Introduction
Identity-based investigations are one of the most common analyses in security operations. These leads come under the spotlight because of an HR event (a watchlist or a user's last day), a potential compromise (business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, their historical context and their recent behavior is key to conducting effective investigations.
User identities live on multiple systems supported by Command Zero, including identity providers, cyber and non-cyber solutions and SaaS. One of the powers of the platform is enabling cross-system interrogation to paint the complete narrative for any user. Interrogating universal data sources using the pre-built questions and sequences on Command Zero improves efficiency for all analysts and lowers the barrier of entry for less-known data sources.
In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID. While we can expand any investigation to other data sources, I'll keep the focus on EntraID to simplify this example flow.
Act 1: Inbound HR request & first observations
It's 8.43 on Thursday morning and you receive a new ServiceNow request from HR: "Review permissions and recent activity of Steven and Natalie". Instead of digging into Splunk, EntraID, Graph and five other systems, or having to schedule working sessions with identity administrators, you decide to run this analysis using Command Zero.
You start by looking at the information about Steven and Natalie. This overview of users reveals important information including the groups they belong to, their usernames, emails and registered devices.
As you review the summaries for Steven and Natalie, you find that these users also have Okta and GitHub identities, and you add those identities as additional leads to the investigation, along with the registered devices and IP addresses associated with these users.
Before diving back into the investigation, you review the failed MFA challenges and risky sign-in activities for Steven:
Act 2: Digging into user behavior
Now that we've got the overview of Natalie and Steven, we can start digging into their recent user behavior. We could interrogate all connected resources for these users (such as CrowdStrike for endpoint, Okta for other associated identities, or GitHub for code repository activity), but for the sake of this example we'll limit our focus to Microsoft EntraID.
Initially, we can ask the following questions to identify suspicious behavior:
- Was there a failed attempt to change the user’s password?
- What account administration actions were performed by this user?
- What application consents have been granted by this user?
In this case, the answer to all three questions was no, meaning none of these potentially malicious behaviors were observed in the given time frame. We can expand the time frame and re-run the same questions to look for more answers:
Assuming the answers are still no, meaning there are no rabbit holes to dig further into, we can now run facets (pre-built question sequences) to ask more questions and get to interesting patterns more quickly:
In this case, let’s run an “impossible travel” facet to see if we can find suspicious activities focused on IP addresses and geolocation.
Act 3: Chasing the involved IP addresses
Now we must confirm whether these three IP addresses are trusted. To do this, we run facets on each IP address. Two out of three turn out to be office IP addresses. The third one is more interesting:
The same unfamiliar sign-in facet reveals that this IP has multiple failed and successful logins:
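To make the checks behind Acts 2 and 3 concrete, here is an added example (not Command Zero's code or output) that runs an impossible-travel check and a per-IP success/failure tally over a few constructed Entra ID sign-in records; the users, timestamps, IP addresses, coordinates and trusted-IP list are all made up for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real Entra ID data):
# (user, UTC timestamp, source IP, (latitude, longitude), sign-in succeeded)
SIGNINS = [
    ("steven",  "2024-05-02T07:30:00Z", "203.0.113.10", (37.77, -122.42), True),
    ("steven",  "2024-05-02T12:00:00Z", "203.0.113.11", (37.78, -122.41), True),
    ("natalie", "2024-05-02T07:55:00Z", "203.0.113.10", (37.77, -122.42), True),
    ("natalie", "2024-05-02T08:20:00Z", "198.51.100.7", (52.52, 13.40), False),
    ("natalie", "2024-05-02T08:21:00Z", "198.51.100.7", (52.52, 13.40), True),
]
TRUSTED_IPS = {"203.0.113.10", "203.0.113.11"}  # assumed office egress addresses

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive successful sign-ins per user whose implied travel
    speed exceeds max_kmh (roughly airliner speed). Returns a list of dicts."""
    by_user = defaultdict(list)
    for user, ts, ip, geo, ok in signins:
        if ok:  # failed attempts are counted separately by ip_outcomes()
            by_user[user].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, geo))
    hits = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, ip1, g1), (t2, ip2, g2) in zip(events, events[1:]):
            km = haversine_km(g1, g2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
            if km / hours > max_kmh:
                hits.append({"user": user, "from": ip1, "to": ip2,
                             "km": round(km), "minutes": round(hours * 60)})
    return hits

def ip_outcomes(signins, trusted=TRUSTED_IPS):
    """Per source IP: success/failure counts and whether it is a known office IP."""
    stats = {}
    for _, _, ip, _, ok in signins:
        s = stats.setdefault(ip, {"success": 0, "failed": 0, "trusted": ip in trusted})
        s["success" if ok else "failed"] += 1
    return stats
```

With this sample data Natalie's two successful sign-ins are about 9,100 km apart within 26 minutes, and the untrusted IP shows both a failed and a successful login, which is the pattern the facet above surfaces.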
Now we expand the investigation further into Natalie's account and add Johanna to the investigation as a new lead. Once these leads are fully exhausted, you can build the incident timeline, generate summaries and share them with the HR team to close this request in minutes.
Conclusion
Command Zero augments tier-2 and tier-3 analysts, threat hunters and incident responders by doing the heavy lifting. In this example, an analyst was able to review two users on the watchlist, confirm that one user didn’t have suspicious behavior and find suspicious activities for the other user, along with a new lead (Johanna) to expand the investigation.
It is now 8.47 AM on Thursday, and the initial investigation for Natalie and Steven is complete: all in 4 minutes, without technology-specific expertise or direct access to EntraID or the other systems involved in this flow. Next in this series, we'll cover a sample use case with Okta as the identity provider.
Please check out our identity-based investigations page and use case demo to learn more.