, 2024
4 min read

Investigate Microsoft EntraID identities in minutes


Alfred Huger
Cofounder & CPO

Introduction

Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, the historical context and recent behavior are key to conducting effective investigations.  

User identities live on multiple systems supported by Command Zero, including identity providers, cyber and non-cyber solutions and SaaS. One of the powers of the platform is enabling cross-system interrogation to paint the complete narrative for any user. Interrogating universal data sources using the pre-built questions and sequences on Command Zero improves efficiency for all analysts and lowers the barrier of entry for less-known data sources.  

In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID. While we can expand any investigation to other data sources, I'll keep the focus on EntraID to simplify this example flow.  

Act 1: Inbound HR request & first observations

It’s 8:43 on Thursday morning and you receive a new ServiceNow request from HR: “Review permissions and recent activity of Steven and Natalie”. Instead of digging into Splunk, EntraID, Graph and five other systems, or having to schedule working sessions with identity administrators, you decide to run this analysis using Command Zero.

You start by looking at the information about Steven and Natalie. This overview of users reveals important information including the groups they belong to, their usernames, emails and registered devices.  

Analysts can review all groups a user belongs to and expand the investigation into these groups if necessary.
Analysts can go through the notes for Steven and get up to speed on the historical context and findings.
Current and past investigations that have the same lead can help better understand the complete context on identities.

As you review summaries about Steven and Natalie, you find that these users also have Okta and GitHub users and add these identities as additional leads to the investigation, along with the registered devices and IP addresses these users are associated with.

Before diving back into the investigation, you review failed MFA challenges and risky sign-in activities for Steven:

Bingo! You find two IP addresses in the risky sign-in activities, both of which you also promote to leads in the investigation.

Act 2: Digging into user behavior

Now that we’ve got the overview of Natalie and Steven, we can start digging into their recent user behavior. We could interrogate all connected resources for these users (such as CrowdStrike for endpoint, Okta for other associated identities, or GitHub for code repository activity), but for the sake of this example we’ll limit our focus to Microsoft EntraID.

Initially, we can ask the following questions to identify suspicious behavior:  

  • Was there a failed attempt to change the user’s password?  
  • What account administration actions were performed by this user?  
  • What application consents have been granted by this user?  
Interrogating identities using pre-built questions helps speed up analysis and standardize the flow.

In this case, the answer to each of these questions was no, meaning none of these potentially malicious behaviors were observed in the given time frame. We can expand the time frame and re-run the same questions to look for more answers:

Analysts can easily update the time range of questions and re-run questions to get a broad set of results.

Assuming the answers are still no (meaning there are no rabbit holes to dig further into), we can now run facets (pre-built question sequences) to ask more questions and get to interesting patterns more quickly:

Facets are dynamic playbooks. They can run full-blown investigations or kickstart analysis by executing a sequence of questions.

In this case, let’s run an “impossible travel” facet to see if we can find suspicious activities focused on IP addresses and geolocation.

The impossible travel facet returns three distinct IPs which were already part of our investigation.
For each repeated lead, you can review the connections and where else this lead surfaced.

Act 3: Chasing the involved IP addresses

Now we must confirm whether these three IP addresses are trusted. To do this, we run facets on these IP addresses. Two out of three turn out to be office IP addresses. The third one is more interesting:

This is an unknown IP address from a foreign country we don’t operate in. This is suspicious!

The same unfamiliar sign-in facet reveals that this IP has multiple failed and successful logins:

This foreign IP has successfully logged into Natalie’s and Johanna’s accounts.

Now we will expand the investigation further into Natalie’s user and add Johanna to the investigation as a new lead. Once these leads are fully exhausted, you can build the incident timelines, generate summaries and share them with the HR team to close this request in minutes.
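The two checks that drove Acts 2 and 3 above, the “impossible travel” facet and the pivot from one IP address to every account it signed into, as an added example that is not Command Zero’s code. The records are constructed sample data shaped like Microsoft Graph `signIn` objects (fictitious users, documentation IP ranges, made-up coordinates); the 900 km/h speed threshold and the error codes used are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def rec(upn, ip, when, code, country, lat, lon):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": code},  # 0 = success, 50126 = bad credentials
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}

# Constructed records in the shape of a Microsoft Graph `signIn` object (fictitious users, documentation IPs).
SIGNINS = [
    rec("natalie@example.com", "203.0.113.10", "2024-07-25T07:50:00Z", 0, "US", 37.77, -122.42),
    rec("natalie@example.com", "198.51.100.7", "2024-07-25T08:20:00Z", 0, "XX", 55.75, 37.62),
    rec("steven@example.com", "203.0.113.10", "2024-07-25T07:58:00Z", 0, "US", 37.77, -122.42),
    rec("steven@example.com", "203.0.113.11", "2024-07-25T08:05:00Z", 0, "US", 37.78, -122.41),
    rec("johanna@example.com", "198.51.100.7", "2024-07-25T06:10:00Z", 50126, "XX", 55.75, 37.62),
    rec("johanna@example.com", "198.51.100.7", "2024-07-25T06:12:00Z", 0, "XX", 55.75, 37.62),
]

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = (radians(v) for v in (a["latitude"], a["longitude"], b["latitude"], b["longitude"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(signins, max_kmh=900):
    """Consecutive successful sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0:
            by_user[s["userPrincipalName"]].append(s)
    hits = []
    for upn, events in by_user.items():
        events.sort(key=lambda s: s["createdDateTime"])  # same ISO format, so string order is time order
        for prev, cur in zip(events, events[1:]):
            t0 = datetime.fromisoformat(prev["createdDateTime"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["createdDateTime"].replace("Z", "+00:00"))
            hours = max((t1 - t0).total_seconds() / 3600, 1e-9)  # guard against identical timestamps
            km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            if km / hours > max_kmh:
                hits.append((upn, prev["ipAddress"], cur["ipAddress"], round(km / hours)))
    return hits

def pivot_ip(signins, ip):
    """Which users one IP address signed into, with success and failure counts (the Act 3 pivot)."""
    out = defaultdict(lambda: {"success": 0, "failed": 0})
    for s in signins:
        if s["ipAddress"] == ip:
            out[s["userPrincipalName"]]["success" if s["status"]["errorCode"] == 0 else "failed"] += 1
    return dict(out)
```

On the sample data `impossible_travel(SIGNINS)` flags only Natalie (office IP, then the foreign IP half an hour later), and `pivot_ip(SIGNINS, "198.51.100.7")` shows that IP with one success against Natalie and a failure followed by a success against Johanna, which is the pattern that turns Johanna into a new lead.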

Conclusion

Command Zero augments tier-2 and tier-3 analysts, threat hunters and incident responders by doing the heavy lifting. In this example, an analyst was able to review two users on the watchlist, confirm that one user didn’t have suspicious behavior and find suspicious activities for the other user, along with a new lead (Johanna) to expand the investigation.

It is now 8:47 AM on Thursday, and the initial investigation for Natalie and Steven is complete: all in 4 minutes, without technology-specific expertise or direct access to EntraID or the other systems involved in this flow. Next in this series, we’ll cover a sample use case with Okta as the identity provider.

Please check out our identity-based investigations page and use case demo to learn more.
