Identity Management (Entra ID)

JIT (Just-In-Time) Analysis: Real-time identity investigation

5 min read · Akuity SOC · Delphisoft Deutschland

SIEM logs are often outdated. Learn how Just-In-Time (JIT) analytics via Microsoft Graph accelerates Entra ID incident response.

In the world of cybersecurity, information has a very short expiration date. When a Security Operations Center (SOC) team is alerted to a suspicious sign-in, relying on outdated data can lead to disastrous conclusions. This is the fundamental problem with traditional SIEM architectures: they query data that was indexed 5, 10 or 15 minutes ago.

Faced with lightning-fast attacks targeting identities (such as token theft or AiTM phishing), an investigation cannot afford to wait. This is where the JIT (Just-In-Time) analysis approach comes in. Learn how real-time querying of Microsoft APIs transforms the management of identities at risk.

The problem of stale data

Let's imagine the following scenario: Microsoft Entra ID detects an anomaly and sends the event to a traditional log collector. The SIEM ingests the log, applies its correlation rules and triggers an alert on the analyst dashboard. This process introduces unavoidable latency.

When the analyst begins the investigation, it is based on the "photograph" of the incident as it was at the time of the alert. But what happens if, in the meantime, the attacker has changed IP address? What if the user's risk level has skyrocketed because a new sign-in from a Tor node (anonymized network) happened just now?

By investigating on stale data, the tier-1 SOC analyst (N1) risks classifying the incident as a false positive, leaving the door open to a cybercriminal.

The concept of Just-In-Time (JIT) Analysis

The JIT (Just-In-Time) approach reverses this paradigm. Instead of storing and indexing gigabytes of context logs, the security orchestrator queries the absolute source of truth (the Microsoft cloud) exactly when the analyst needs it.

This is the native operation of the identity management component within Akuity SOC.

How does this translate into the interface?

On the page listing suspicious Microsoft Entra ID accounts ("Identities at risk"), the analyst has a button represented by an icon in the shape of an eye. This button doesn't just open a window with pre-loaded data.

Clicking on this icon triggers a direct API request (Live Fetch) to Microsoft Graph (/identityProtection/riskyUsers/{id}/history). The side panel that opens (UserRiskDetections.tsx) then displays the status of the threat to the nearest second.

The operational advantages of JIT

  1. Absolute reliability: The analyst sees the latest weak signals. If the attacker attempts to sign in during the investigation, the event appears immediately.
  2. Performance and lightness: The Akuity database (PostgreSQL) is not weighed down by millions of context logs that will never be consulted. Only the data of the user under investigation is cached.
  3. Auditability (SOC 2): Even simply viewing a risk profile generates a certified logging event (JITRISKDETECTIONS_CONSULTATION), ensuring that every investigative action is documented and complies with the strictest audit standards.
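The following is an added example, not code from Akuity SOC or from the article. It shows the mechanism described above in the smallest runnable form: a live fetch of a user's risk history from the Microsoft Graph endpoint the article names, a stale-data check that separates detections newer than the SIEM alert from those the alert already knew about, and the JITRISKDETECTIONS_CONSULTATION audit record from the auditability point. Everything not on the page is an assumption: the request is made with urllib and a caller-supplied bearer token (token acquisition is out of scope), the items follow the public riskyUserHistoryItem schema (riskState, riskLevel, riskLastUpdatedDateTime, activity.riskEventTypes), and the sample history and alert time are constructed.

```python
"""Added example (not Akuity SOC's code): Just-In-Time risk lookup against
Microsoft Graph, the stale-data check the article describes, and the audit
record it mentions. Schema, token handling and sample data are assumptions."""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def fetch_risk_history(user_id: str, token: str) -> list[dict]:
    """Live Fetch: ask Graph directly instead of reading the SIEM's indexed copy."""
    url = f"{GRAPH_BASE}/identityProtection/riskyUsers/{user_id}/history"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call, not exercised below
        return json.load(resp).get("value", [])


def _ts(value: str) -> datetime:
    """Graph timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(items: list[dict], alert_time: datetime) -> dict:
    """Current risk state plus every detection that post-dates the SIEM alert.

    A non-empty 'since_alert' list is exactly the stale-data case: the snapshot
    the analyst was alerted on no longer describes the account.
    """
    if not items:
        return {"risk_state": "none", "risk_level": "none", "since_alert": []}
    latest = max(items, key=lambda i: _ts(i["riskLastUpdatedDateTime"]))
    since_alert = [
        {
            "at": i["riskLastUpdatedDateTime"],
            "risk_level": i["riskLevel"],
            "event_types": i.get("activity", {}).get("riskEventTypes", []),
        }
        for i in items
        if _ts(i["riskLastUpdatedDateTime"]) > alert_time
    ]
    since_alert.sort(key=lambda d: d["at"])
    return {
        "risk_state": latest["riskState"],
        "risk_level": latest["riskLevel"],
        "since_alert": since_alert,
    }


def consultation_audit_event(analyst: str, user_id: str, verdict: dict) -> dict:
    """Record that a risk profile was viewed; the event name comes from the article."""
    return {
        "event": "JITRISKDETECTIONS_CONSULTATION",
        "analyst": analyst,
        "subject": user_id,
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "risk_state_seen": verdict["risk_state"],
        "risk_level_seen": verdict["risk_level"],
    }


# Constructed sample (not real Graph output): the SIEM alert was raised at
# 10:05 on a medium-risk detection; a later detection from an anonymized IP
# (the Tor-node case from the article) lands at 10:12, after the alert.
SAMPLE_HISTORY = [
    {"id": "h1", "riskState": "atRisk", "riskLevel": "medium",
     "riskLastUpdatedDateTime": "2024-05-01T10:00:00Z",
     "activity": {"riskEventTypes": ["unfamiliarFeatures"]}},
    {"id": "h2", "riskState": "atRisk", "riskLevel": "high",
     "riskLastUpdatedDateTime": "2024-05-01T10:12:00Z",
     "activity": {"riskEventTypes": ["anonymizedIPAddress"]}},
]
SAMPLE_ALERT_TIME = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)


if __name__ == "__main__":
    verdict = triage(SAMPLE_HISTORY, SAMPLE_ALERT_TIME)
    print(json.dumps(verdict, indent=2))
    print(json.dumps(consultation_audit_event("analyst-n1", "user-123", verdict)))
```

In a real deployment `fetch_risk_history` replaces `SAMPLE_HISTORY`; the point of `triage` is that the alert timestamp, not the current clock, is the reference: anything in `since_alert` is information the SIEM-driven view would have missed, which is the false-positive risk the article describes.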

Win the race against time

Coupled with IP reputation assessment (AlienVault OTX) and Gemini AI, JIT analysis gives your defensive team a decisive information advantage. Once the freshest data is confirmed, the analyst can trigger SOAR remediation actions (session revocation, password reset) from the same unified interface, guaranteeing the immediate eradication of the threat.

No longer base your investigations on obsolete data. Experience the power of real-time analysis with our Identity Management at Risk (Entra ID) solution.

Related solution page

Identity Management at Risk (Entra ID)

Block Entra ID identity theft at every second: JIT detection, session revocation, and confirmation of compromise.

Discover the complete solution