TL;DR: Investigation speed now depends on whether identity telemetry is usable at decision time, not just visible somewhere else, according to Semperis. It describes a Microsoft-native integration that streams Lightning Intelligence into Sentinel and Security Copilot, giving SOC teams identity context on exposure, Tier 0 paths, and posture inside existing workflows rather than in a separate console.
NHIMG editorial — based on content published by Semperis: Why integrate Semperis with Sentinel and Security Copilot?
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should SOC teams use identity intelligence in incident response workflows?
A: SOC teams should put identity intelligence into the same investigation workflow they use for alerts and threat hunting.
Q: Why does identity context matter more than raw alert volume?
A: Raw alerts do not tell analysts which identity can reach critical assets, which privileges are exposed, or which paths matter most.
Q: How do organisations know if identity integrations are actually helping?
A: They should measure whether analysts can resolve identity-related alerts faster, whether hunts require fewer tool switches, and whether exposure findings become containment actions within the same workflow.
Practitioner guidance
- Map identity telemetry to SOC workflows Validate that attack-path, exposure, and posture data are available in the same investigation path analysts use for alerts, hunting, and case handling.
- Design KQL tables for operational use Confirm that each identity data type lands in its own queryable table with consistent timestamps so analysts can build reusable hunts and alerts.
- Set retention by investigation need Tune analytics and data lake retention to support lookback analysis, deduplication, and trend review without forcing unnecessary storage cost.
What's in the full article
Semperis's full analysis covers the operational detail this post intentionally leaves for the source:
- Azure Function connector implementation details for streaming Lightning data into Sentinel
- KQL patterns and custom table mapping examples for hunting across identity telemetry
- Security Copilot agent workflow examples for identity lookup, summarisation, and fuzzy matching
- Configuration considerations for retention, deduplication, and schedule tuning
👉 Read Semperis's analysis of Lightning Intelligence in Microsoft Sentinel and Security Copilot →
Identity risk in Sentinel and Copilot: what SOC teams gain?
Explore further
Identity intelligence only matters when it is available at the point of response. This integration reflects a broader market shift from standalone identity visibility to operational identity intelligence inside the SOC. The value is not another dashboard. It is reduced context switching when analysts need exposure, privilege, and attack-path data in one place. Practitioners should judge identity tooling by how well it shortens decision cycles, not by how much data it can export.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should own identity risk once it appears in the SOC?
A: Ownership should sit with the team that can act on the finding in context, usually SOC operations working alongside IAM or identity engineering. The key is a clear handoff model, so identity risk does not become trapped between detection and remediation.
👉 Read our full editorial: Semperis, Sentinel and Copilot put identity risk into SOC flow