Overview
Exaforce connects to Microsoft Entra ID to bring identity and access context into every detection and investigation. The platform ingests sign-in activity, conditional access decisions, device and compliance signals, directory and group changes, and user risk evaluations, then correlates that data with application, cloud, and endpoint activity. Security teams get a single place to understand who did what, from where, and under which level of trust.
How it works
Exaforce installs through a least-privilege application in Entra ID and requests permissions to access identity and activity logs, using Azure Event Hub to securely stream this telemetry into the platform. Within minutes, high-fidelity Entra ID events such as sign-ins, conditional access outcomes, device posture, and policy evaluations flow into Exaforce for correlation and analysis. The platform maps Entra ID users and groups to accounts across developer platforms, cloud consoles, productivity suites, and endpoints, blending its own analytics with Microsoft signals such as Identity Protection and sign-in risk to deliver precise detections while suppressing noise. By ingesting logs directly through Event Hub, Exaforce provides real-time visibility, guided investigations, and rich context for every identity event.
Core capabilities
Exaforce uses Entra ID as the spine of the enterprise identity graph. It ties a user in Entra ID to accounts in other systems, correlates device and network context, and adds business metadata such as employment status or team membership. The platform runs detections that include unusual session creation, factor misuse, risky new devices, sign-in anomalies from new locations or autonomous systems, and sudden permission or group changes. Microsoft signals enrich each finding with the latest intelligence on known bad addresses and automation patterns. Analysts can pivot through identity, application, and network views without leaving the investigation.
Examples of attacks caught
Exaforce frequently intercepts a threat actor who passes the password step but is stopped at the multifactor step. The platform spots multifactor fatigue campaigns by tracking rapid push prompts, repeated denials, and inconsistent device behavior. It identifies password spray activity by correlating high-volume login failures from noisy addresses and automatically suppresses repeated attempts from those sources. When these behaviors appear, Exaforce links them to the targeted identities, the applications at risk, and the geographies involved, then recommends the right action.
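As an added example (not Exaforce's own code or detection logic), the two patterns above can be written as sliding-window checks over sign-in records. The records are constructed and use Microsoft Graph signIn field names; the thresholds, window sizes and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(ts, upn, ip, code):
    # Constructed record using Microsoft Graph signIn field names.
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data. Error codes: 50126 = invalid username or password,
# 500121 = MFA challenge failed (denied or timed out), 0 = success.
SAMPLE = (
    [_rec(f"2024-05-01T10:00:{i:02d}Z", f"user{i}@example.com", "203.0.113.7", 50126)
     for i in range(12)]
    + [_rec(f"2024-05-01T11:00:{i * 10:02d}Z", "alice@example.com", "198.51.100.4", 500121)
       for i in range(5)]
    + [_rec("2024-05-01T11:05:00Z", "bob@example.com", "192.0.2.10", 50126),
       _rec("2024-05-01T11:05:30Z", "bob@example.com", "192.0.2.10", 0)]
)

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def _windowed(records, code, group_key, window, threshold, distinct_key=None):
    """Return group keys with >= threshold matching events inside any window."""
    groups = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == code:
            groups[r[group_key]].append((_ts(r), r[distinct_key] if distinct_key else None))
    flagged = set()
    for key, events in groups.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            span = events[start:end + 1]
            count = len({v for _, v in span}) if distinct_key else len(span)
            if count >= threshold:
                flagged.add(key)
                break
    return flagged

def password_spray_sources(records, window=timedelta(minutes=5), min_users=10):
    # Spray: one address failing the password step for many distinct users.
    return _windowed(records, 50126, "ipAddress", window, min_users, "userPrincipalName")

def mfa_fatigue_targets(records, window=timedelta(minutes=2), min_denials=4):
    # Fatigue: one user accumulating repeated failed MFA challenges quickly.
    return _windowed(records, 500121, "userPrincipalName", window, min_denials)
```

Counting distinct users per address, rather than raw failures, keeps a single user mistyping a password (bob in the sample) from being flagged as a spray source.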
Response actions
Security teams can reset multifactor for a user or a group when a compromise is suspected. They can reset a password and invalidate sessions to contain an account takeover. They can block an address or a range if it is used for spray or automated abuse. Optional response permissions allow approval-gated actions, so teams can move quickly with control and auditability.
Continuous posture and risk assessments
In addition to activity correlation, Exaforce continuously evaluates identity posture to detect configuration and operational risks within Entra environments. These posture findings include issues such as users missing multifactor authentication, users capable of privilege escalation, accounts with passwords not rotated for extended periods such as 90 days, and inactive Azure AD applications that may introduce exposure. These risk detections help teams identify and remediate weaknesses before they are exploited.
Benefits
Identity context shrinks the time it takes to understand an alert and reduces false positives. Correlation across tools provides a complete picture of user behavior and risk. Automation shortens the path from detection to containment. Continuous posture evaluation keeps policies aligned with best practice and reduces exposure.

