TL;DR: Investigation speed now depends on whether identity telemetry is usable at decision time, not just visible somewhere else, according to Semperis. It describes a Microsoft-native integration that streams Lightning Intelligence into Sentinel and Security Copilot, giving SOC teams identity context on exposure, Tier 0 paths, and posture inside existing workflows rather than in a separate console.
NHIMG editorial — based on content published by Semperis: Why integrate Semperis with Sentinel and Security Copilot?
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should SOC teams use identity intelligence in incident response workflows?
A: SOC teams should put identity intelligence into the same investigation workflow they use for alerts and threat hunting.
Q: Why does identity context matter more than raw alert volume?
A: Raw alerts do not tell analysts which identity can reach critical assets, which privileges are exposed, or which paths matter most.
Q: How do organisations know if identity integrations are actually helping?
A: They should measure whether analysts can resolve identity-related alerts faster, whether hunts require fewer tool switches, and whether exposure findings become containment actions within the same workflow.
Practitioner guidance
- Map identity telemetry to SOC workflows: validate that attack-path, exposure, and posture data are available in the same investigation path analysts use for alerts, hunting, and case handling.
- Design KQL tables for operational use: confirm that each identity data type lands in its own queryable table with consistent timestamps so analysts can build reusable hunts and alerts.
- Set retention by investigation need: tune analytics and data lake retention to support lookback analysis, deduplication, and trend review without forcing unnecessary storage cost.
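To make the second and third guidance items concrete, here is an added example (written for this post, not Semperis's connector code and not the Lightning Intelligence schema) of the normalisation step a connector would apply before rows reach Sentinel: each finding type is routed to its own table, every table shares one UTC TimeGenerated format, findings with no table mapping are rejected loudly rather than lost, and repeats of the same finding inside a lookback window are dropped. The table names, field names and sample findings are constructed placeholders.

```python
"""Added example: route identity findings into per-type table payloads with one
consistent UTC timestamp and deduplicate within a lookback window.
Not Semperis code; table and field names are hypothetical."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hypothetical custom table names; the real tables are not described on the page.
TABLE_BY_TYPE = {
    "attack_path": "IdentityAttackPath_CL",
    "exposure": "IdentityExposure_CL",
    "posture": "IdentityPosture_CL",
}
# Upstream sources rarely agree on a timestamp field name; accept several.
TIME_KEYS = ("observed", "detectedAt", "time", "timestamp")

# Constructed sample findings, deliberately inconsistent in timestamp format.
SAMPLE_FINDINGS = [
    {"type": "attack_path", "id": "p1", "source": "svc-backup", "target": "Domain Admins",
     "tier0": True, "observed": "2025-01-10T08:00:00Z"},
    {"type": "exposure", "id": "e1", "identity": "svc-backup",
     "issue": "unconstrained delegation", "detectedAt": 1736496000},   # epoch seconds
    {"type": "posture", "id": "s1", "score": 42, "time": "2025-01-10 08:05:00"},  # naive string
    {"type": "attack_path", "id": "p1", "source": "svc-backup", "target": "Domain Admins",
     "tier0": True, "observed": "2025-01-10T09:00:00Z"},   # same path re-reported an hour later
    {"type": "attack_path", "id": "p1", "source": "svc-backup", "target": "Domain Admins",
     "tier0": True, "observed": "2025-01-12T08:00:00Z"},   # re-reported outside the lookback
    {"type": "unknown", "id": "x1", "time": "2025-01-12T08:00:00Z"},  # no table mapping
]


def to_utc_iso(value) -> str:
    """Coerce epoch seconds, ISO 8601 strings or 'YYYY-MM-DD HH:MM:SS' into one
    ISO 8601 UTC form so every table's TimeGenerated is directly comparable."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        text = str(value).strip().replace(" ", "T")
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)
        if dt.tzinfo is None:   # assumption: naive strings are already UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise(finding: dict) -> tuple[str, dict]:
    """Return (table_name, row). Raises ValueError when the finding cannot be
    placed, so the connector fails visibly instead of silently losing telemetry."""
    table = TABLE_BY_TYPE.get(finding.get("type"))
    if table is None:
        raise ValueError(f"no table mapping for finding type {finding.get('type')!r}")
    raw_time = next((finding[k] for k in TIME_KEYS if k in finding), None)
    if raw_time is None:
        raise ValueError(f"finding {finding.get('id')!r} has no timestamp")
    row = {k: v for k, v in finding.items() if k not in TIME_KEYS and k not in ("type", "id")}
    row["FindingId"] = finding["id"]
    row["TimeGenerated"] = to_utc_iso(raw_time)
    return table, row


class Deduplicator:
    """Remember finding fingerprints for a lookback window (the same window an
    analytics rule would query) and drop repeats that fall inside it.
    Assumes findings arrive in roughly chronological order."""

    def __init__(self, lookback: timedelta):
        self.lookback = lookback
        self._seen = {}   # fingerprint -> TimeGenerated of first sighting

    @staticmethod
    def fingerprint(table: str, row: dict) -> str:
        # Timestamp is excluded: a re-scan of the same exposure is not a new finding.
        body = json.dumps({k: v for k, v in row.items() if k != "TimeGenerated"}, sort_keys=True)
        return hashlib.sha256(f"{table}|{body}".encode()).hexdigest()

    def is_new(self, table: str, row: dict) -> bool:
        when = datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        cutoff = when - self.lookback
        self._seen = {fp: t for fp, t in self._seen.items() if t >= cutoff}  # evict old entries
        fp = self.fingerprint(table, row)
        if fp in self._seen:
            return False
        self._seen[fp] = when
        return True


def build_batches(findings, lookback=timedelta(hours=24)):
    """Group normalised rows per table; returns (batches, rejected)."""
    dedup = Deduplicator(lookback)
    batches = {table: [] for table in TABLE_BY_TYPE.values()}
    rejected = []
    for finding in findings:
        try:
            table, row = normalise(finding)
        except ValueError as exc:
            rejected.append((finding.get("id"), str(exc)))
            continue
        if dedup.is_new(table, row):
            batches[table].append(row)
    return batches, rejected


if __name__ == "__main__":
    batches, rejected = build_batches(SAMPLE_FINDINGS)
    for table, rows in batches.items():
        print(table, [r["TimeGenerated"] for r in rows])
    print("rejected:", rejected)
```

With the constructed sample, the attack-path table receives two rows (the 08:00 sighting and the one re-reported two days later), the 09:00 repeat is dropped because it falls inside the 24-hour window, and the unmapped finding is reported rather than discarded. The lookback passed to build_batches is the knob the third guidance item refers to: it should match the window analysts actually query, not the storage tier's default.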
What's in the full article
Semperis's full analysis covers the operational detail this post intentionally leaves for the source:
- Azure Function connector implementation details for streaming Lightning data into Sentinel
- KQL patterns and custom table mapping examples for hunting across identity telemetry
- Security Copilot agent workflow examples for identity lookup, summarisation, and fuzzy matching
- Configuration considerations for retention, deduplication, and schedule tuning
Read Semperis's analysis of Lightning Intelligence in Microsoft Sentinel and Security Copilot.
Identity risk in Sentinel and Copilot: what SOC teams gain?