By NHI Mgmt Group Editorial Team
Published 2026-06-23
Domain: Governance & Risk
Source: Semperis

TL;DR: Investigation speed now depends on whether identity telemetry is usable at decision time, not just visible somewhere else, according to Semperis. It describes a Microsoft-native integration that streams Lightning Intelligence into Sentinel and Security Copilot, giving SOC teams identity context on exposure, Tier 0 paths, and posture inside existing workflows rather than in a separate console.


At a glance

What this is: This is an analysis of how Semperis integrates Lightning Intelligence with Microsoft Sentinel and Security Copilot to make identity risk operational inside SOC workflows.

Why it matters: It matters because IAM, NHI, and human identity programmes all fail when visibility exists but analysts still cannot connect exposure, privilege, and attack paths quickly enough to act.



Context

Identity security only helps the SOC when identity data is usable in the same place analysts investigate, hunt, and respond. The problem here is not alert volume by itself. It is the operational gap between exposure data, privilege context, and the tools a SOC already uses to make decisions.

Semperis is positioning Lightning Intelligence as a way to close that gap inside Microsoft Sentinel and Security Copilot. The core idea is straightforward: if analysts can correlate Tier 0 exposure, attack paths, and posture without leaving the workflow, identity risk becomes part of incident response rather than a separate follow-up task.


Key questions

Q: How should SOC teams use identity intelligence in incident response workflows?

A: SOC teams should put identity intelligence into the same investigation workflow they use for alerts and threat hunting. That means analysts should be able to correlate exposure, privilege, and attack paths without switching consoles. The goal is faster triage, clearer scoping, and better containment decisions, not more telemetry for its own sake.

Q: Why does identity context matter more than raw alert volume?

A: Raw alerts do not tell analysts which identity can reach critical assets, which privileges are exposed, or which paths matter most. Identity context turns noisy detection into actionable evidence. Without it, teams spend time chasing events that are visible but not operationally meaningful.

Q: How do organisations know if identity integrations are actually helping?

A: They should measure whether analysts can resolve identity-related alerts faster, whether hunts require fewer tool switches, and whether exposure findings become containment actions within the same workflow. If the integration only adds data but does not reduce decision time, it is not improving operations.

Q: Who should own identity risk once it appears in the SOC?

A: Ownership should sit with the team that can act on the finding in context, usually SOC operations working alongside IAM or identity engineering. The key is a clear handoff model, so identity risk does not become trapped between detection and remediation.


Technical breakdown

How Sentinel ingests identity context from Lightning Intelligence

The integration uses an Azure Function connector to pull data from Lightning REST APIs on a configurable schedule and stream it into Sentinel through DCE and DCR. That design keeps the pipeline Microsoft-native while avoiding reliance on a codeless connector alone. Each Lightning data type maps to its own Log Analytics table, which preserves structure for KQL, hunting, analytics rules, and dashboards. The important architectural point is that identity telemetry becomes queryable operational data, not a secondary export that analysts must manually reconcile.

Practical implication: treat the connector as a data-model decision, not just an ingestion task, and validate that identity tables support the hunting and alerting queries SOC teams actually run.

Why identity context changes incident response in the SOC

SOC teams lose time when they can see an alert but cannot quickly understand which identity connects to critical assets, what exposure exists, or whether the account sits near Tier 0. The integration addresses that by putting attack-path and posture context in the same analytics plane used for investigation. The append-only, time-stamped model also supports lookback analysis, while tunable retention across analytics and data lake tiers gives teams a way to balance cost and historical depth. That combination matters because identity incidents are often retrospective as much as real-time.

Practical implication: align retention, deduplication, and query patterns with investigation needs, not with generic log retention defaults.
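To make the connector design above concrete (one Azure Function pull per schedule, one DCR stream and Log Analytics table per Lightning data type, append-only rows that stay safe to re-pull), here is an added example of the shaping step such a function would run before calling the Logs Ingestion API. It is not Semperis or Microsoft code; the finding fields, table names, endpoint and DCR id are constructed, and the bearer token the caller must add is left out.

```python
"""Shape constructed Lightning-style findings into per-table Logs Ingestion API calls.
Added illustration, not vendor code: field names, stream names and endpoint are assumptions."""
import hashlib
import json
from datetime import datetime

MAX_BODY_BYTES = 1_000_000  # documented Logs Ingestion API limit: 1 MB per request

# Constructed sample of what one REST API page might return (schema is assumed).
# The second record repeats the first, as happens when paged pulls overlap.
SAMPLE_FINDINGS = [
    {"type": "exposure", "id": "exp-1001", "principal": "svc-backup", "tier0": True, "observed": "2026-06-20T10:00:00Z"},
    {"type": "exposure", "id": "exp-1001", "principal": "svc-backup", "tier0": True, "observed": "2026-06-20T10:00:00Z"},
    {"type": "attack_path", "id": "ap-7", "source": "svc-backup", "target": "DC01", "hops": 2, "observed": "2026-06-20T10:05:00Z"},
    {"type": "posture", "id": "ps-3", "score": 41, "observed": "2026-06-20T10:10:00Z"},
]

# One custom table (and therefore one DCR stream) per data type keeps KQL schemas clean.
STREAM_BY_TYPE = {
    "exposure": "Custom-LightningExposure_CL",
    "attack_path": "Custom-LightningAttackPath_CL",
    "posture": "Custom-LightningPosture_CL",
}

def dedup_key(rec: dict) -> str:
    """Stable key so repeated pulls of an append-only feed do not double-count a finding."""
    return hashlib.sha256(f"{rec['type']}|{rec['id']}|{rec['observed']}".encode()).hexdigest()

def to_rows(findings: list[dict]) -> dict[str, list[dict]]:
    """Group findings by stream, normalise the timestamp into TimeGenerated, drop exact repeats."""
    seen: set[str] = set()
    rows: dict[str, list[dict]] = {}
    for f in findings:
        key = dedup_key(f)
        if key in seen:
            continue
        seen.add(key)
        row = {k: v for k, v in f.items() if k != "type"}
        row["TimeGenerated"] = datetime.fromisoformat(f["observed"].replace("Z", "+00:00")).isoformat()
        row["DedupKey"] = key
        rows.setdefault(STREAM_BY_TYPE[f["type"]], []).append(row)
    return rows

def build_requests(dce_endpoint: str, dcr_immutable_id: str, findings: list[dict]) -> list[dict]:
    """Return one POST description per (stream, chunk), each body under the API size limit."""
    reqs: list[dict] = []
    for stream, recs in to_rows(findings).items():
        chunk: list[dict] = []
        for r in recs:
            if chunk and len(json.dumps(chunk + [r]).encode()) > MAX_BODY_BYTES:
                reqs.append(_request(dce_endpoint, dcr_immutable_id, stream, chunk))
                chunk = []
            chunk.append(r)
        if chunk:
            reqs.append(_request(dce_endpoint, dcr_immutable_id, stream, chunk))
    return reqs

def _request(dce: str, dcr_id: str, stream: str, recs: list[dict]) -> dict:
    # Documented URL shape: {DCE}/dataCollectionRules/{DCR immutable id}/streams/{stream}
    return {"url": f"{dce}/dataCollectionRules/{dcr_id}/streams/{stream}?api-version=2023-01-01",
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(recs)}
```

The DedupKey column is what a later KQL hunt or analytics rule can `summarize` on, so lookback queries across retention tiers count each finding once.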

Where Security Copilot adds value to identity hunting

Security Copilot becomes useful when it can ask structured questions over identity telemetry instead of summarising vague context. In this integration, custom agents use KQL-based tools over Lightning tables to return risk summaries, Tier 0 proximity, exposed paths, and other actionable posture indicators. They can also handle fuzzy identity matching, which reduces friction when analysts search with partial or imperfect input. That is not autonomous decision-making. It is guided analyst acceleration built on controlled access to curated identity data.

Practical implication: use Copilot to compress investigation time, but keep human review in the decision loop for remediation and escalation.


NHI Mgmt Group analysis

Identity intelligence only matters when it is available at the point of response. This integration reflects a broader market shift from standalone identity visibility to operational identity intelligence inside the SOC. The value is not another dashboard. It is reduced context switching when analysts need exposure, privilege, and attack-path data in one place. Practitioners should judge identity tooling by how well it shortens decision cycles, not by how much data it can export.

Exposure without workflow integration becomes deferred risk. Many programmes can discover risky identities, but the information remains stranded in separate consoles or specialist teams. That creates a governance lag where risk is known but not operationalised. The implication is that identity security programmes must be measured by how quickly exposure findings become investigation inputs and containment actions.

Cross-plane correlation is now a SOC requirement, not a luxury. Identity, endpoint, cloud, and detection data are no longer separable in mature environments because attack paths often traverse all four. An analyst who cannot correlate identity context to critical assets is working with incomplete evidence. Practitioners should prioritise integrations that preserve context across those planes rather than adding another isolated feed.

Operational AI in identity security is only useful when it accelerates judgment, not when it replaces it. The Security Copilot layer is most valuable when it turns KQL-backed identity data into structured answers for analysts. That is a different model from autonomous decision-making. The implication for practitioners is to keep AI constrained to guided investigation and summary, while preserving human accountability for action.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • For a broader view of why exposure and lifecycle controls matter, see 52 NHI Breaches Analysis for real-world root cause patterns across identity incidents.

What this signals

Identity context is becoming the control plane for investigation. As SOC teams standardise on platforms like Sentinel and Copilot, the question is no longer whether identity data exists. It is whether the data is structured well enough to support fast correlation across exposure, privilege, and critical assets. Practitioners should expect identity integrations to be judged by response efficiency, not by feed count.

Identity blast radius: the practical measure is how far a risky account can move before a human can intervene. When identity telemetry is queryable in the SOC, blast radius becomes visible earlier and containment becomes more precise. Teams that still separate identity evidence from incident handling will keep paying a context-switching tax.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, operational visibility alone is not enough. Security teams need workflows that turn entitlement and exposure data into action during the same investigative session.


For practitioners

  • Map identity telemetry to SOC workflows: Validate that attack-path, exposure, and posture data are available in the same investigation path analysts use for alerts, hunting, and case handling.
  • Design KQL tables for operational use: Confirm that each identity data type lands in its own queryable table with consistent timestamps so analysts can build reusable hunts and alerts.
  • Set retention by investigation need: Tune analytics and data lake retention to support lookback analysis, deduplication, and trend review without forcing unnecessary storage cost.
  • Constrain AI to guided investigation: Use Security Copilot for structured summarisation and identity lookup, but keep remediation, escalation, and access change decisions with human analysts.

Key takeaways

  • Identity risk becomes materially more useful when analysts can work on it inside the SOC workflow instead of in a separate console.
  • The integration is significant because it converts exposure and attack-path data into queryable investigation context, not just extra telemetry.
  • Security teams should evaluate identity integrations by whether they reduce decision time, narrow blast radius, and speed containment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Identity visibility and inventory are central to the integration's operational value.
NIST CSF 2.0 | DE.CM-7 | Continuous monitoring depends on correlated identity context for investigations.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege decisions depend on understanding exposure and effective access paths.

Link identity signals to monitoring workflows so analysts can act on them without context switching.


Key terms

  • Identity intelligence: Identity intelligence is contextual identity data packaged so analysts can use it during investigation and response. It combines exposure, privilege, and path information with operational metadata, allowing teams to make faster decisions without leaving the SOC workflow.
  • Tier 0 assets: Tier 0 assets are the most sensitive identity and control resources in an environment, such as domain controllers, privileged directories, and systems that govern authentication or administration. Access paths to these assets are often the highest-value route in an attack chain.
  • Attack path: An attack path is the sequence of permissions, dependencies, and exposures that can let an adversary move from one identity or system to a high-value target. In identity governance, it shows where privilege and trust combine to create exploitable reach.
  • Security Copilot agent: A Security Copilot agent is a guided assistant that uses security data and tools to answer analyst questions or automate bounded investigation steps. It is useful when it shortens analysis time, but it still depends on controlled data sources and human decision-making.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Semperis: Why integrate Semperis with Sentinel and Security Copilot? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org