Step 01
Signal Ingestion
Pull events from every identity layer: Okta, Entra ID, Google Workspace, AWS IAM, on-prem AD, and SaaS audit logs, unified into one investigation pipeline.
Identity & Access
Every identity layer. One investigation.
Go beyond endpoint. Command Zero correlates across identity providers, SaaS, cloud, and on-prem to surface account compromise, privilege abuse, and access anomalies. Every investigation comes with the evidence trail attached.
The Problem
Identity is the perimeter. It's also the blind spot.
Identity now underpins every attack path. Yet most security teams investigate identity events in isolation: checking Okta for one signal, Entra ID for another, SaaS audit logs manually. Correlating across identity systems takes hours. By the time analysts connect the dots, attackers have already pivoted.
80%
of breaches involve compromised or stolen credentials
4+
identity systems the average analyst pivots through per investigation
72 hrs
average time to detect an identity-based attack
How It Works
From anomalous login to full investigation. Autonomously.
Unlike SIEM correlation rules that flag events in isolation, Command Zero investigates the full access chain across every identity system, and delivers a structured narrative before a human analyst opens the ticket.
02
Step 02
Behavioral Baseline
Map normal access patterns per user, group, and role. Flag deviations: impossible travel, off-hours access, MFA fatigue, and privilege escalation.
03
Step 03
Cross-System Correlation
Trace a compromised credential from the initial phish through IdP authentication, the SaaS pivot, and cloud resource access in a single automated investigation.
04
Step 04
Verified Verdict
Not a raw alert or a risk score. A complete access investigation narrative: what happened, which accounts were affected, what was accessed, and recommended containment.
Key Benefits
Investigate identity. Don't just alert on it.
01
Unified Identity Visibility
IdP, SaaS, cloud, and on-prem in a single investigation. No more manual pivots across five consoles.
02
Behavioral Anomaly Detection
Detect impossible travel, off-hours logins, MFA fatigue, and privilege escalation automatically, with full context on what followed.
03
Rapid Compromise Response
From suspicious login to complete investigation in under 2 minutes. Contain compromised accounts before attackers pivot to sensitive resources.
04
Compliance-Ready Evidence
Structured evidence chains for SOC 2, HIPAA, SOX, and regulatory investigations. Every access decision documented, every step auditable.
Spotlight Scenario
Compromised credential investigation.
Before
An Okta alert fires for a login from an unusual country. The analyst manually checks Okta for the session, pivots to Entra ID to verify MFA status, pulls M365 audit logs to see what was accessed, checks the endpoint for the device, and finally reviews SaaS activity for data exfiltration indicators.
Elapsed time: 45–90 minutes across five systems, if it gets investigated at all.
After
Command Zero ingests the Okta anomaly and autonomously correlates across Entra ID, M365, and SaaS audit logs in parallel. It maps the full access chain (credential theft, MFA bypass, SharePoint file access) and surfaces a complete investigation narrative with containment recommendations.
Elapsed time: Under 2 minutes. Before a human opens the ticket.
Coverage
Every identity system. Fully investigated.
IAM & Identity Providers
Okta, Azure AD / Entra ID, Ping, Google Workspace. Login anomalies, MFA abuse, session hijacking, privilege changes.
SaaS Applications
M365, Salesforce, GitHub, Slack. Data access, file sharing, OAuth grants, admin escalation, and bulk export events.
Cloud Infrastructure
AWS IAM, Azure RBAC, GCP. Role assumption, service account abuse, resource access, and policy modifications.
On-Premises Active Directory
Kerberoasting, pass-the-hash, LDAP enumeration, GPO changes, lateral movement, and domain persistence techniques.
Federated investigation: Command Zero queries your identity systems where the data lives. No ingestion pipelines, no data movement, no storage contracts. Connect a new IdP or SaaS app and it's in scope for every future investigation.
Encoded Expertise
Questions are the unit of expertise.
Every investigation starts with a question. Command Zero ships with thousands. All built from real SOC workflows, mapped to your tools.
What site access requests were approved in Microsoft 365 SharePoint or OneDrive?
Understand and monitor approved SharePoint site access requests for identifying security risks and ensuring compliance with organizational policies.
SharePoint
What secure sharing links were created in Microsoft 365 SharePoint or OneDrive by this user?
The creation of secure sharing links by a specific user in Microsoft 365 SharePoint or OneDrive, to assess security risks and detect anomalies.
SharePoint
What files were copied by this user in Microsoft 365 SharePoint or OneDrive?
Investigate and identify files copied by a user in Microsoft 365 SharePoint or OneDrive for detecting unusual behavior or security breaches.
SharePoint
What users had full access delegate permissions for their mailbox removed in Microsoft 365 Exchange?
Understand the security implications of removing full access delegate permissions and to identify the users affected by such changes.
M365 Exchange
What users had full access delegate permissions for their mailbox added in Microsoft 365 Exchange?
Which users had Full Access delegate permissions added to their mailboxes in Microsoft 365 Exchange, to determine if these additions were legitimate or indicative of a security issue.
M365 Exchange
What files were accessed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files accessed by a user in Microsoft 365 SharePoint or OneDrive to assess potential security risks and understand the user's or attacker's actions.
SharePoint
What secure sharing links were deleted in Microsoft 365 SharePoint or OneDrive by this user?
Which secure sharing links have been deleted by a specific user in Microsoft 365's SharePoint or OneDrive, to identify potential security breaches or unusual behavior.
SharePoint
What IP addresses accessed this Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific Microsoft 365 Exchange mailbox.
M365 Exchange
What Microsoft 365 SharePoint sites were visited by this user?
Investigate the SharePoint sites visited by a specific user to detect any unusual or unauthorized activity.
SharePoint
What resource access requests were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made by a user to access requests in SharePoint or OneDrive, which could reveal unauthorized or suspicious activities.
SharePoint
What groups were added in Microsoft Entra ID?
Gather information about newly added groups in Microsoft Entra ID to assess for any unusual or unauthorized changes.
Microsoft Entra ID
What groups were created by this user in Microsoft Entra ID?
The groups created by a specific user in Microsoft Entra ID to identify any potential security incidents.
Microsoft Entra ID
What files were downloaded from Microsoft 365 SharePoint or OneDrive by this user?
Understand the user's activities or actions of a potentially compromised account by analyzing downloaded files.
SharePoint
What sign-in activity originated from this user in Microsoft Entra ID?
The sign-in activity associated with a specific user in Microsoft Entra ID for security analysis purposes.
Microsoft Entra ID
What transport forwarding rules were created or enabled in Microsoft 365 Exchange?
Highlight the significance of investigating transport forwarding rules to uncover potential unauthorized activities and security breaches.
M365 Exchange
What transport forwarding rules were created or enabled by this user in Microsoft 365 Exchange?
The creation or enabling of transport forwarding rules by a user, which could indicate potential security issues.
M365 Exchange
What secure links were used to access this resource in Microsoft 365 SharePoint or OneDrive?
The usage of secure links for accessing resources in Microsoft 365 SharePoint or OneDrive for security investigation purposes.
SharePoint
What email forwarding rules were created for mailboxes in Microsoft 365 Exchange?
Guide analysts on how to investigate and determine the legitimacy of email forwarding rules that could be part of a BEC attack.
M365 Exchange
What anonymous sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to anonymous sharing links by a specific user in Microsoft 365 SharePoint or OneDrive.
SharePoint
What secure sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to secure sharing links in SharePoint or OneDrive by a specific user, which can indicate suspicious activities.
SharePoint
What site access requests were approved in Microsoft 365 SharePoint or OneDrive?
Understand and monitor approved SharePoint site access requests for identifying security risks and ensuring compliance with organizational policies.
SharePoint
What secure sharing links were created in Microsoft 365 SharePoint or OneDrive by this user?
The creation of secure sharing links by a specific user in Microsoft 365 SharePoint or OneDrive, to assess security risks and detect anomalies.
SharePoint
What files were copied by this user in Microsoft 365 SharePoint or OneDrive?
Investigate and identify files copied by a user in Microsoft 365 SharePoint or OneDrive for detecting unusual behavior or security breaches.
SharePoint
What users had full access delegate permissions for their mailbox removed in Microsoft 365 Exchange?
Understand the security implications of removing full access delegate permissions and to identify the users affected by such changes.
M365 Exchange
What users had full access delegate permissions for their mailbox added in Microsoft 365 Exchange?
Which users had Full Access delegate permissions added to their mailboxes in Microsoft 365 Exchange, to determine if these additions were legitimate or indicative of a security issue.
M365 Exchange
What files were accessed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files accessed by a user in Microsoft 365 SharePoint or OneDrive to assess potential security risks and understand the user's or attacker's actions.
SharePoint
What secure sharing links were deleted in Microsoft 365 SharePoint or OneDrive by this user?
Which secure sharing links have been deleted by a specific user in Microsoft 365's SharePoint or OneDrive, to identify potential security breaches or unusual behavior.
SharePoint
What IP addresses accessed this Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific Microsoft 365 Exchange mailbox.
M365 Exchange
What Microsoft 365 SharePoint sites were visited by this user?
Investigate the SharePoint sites visited by a specific user to detect any unusual or unauthorized activity.
SharePoint
What resource access requests were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made by a user to access requests in SharePoint or OneDrive, which could reveal unauthorized or suspicious activities.
SharePoint
What groups were added in Microsoft Entra ID?
Gather information about newly added groups in Microsoft Entra ID to assess for any unusual or unauthorized changes.
Microsoft Entra ID
What groups were created by this user in Microsoft Entra ID?
The groups created by a specific user in Microsoft Entra ID to identify any potential security incidents.
Microsoft Entra ID
What files were downloaded from Microsoft 365 SharePoint or OneDrive by this user?
Understand the user's activities or actions of a potentially compromised account by analyzing downloaded files.
SharePoint
What sign-in activity originated from this user in Microsoft Entra ID?
The sign-in activity associated with a specific user in Microsoft Entra ID for security analysis purposes.
Microsoft Entra ID
What transport forwarding rules were created or enabled in Microsoft 365 Exchange?
Highlight the significance of investigating transport forwarding rules to uncover potential unauthorized activities and security breaches.
M365 Exchange
What transport forwarding rules were created or enabled by this user in Microsoft 365 Exchange?
The creation or enabling of transport forwarding rules by a user, which could indicate potential security issues.
M365 Exchange
What secure links were used to access this resource in Microsoft 365 SharePoint or OneDrive?
The usage of secure links for accessing resources in Microsoft 365 SharePoint or OneDrive for security investigation purposes.
SharePoint
What email forwarding rules were created for mailboxes in Microsoft 365 Exchange?
Guide analysts on how to investigate and determine the legitimacy of email forwarding rules that could be part of a BEC attack.
M365 Exchange
What anonymous sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to anonymous sharing links by a specific user in Microsoft 365 SharePoint or OneDrive.
SharePoint
What secure sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to secure sharing links in SharePoint or OneDrive by a specific user, which can indicate suspicious activities.
SharePoint
What files were moved in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has moved within Microsoft 365's SharePoint or OneDrive, which is critical for a cybersecurity investigation.
SharePoint
What IP addresses accessed this user's Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific user's Microsoft 365 Exchange mailbox.
M365 Exchange
What folders were moved to the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific folders a user has moved to the recycle bin in Microsoft 365 SharePoint or OneDrive and to assess whether these actions were authorized or potentially malicious.
SharePoint
What files were renamed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has renamed in Microsoft 365 SharePoint or OneDrive to assess potential security risks.
SharePoint
What transport forwarding rules were deleted or disabled in Microsoft 365 Exchange?
Understand the significance of deleted or disabled transport forwarding rules in Microsoft 365 Exchange and the steps required to investigate such events.
M365 Exchange
What transport forwarding rules were deleted or disabled by this user in Microsoft 365 Exchange?
Which transport forwarding rules were deleted or disabled by a specific user in Microsoft 365 Exchange.
M365 Exchange
What search queries were performed against Microsoft 365 SharePoint or OneDrive by this user?
The search queries performed by a specific user in Microsoft 365 SharePoint or OneDrive to identify any unusual or potentially malicious activity.
SharePoint
What groups were updated in Microsoft Entra ID?
Which groups have been updated in Microsoft Entra ID during a specific investigation timeframe.
Microsoft Entra ID
What properties of this group were updated in Microsoft Entra ID?
The specific properties of a user group that were updated in Microsoft Entra ID to assess the security implications of those changes.
Microsoft Entra ID
What previously deleted users were restored in Microsoft Entra ID?
Which user accounts that had been previously deleted have been restored in Microsoft Entra ID, in order to identify potential security issues.
Microsoft Entra ID
What resource access requests were denied in Microsoft 365 SharePoint or OneDrive?
Identify denied access requests to SharePoint or OneDrive resources to uncover potential security risks and user behavior anomalies.
SharePoint
What users were added in Microsoft Entra ID?
The new users added to Microsoft Entra ID to identify any unusual or potentially malicious activity.
Microsoft Entra ID
What users were created by this user in Microsoft Entra ID?
The user accounts created by a specific user in Microsoft Entra ID, to investigate potential security issues.
Microsoft Entra ID
What users were removed from a group in Microsoft Entra ID?
Which users have been removed from a group in Microsoft Entra ID, which could signal a security breach.
Microsoft Entra ID
What members were removed from this group in Microsoft Entra ID?
The members who were recently removed from a specific Microsoft Entra group.
Microsoft Entra ID
What groups was this user removed from in Microsoft Entra ID?
The specific Microsoft Entra groups from which a user has been removed, which could indicate malicious activity.
Microsoft Entra ID
What files were emptied from the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific files a user has deleted from the recycling bin in Microsoft 365 SharePoint or OneDrive.
SharePoint
What emails were sent by a delegate from this user's Microsoft 365 Exchange mailbox?
The process of identifying emails sent by a delegate from a user's Microsoft 365 Exchange mailbox to assess potential security risks.
M365 Exchange
What service principals were added in Microsoft Entra ID?
Detect potential security breaches and understand the context of new service principal additions in Microsoft Entra.
Microsoft Entra ID
What files were uploaded to Microsoft 365 SharePoint or OneDrive by this user?
The details of files uploaded by a specific user to SharePoint or OneDrive in the context of a cybersecurity investigation.
SharePoint
What files were moved in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has moved within Microsoft 365's SharePoint or OneDrive, which is critical for a cybersecurity investigation.
SharePoint
What IP addresses accessed this user's Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific user's Microsoft 365 Exchange mailbox.
M365 Exchange
What folders were moved to the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific folders a user has moved to the recycle bin in Microsoft 365 SharePoint or OneDrive and to assess whether these actions were authorized or potentially malicious.
SharePoint
What files were renamed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has renamed in Microsoft 365 SharePoint or OneDrive to assess potential security risks.
SharePoint
What transport forwarding rules were deleted or disabled in Microsoft 365 Exchange?
Understand the significance of deleted or disabled transport forwarding rules in Microsoft 365 Exchange and the steps required to investigate such events.
M365 Exchange
What transport forwarding rules were deleted or disabled by this user in Microsoft 365 Exchange?
Which transport forwarding rules were deleted or disabled by a specific user in Microsoft 365 Exchange.
M365 Exchange
What search queries were performed against Microsoft 365 SharePoint or OneDrive by this user?
The search queries performed by a specific user in Microsoft 365 SharePoint or OneDrive to identify any unusual or potentially malicious activity.
SharePoint
What groups were updated in Microsoft Entra ID?
Which groups have been updated in Microsoft Entra ID during a specific investigation timeframe.
Microsoft Entra ID
What properties of this group were updated in Microsoft Entra ID?
The specific properties of a user group that were updated in Microsoft Entra ID to assess the security implications of those changes.
Microsoft Entra ID
What previously deleted users were restored in Microsoft Entra ID?
Which user accounts that had been previously deleted have been restored in Microsoft Entra ID, in order to identify potential security issues.
Microsoft Entra ID
What resource access requests were denied in Microsoft 365 SharePoint or OneDrive?
Identify denied access requests to SharePoint or OneDrive resources to uncover potential security risks and user behavior anomalies.
SharePoint
What users were added in Microsoft Entra ID?
The new users added to Microsoft Entra ID to identify any unusual or potentially malicious activity.
Microsoft Entra ID
What users were created by this user in Microsoft Entra ID?
The user accounts created by a specific user in Microsoft Entra ID, to investigate potential security issues.
Microsoft Entra ID
What users were removed from a group in Microsoft Entra ID?
Which users have been removed from a group in Microsoft Entra ID, which could signal a security breach.
Microsoft Entra ID
What members were removed from this group in Microsoft Entra ID?
The members who were recently removed from a specific Microsoft Entra group.
Microsoft Entra ID
What groups was this user removed from in Microsoft Entra ID?
The specific Microsoft Entra groups from which a user has been removed, which could indicate malicious activity.
Microsoft Entra ID
What files were emptied from the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific files a user has deleted from the recycling bin in Microsoft 365 SharePoint or OneDrive.
SharePoint
What emails were sent by a delegate from this user's Microsoft 365 Exchange mailbox?
The process of identifying emails sent by a delegate from a user's Microsoft 365 Exchange mailbox to assess potential security risks.
M365 Exchange
What service principals were added in Microsoft Entra ID?
Detect potential security breaches and understand the context of new service principal additions in Microsoft Entra.
Microsoft Entra ID
What files were uploaded to Microsoft 365 SharePoint or OneDrive by this user?
The details of files uploaded by a specific user to SharePoint or OneDrive in the context of a cybersecurity investigation.
SharePoint
Investigate Every Identity Event
See how Command Zero maps the full access chain, automatically.
Connect your identity stack and get complete investigations across every IdP, SaaS, and cloud resource from day one.
Book a DemoOkta · Entra ID · Google WorkspaceM365 · AWS · Azure · GCPUnder 2 min to verdict