TL;DR: Connecting identity authorization events with SIEM telemetry helps security teams correlate access changes, suspicious activity, and compliance evidence in one place, according to Opal Security. The real value is not a new dashboard but the removal of an old blind spot between identity governance and incident detection.
NHIMG editorial — based on content published by Opal Security: Unifying Identity Security in Your SIEM: How Opal and RunReveal Create Complete Security Visibility
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams correlate identity changes with SIEM alerts?
A: Security teams should send identity state changes such as token creation, group edits, MFA resets, and emergency access events into the SIEM and join them to behavioural logs in detection rules.
Q: When does identity data improve detection rather than just reporting?
A: Identity data improves detection when it is available at the same time as activity data and can be used to trigger or enrich alerts.
Q: What do security teams get wrong about access governance and SIEM tooling?
A: Teams often treat access governance and SIEM as separate control domains, which leaves a blind spot between permission change and behaviour.
Practitioner guidance
- Stream high-risk identity events into the SIEM: Send API token creation, MFA reset, break-glass use, and sensitive group membership changes into the same detection pipeline as security logs.
- Build correlation rules around entitlement change: Write detections that join privilege changes to subsequent access patterns so investigators can see whether a newly granted entitlement was used immediately and unusually.
- Prioritise sensitive identities for joined monitoring: Focus first on privileged users, break-glass accounts, and service accounts whose actions can change security posture faster than manual review can catch.
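The correlation the Q&A and the guidance above describe (join an identity state change to the behavioural logs that follow it, and alert when a fresh entitlement or break-glass grant is exercised immediately) can be expressed as a small detection over two event streams. The example below is added here and is not code from Opal Security, RunReveal, or the original post; the event schema, field names, and all records are constructed for illustration, and the 15-minute window is an assumed tuning value.

```python
"""Join identity state changes to activity logs and flag quick use of new entitlements.

Hypothetical event schema (not Opal's or RunReveal's); every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity events, as an access-governance tool might emit them.
IDENTITY_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "type": "entitlement.granted", "principal": "svc-billing",
     "entitlement": "s3:prod-billing-export", "actor": "alice"},
    {"ts": "2024-05-01T09:05:00Z", "type": "entitlement.granted", "principal": "bob",
     "entitlement": "iam:admin", "actor": "approval-workflow"},
    {"ts": "2024-05-01T10:00:00Z", "type": "break_glass.activated", "principal": "carol",
     "entitlement": "prod:root", "actor": "carol"},
]

# Constructed behavioural logs from the same window (cloud API calls, SSH logins).
ACTIVITY_LOGS = [
    {"ts": "2024-05-01T09:01:30Z", "principal": "svc-billing", "action": "s3:GetObject",
     "resource": "s3:prod-billing-export", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:02:00Z", "principal": "svc-billing", "action": "s3:GetObject",
     "resource": "s3:prod-billing-export", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T15:30:00Z", "principal": "bob", "action": "iam:CreateUser",
     "resource": "iam:admin", "src_ip": "198.51.100.2"},
    {"ts": "2024-05-01T10:00:40Z", "principal": "carol", "action": "ssh:login",
     "resource": "prod:root", "src_ip": "192.0.2.9"},
]

# Which identity event types this detection joins, and the rule name each one raises.
RULES = {
    "entitlement.granted": "new_entitlement_used_quickly",
    "break_glass.activated": "break_glass_use",
}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_entitlement_use(identity_events, activity_logs, window=timedelta(minutes=15)):
    """Join each entitlement change to later activity by the same principal on that scope.

    Returns one alert per identity event whose new entitlement was exercised within
    `window` of the change. Use long after the grant (or never) yields no alert here;
    that history remains useful for access reviews, but it is not a detection signal.
    """
    # Index activity by principal so each join scans only that principal's records.
    by_principal = defaultdict(list)
    for log in activity_logs:
        by_principal[log["principal"]].append(log)

    alerts = []
    for ev in identity_events:
        rule = RULES.get(ev["type"])
        if rule is None:
            continue
        granted_at = parse_ts(ev["ts"])
        matches, prior_use = [], False
        for log in by_principal.get(ev["principal"], []):
            if log["resource"] != ev["entitlement"]:
                continue
            t = parse_ts(log["ts"])
            if t < granted_at:
                prior_use = True  # scope was already in use; the grant is not "new" in practice
            elif t - granted_at <= window:
                matches.append((t, log))
        if not matches:
            continue
        matches.sort(key=lambda m: m[0])
        first_t, first_log = matches[0]
        alerts.append({
            "rule": rule,
            "principal": ev["principal"],
            "entitlement": ev["entitlement"],
            "granted_by": ev["actor"],
            "granted_at": ev["ts"],
            "first_use_at": first_log["ts"],
            "seconds_to_first_use": int((first_t - granted_at).total_seconds()),
            "uses_in_window": len(matches),
            "first_ever_use": not prior_use,  # no earlier use of this scope seen in the logs
            "src_ips": sorted({m[1]["src_ip"] for m in matches}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_entitlement_use(IDENTITY_EVENTS, ACTIVITY_LOGS):
        print(alert)
```

On the constructed data this raises two alerts: the service account that read from its newly granted bucket 90 seconds after the grant, and the break-glass account whose root login followed activation within a minute. Bob's admin grant produces nothing because its first use falls hours later; that is the point of joining on time, not just on identity. Each alert carries who granted the access, how fast it was used, how often, and from which source addresses, which is the context an investigator otherwise has to assemble from two consoles.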
What's in the full article
Opal Security's full post covers the operational detail this post intentionally leaves for the source:
- Specific event types streamed into RunReveal, including API token creation, MFA reset, break-glass access, and group membership changes.
- How the integration supports pre-built detections and queries in the RunReveal detections library.
- The native AI chat workflow for searching identity events and security logs during investigations.
- Implementation details for mutual customers who want to start streaming Opal events into a SIEM workflow.
Read Opal Security's analysis of identity event correlation in SIEM.