The deliberate selection and shaping of log and event data before analysis. It is not just storage optimisation. Done well, it preserves high-value security evidence and discards noise without blinding investigators to identity-driven abuse.
Expanded Definition
telemetry curation is the controlled filtering, normalization, and prioritization of log and event streams before they are sent to analysis, retention, or detection systems. In NHI operations, it is used to preserve evidence about service accounts, API keys, tokens, certificates, and agent actions while removing repetitive or low-value noise.
This is different from simple log retention or storage optimization. Good curation decides which events must remain verbatim, which can be enriched, and which can be safely sampled. The goal is to keep identity-relevant telemetry intact enough for investigation, correlation, and governance. That often includes authentication events, privilege changes, secret access, token issuance, and suspicious tool use. The NIST Cybersecurity Framework 2.0 treats this kind of visibility work as part of operational detection and response, but no single standard governs telemetry curation itself yet.
Definitions vary across vendors when they describe filtering, parsing, enrichment, and data minimization as if they were the same thing. In practice, telemetry curation must be tuned to the identity layer, because NHI abuse often looks normal at volume but stands out in sequence, destination, or privilege context. The most common misapplication is aggressive noise reduction, which occurs when teams drop authentication and token-use events before they can be correlated across systems.
Examples and Use Cases
Implementing telemetry curation rigorously often introduces a tradeoff between lower analytics cost and higher investigative fidelity, requiring organisations to weigh fast detection pipelines against the risk of deleting the one event that proves compromise.
- Keeping full-fidelity logs for secret access and token minting, while sampling routine health-check events from the same service account.
- Normalizing identity fields across cloud and CI/CD logs so an API key, workload identity, and agent execution trace can be correlated in one incident timeline.
- Using curated event sets to preserve privilege escalation records, especially when a service account moves from read-only behavior to deployment access.
- Filtering duplicate heartbeat telemetry from agents while retaining command execution, tool invocation, and configuration-change events for later review.
- Applying curation rules informed by the Ultimate Guide to NHIs so service-account visibility remains usable without overwhelming analysts.
For identity-heavy environments, curated telemetry is often most valuable when paired with identity governance and detection logic described in the NIST Cybersecurity Framework 2.0. The point is not to keep everything, but to keep the right evidence at the right fidelity.
Why It Matters in NHI Security
Telemetry curation is a security control because NHI compromise is frequently subtle, distributed, and high-volume. When service accounts, tokens, or AI agents are operating across cloud, code, and infrastructure layers, raw logs can be too noisy to support timely detection unless they are deliberately shaped for identity investigation. That matters even more when organisations lack basic visibility into service accounts, a gap highlighted in NHIMG research where only 5.7% of organisations have full visibility into their service accounts.
Telemetry curation also supports governance by preserving the events needed to verify offboarding, rotation, and privilege reduction. Without it, teams may know a secret was used, but not where it was used, by which workload, or whether that use was legitimate. That makes incident scoping, containment, and post-incident review much harder. It also increases the chance that defenders will miss patterns tied to lateral movement or dormant credential abuse.
Organisations typically encounter the cost of poor telemetry curation only after a compromise or audit failure, at which point the missing evidence becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-08 | Telemetry curation supports detection and visibility for non-human identity abuse. |
| NIST CSF 2.0 | DE.CM | Continuous monitoring depends on curated telemetry that is useful for detection. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires strong visibility into identity actions and trust decisions. | |
| NIST SP 800-63 | Digital identity evidence depends on reliable event capture and traceability. |
Curate telemetry so trust decisions and identity activity can be verified across systems.
Related resources from NHI Mgmt Group
- When should organisations treat runtime telemetry as a primary control?
- Should organisations require security telemetry before adopting SaaS tools?
- Who should own trust telemetry when reporting spans NHI and cryptography controls?
- What should organisations control before exposing identity telemetry to AI assistants?