July 25, 2024
4 min read

Investigate Microsoft EntraID identities in minutes


Alfred Huger
Cofounder & CPO

Introduction

Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, the historical context and recent behavior are key to conducting effective investigations.  

User identities live on multiple systems supported by Command Zero, including identity providers, cyber and non-cyber solutions and SaaS. One of the powers of the platform is enabling cross-system interrogation to paint the complete narrative for any user. Interrogating universal data sources using the pre-built questions and sequences on Command Zero improves efficiency for all analysts and lowers the barrier of entry for less-known data sources.  

In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID. While we can expand any investigation to other data sources, I'll keep the focus on EntraID to simplify this example flow.  

Act 1: Inbound HR request & first observations

It’s 8.43 on Thursday morning and you receive a new ServiceNow request from HR: “Review permissions and recent activity of Steven and Natalie”. Instead of digging into Splunk, EntraID, Graph and five other systems, or having to schedule working sessions with identity administrators, you decide to run this analysis using Command Zero.

You start by looking at the information about Steven and Natalie. This overview of users reveals important information including the groups they belong to, their usernames, emails and registered devices.  

Analysts can review all groups a user belongs to and expand the investigation into these groups if necessary.
Analysts can go through the notes for Steven and get up to speed on the historical context and findings.
Current and past investigations that have the same lead can help better understand the complete context on identities.

As you review the summaries for Steven and Natalie, you find that these users also have Okta and GitHub identities, so you add those as additional leads to the investigation, along with the registered devices and IP addresses these users are associated with.

Before diving back into the investigation, you review failed MFA challenges and risky sign-in activities for Steven:

Bingo! You find two IP addresses in the risky sign-in activities, both of which you also promote to leads in the investigation.

Act 2: Digging into user behavior

Now that we’ve got the overview of Natalie and Steven, we can start digging into their recent user behavior. We can interrogate all connected resources (such as CrowdStrike for endpoint, Okta for other associated identities, or GitHub for code repository activity) for these users; for the sake of this example, we’ll limit our focus to Microsoft EntraID.

Initially, we can ask the following questions to identify suspicious behavior:  

  • Was there a failed attempt to change the user’s password?  
  • What account administration actions were performed by this user?  
  • What application consents have been granted by this user?  
Interrogating identities using pre-built questions helps speed up analysis and standardize the flow.

In this case, the answer to all three questions was no, meaning none of these potentially malicious behaviors were observed in the given time frame. We can expand the time frame and re-run the same questions to look for more answers:

Analysts can easily update the time range of questions and re-run questions to get a broad set of results.
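The three questions above are answered from the Entra ID directory audit log, and re-running them with a wider window is just a change of the lookback parameter. The following is an added example (not Command Zero's code and not its pre-built questions) that answers them over constructed audit records. Field names follow the Microsoft Graph `directoryAudit` resource (`activityDisplayName`, `result`, `initiatedBy.user.userPrincipalName`, `activityDateTime`, `targetResources`); the activity display names, the set of "administration" activities, the users and the timestamps are assumptions made for the illustration.

```python
"""Added example: answering the three Act 2 questions over Entra ID
directory-audit records, with an adjustable lookback window.
Not Command Zero code; record shapes mirror the Graph directoryAudit
resource, activity names and sample data are assumed/constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not from a real tenant). Note that the
# first one is initiated by an admin *about* Steven, not by Steven.
AUDIT_LOG = [
    {"activityDateTime": "2024-07-25T06:10:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Steven Example"}]},
    {"activityDateTime": "2024-07-20T14:02:00Z", "activityDisplayName": "Change user password",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "demo.user@example.com"}},
     "targetResources": [{"displayName": "demo.user@example.com"}]},
    {"activityDateTime": "2024-07-24T09:30:00Z", "activityDisplayName": "Consent to application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "demo.user@example.com"}},
     "targetResources": [{"displayName": "Mail Sync Helper"}]},
    {"activityDateTime": "2024-07-22T11:45:00Z", "activityDisplayName": "Add member to group",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "demo.user@example.com"}},
     "targetResources": [{"displayName": "Finance-Approvers"}]},
]

# Assumed list of activity names that count as account administration.
ADMIN_ACTIVITIES = {"Add user", "Delete user", "Update user", "Reset user password",
                    "Add member to group", "Remove member from group",
                    "Add app role assignment to user"}

# Fixed "now" so the example is reproducible: the 8.43 Thursday of the story.
NOW = datetime(2024, 7, 25, 8, 43, tzinfo=timezone.utc)


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps the audit log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def events_by(user, hours, log=AUDIT_LOG, now=NOW):
    """Audit events *initiated by* `user` within the last `hours` hours."""
    since = now - timedelta(hours=hours)
    return [e for e in log
            if e["initiatedBy"].get("user", {}).get("userPrincipalName", "").lower() == user.lower()
            and since <= _ts(e["activityDateTime"]) <= now]


def failed_password_change(user, hours, log=AUDIT_LOG, now=NOW):
    """Q1: was there a failed attempt to change the user's password?"""
    return any(e["activityDisplayName"] == "Change user password" and e["result"] == "failure"
               for e in events_by(user, hours, log, now))


def admin_actions(user, hours, log=AUDIT_LOG, now=NOW):
    """Q2: which account administration actions did this user perform?"""
    return sorted({e["activityDisplayName"] for e in events_by(user, hours, log, now)
                   if e["activityDisplayName"] in ADMIN_ACTIVITIES})


def app_consents(user, hours, log=AUDIT_LOG, now=NOW):
    """Q3: which application consents did this user grant?"""
    return sorted(t["displayName"] for e in events_by(user, hours, log, now)
                  if e["activityDisplayName"] == "Consent to application"
                  for t in e.get("targetResources", []))


def ask(user, hours, log=AUDIT_LOG, now=NOW):
    """Run all three questions for one user and one lookback window."""
    return {"failed_password_change": failed_password_change(user, hours, log, now),
            "admin_actions": admin_actions(user, hours, log, now),
            "app_consents": app_consents(user, hours, log, now)}


if __name__ == "__main__":
    for user in ("steven@example.com", "demo.user@example.com"):
        for hours in (24, 24 * 7):          # first the default window, then expanded
            print(f"{user:24s} last {hours:4d}h -> {ask(user, hours)}")
```

With the constructed data, Steven comes back clean in both windows (the "Update user" event targets him but was initiated by an admin, which is why the filter is on `initiatedBy` rather than `targetResources`), while the hypothetical `demo.user` shows only a consent in the last 24 hours and a failed password change plus a group-membership change once the window is widened to a week. That is exactly the "expand the time range and re-run" step the paragraph describes.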

Assuming the answers are still no, meaning there are no rabbit holes to dig into, we can now run facets (pre-built question sequences) to ask more questions and get to interesting patterns more quickly:

Facets are dynamic playbooks. They can run full-blown investigations or kickstart analysis by executing a sequence of questions.

In this case, let’s run an “impossible travel” facet to see if we can find suspicious activities focused on IP addresses and geolocation.

The impossible travel facet returns three distinct IPs which were already part of our investigation.
For each repeated lead, you can review the connections and where else this lead surfaced.

Act 3: Chasing the involved IP addresses

Now we must confirm whether these three IP addresses are trusted. To do this, we run facets on the IP addresses. Two out of three turn out to be office IP addresses. The third one is more interesting:

This is an unknown IP address from a foreign country we don’t operate in. This is suspicious!

The same unfamiliar sign-in facet reveals that this IP has multiple failed and successful logins:

This foreign IP has successfully logged into Natalie’s and Johanna’s accounts.
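The impossible-travel facet and the IP facet that follows it both work from the Entra ID sign-in log. As an added example (not Command Zero's code and not its facets), the block below implements the two checks over constructed sign-in records: consecutive successful sign-ins whose implied speed is not physically possible, and a per-IP triage that reports whether the address is in an office range or a foreign country and which accounts it signed into, with failed and successful attempts counted separately. Field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `createdDateTime`, `location.countryOrRegion`, `location.geoCoordinates`, `status.errorCode`); the office network range, the home country, the speed threshold, the coordinates and the sample users are assumptions.

```python
"""Added example: impossible-travel detection and IP triage over Entra ID
sign-in records. Not Command Zero code; record shapes mirror the Graph
signIn resource, all data, ranges and thresholds are constructed/assumed."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed coordinates for the two sign-in locations used below.
NY = {"latitude": 40.7128, "longitude": -74.0060}
SP = {"latitude": -23.5505, "longitude": -46.6333}


def _rec(user, ip, when, country, geo, code=0):
    """Build one constructed sign-in record. errorCode 0 is success;
    50126 is Entra ID's invalid username/password result."""
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": when,
            "location": {"countryOrRegion": country, "geoCoordinates": geo},
            "status": {"errorCode": code}}


# Constructed sample sign-in log (documentation IP ranges, not real tenant data).
SIGN_INS = [
    _rec("steven@example.com", "203.0.113.10", "2024-07-24T08:55:00Z", "US", NY),
    _rec("natalie@example.com", "203.0.113.10", "2024-07-24T09:00:00Z", "US", NY),
    _rec("natalie@example.com", "203.0.113.20", "2024-07-24T12:00:00Z", "US", NY),
    _rec("natalie@example.com", "198.51.100.77", "2024-07-24T13:20:00Z", "BR", SP, 50126),
    _rec("natalie@example.com", "198.51.100.77", "2024-07-24T13:25:00Z", "BR", SP, 50126),
    _rec("natalie@example.com", "198.51.100.77", "2024-07-24T13:30:00Z", "BR", SP),
    _rec("johanna@example.com", "198.51.100.77", "2024-07-24T14:05:00Z", "BR", SP, 50126),
    _rec("johanna@example.com", "198.51.100.77", "2024-07-24T14:10:00Z", "BR", SP),
]

OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]  # assumption: the org's egress range
HOME_COUNTRIES = {"US"}                            # assumption: countries the org operates in
MAX_SPEED_KMH = 900                                # assumption: faster than airline travel


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(a, b):
    """Great-circle distance in km between two geoCoordinates dicts."""
    lat1, lon1 = radians(a["latitude"]), radians(a["longitude"])
    lat2, lon2 = radians(b["latitude"]), radians(b["longitude"])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(user, log=SIGN_INS, max_speed_kmh=MAX_SPEED_KMH):
    """Pairs of consecutive *successful* sign-ins by `user` whose implied speed
    exceeds `max_speed_kmh`. Returns (earlier_ip, later_ip, km, hours) tuples.
    Records without coordinates are skipped rather than treated as travel."""
    ok = sorted((r for r in log
                 if r["userPrincipalName"] == user and r["status"]["errorCode"] == 0
                 and r["location"].get("geoCoordinates")),
                key=lambda r: _ts(r["createdDateTime"]))
    hits = []
    for prev, cur in zip(ok, ok[1:]):
        if prev["ipAddress"] == cur["ipAddress"]:
            continue  # same source cannot be travel
        km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
        hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
        if km == 0:
            continue  # e.g. two office IPs that geolocate to the same building
        if hours == 0 or km / hours > max_speed_kmh:
            hits.append((prev["ipAddress"], cur["ipAddress"], round(km), round(hours, 2)))
    return hits


def involved_ips(user, log=SIGN_INS):
    """Distinct IPs surfaced by the impossible-travel check, the leads to chase next."""
    return sorted({ip for hit in impossible_travel(user, log) for ip in hit[:2]})


def triage_ip(ip, log=SIGN_INS):
    """Is this IP an office address or foreign, and what did it do?"""
    rows = [r for r in log if r["ipAddress"] == ip]
    countries = {r["location"]["countryOrRegion"] for r in rows}
    return {
        "office": any(ip_address(ip) in net for net in OFFICE_NETWORKS),
        "countries": sorted(countries),
        "foreign": bool(countries - HOME_COUNTRIES),
        "failed": sum(r["status"]["errorCode"] != 0 for r in rows),
        "successful": sum(r["status"]["errorCode"] == 0 for r in rows),
        "users_with_success": sorted({r["userPrincipalName"] for r in rows
                                      if r["status"]["errorCode"] == 0}),
    }


if __name__ == "__main__":
    print("impossible travel:", impossible_travel("natalie@example.com"))
    for ip in involved_ips("natalie@example.com"):
        print(ip, triage_ip(ip))
```

On the constructed log, Natalie's two office sign-ins collapse to zero distance and are ignored, but the jump from the office at 12:00 to the foreign address at 13:30 is roughly 7,700 km in 1.5 hours and is flagged. Triaging the surfaced IPs then separates the office range from the foreign address, and the foreign address shows three failed attempts followed by successful sign-ins to both Natalie's and Johanna's accounts, which is the signal that turns Johanna into a new lead.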

Now we will expand the investigation further into Natalie’s user and add Johanna to the investigation as a new lead. Once these leads are fully exhausted, you can build the incident timelines, generate summaries and share with the HR team to close this request in minutes.

Conclusion

Command Zero augments tier-2 and tier-3 analysts, threat hunters and incident responders by doing the heavy lifting. In this example, an analyst was able to review two users on the watchlist, confirm that one user didn’t have suspicious behavior and find suspicious activities for the other user, along with a new lead (Johanna) to expand the investigation.

It is now 8.47 AM on Thursday, and the initial investigation for Natalie and Steven is complete: all in 4 minutes, without technology-specific expertise or direct access to EntraID or the other systems involved in this flow. Next in this series, we’ll cover a sample use case with Okta as the identity provider.

Please check out our identity-based investigations page and use case demo to learn more.
