Notifications
Clear all
Topic starter
09/06/2026 11:28 pm
TL;DR: Visibility into Azure Files activity, high-risk Exchange Online mailbox actions, Microsoft Copilot activity, and Azure SQL is added through new add-ons, with a live demo showing how faster filtering and cancellation can speed response and investigation, according to Netwrix. The governance question is not whether visibility improves, but whether identity teams can turn that telemetry into timely control decisions before risky changes become incidents.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams monitor risky identity activity across cloud services?
A: Security teams should define the specific actions that matter in each service, then correlate them into one review path.
Q: When does visibility become effective identity governance?
A: Visibility becomes governance when the telemetry leads to a faster, defensible decision about whether activity is normal, risky, or out of bounds.
Practitioner guidance
- Define high-risk identity actions by service and context Build a list of actions that should always be reviewed in Azure Files, Exchange Online, Copilot interactions, and Azure SQL.
- Correlate activity across collaboration, storage, and data planes Validate that your monitoring stack can link mailbox changes, file activity, and database access into one investigation view.
- Tune search filters around response, not volume Use precise filtering criteria to reduce alert noise and make cancellation or triage decisions faster.
What to expect at the briefing
Netwrix's full on-demand webinar covers the operational detail this post intentionally leaves for the source:
- Live demonstration of Azure Files activity tracking and how to use it to spot risky changes before they spread.
- Walkthrough of Exchange Online mailbox monitoring for mass deletions and inbox rule changes.
- Examples of enhanced search controls, including precise filtering and on-the-fly cancellation.
- Free add-ons showing activity tracking in Microsoft Copilot and Azure SQL.
👉 Watch Netwrix's webinar on Auditor 10.8 visibility and risk monitoring →
Netwrix Auditor 10.8 visibility updates: what IAM teams should check?
Explore further
10/06/2026 1:48 am
Visibility is now an identity control surface, not a reporting feature. Netwrix is pointing at a problem practitioners already feel: if risky activity cannot be filtered, prioritised, and interpreted quickly, the organisation has telemetry but not control. In IAM and NHI programmes, that is the difference between observability and governance. The practical conclusion is that monitoring tools should be judged by whether they shorten decision time, not by whether they produce more events.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity weakness can become a repeatable pattern.
A question worth separating out:
Q: How can teams use AI-assisted activity data without overcomplicating governance?
A: Treat AI-assisted activity as another access path that can affect sensitive data, not as a separate governance universe. If Copilot or a similar assistant can trigger actions in storage or databases, the same ownership, review, and escalation rules should apply. That keeps the programme consistent and avoids blind spots.
👉 Read our full editorial: Netwrix Auditor 10.8 adds visibility gaps identity teams need to watch
