Security teams do not need more disconnected alerts. They need better context.
That’s especially true in identity security, where the difference between a suspicious event and a real threat often comes down to understanding exposure, privilege, attack paths, and what matters most operationally. If your SOC can see an alert but can’t quickly understand how that identity connects to critical assets, you haven’t improved response. You’ve just added another screen to look at.
That’s why I am excited about the work Semperis has done with Microsoft Sentinel and Security Copilot.
We now have a working, field-ready integration that brings Semperis Lightning Intelligence into the Microsoft security ecosystem using Microsoft-native building blocks, including Azure Functions, data collection endpoints and rules (DCE/DCR), Log Analytics workspace tables, KQL, Security Copilot, and MCP.
From the outside, that may sound like an integration story. In practice, it is something more important: a way to make identity risk actionable inside the workflows security teams already use every day.
Why integrate Semperis with Sentinel and Copilot?
The real problem isn’t alert volume. It’s missing identity context.
For years, defenders have struggled with a gap between identity visibility and operational response. You might know that a user is risky, or that an environment has dangerous exposure, but that knowledge often lives in a separate console, separate dataset, or separate team conversation.
Meanwhile, the SOC is moving fast. Analysts need to investigate incidents, hunt for threats, and answer critical questions without losing time by constantly switching tools. That’s where identity security too often breaks down.
Our approach with Lightning Intelligence has always been to focus on what matters most from the defender’s perspective, especially the paths that lead to critical Tier 0 assets.
The Microsoft integration extends that philosophy into the SOC workflow by making Lightning data available directly in Sentinel, where analysts can query it, correlate it, and use it in active investigations.
That matters because identity is no longer a niche security domain. It is central to modern attack paths across hybrid environments.
How the integration works: Microsoft-native, built for real operations
One thing I care about in any security integration is whether it is practical.
- Can it scale?
- Can it fit the customer’s existing architecture?
- Can teams actually use it in production?
In this case, all the answers are yes.
The integration uses a production-grade Azure Function–based connector to pull data from the Lightning REST APIs on a configurable schedule and stream it into Sentinel via DCE/DCR. That gives customers a more robust option than relying on the codeless connector framework alone, while still staying fully Azure-native.
It also matters that this is not limited to a narrow subset of telemetry. The integration ingests all Lightning data types and supported identity providers exposed by the API, including Active Directory, Entra ID, and other supported sources. In other words, Sentinel gets a broader, more complete picture of hybrid identity posture and attack paths, not just a partial view of AD-specific events.
Each Lightning data type is mapped to its own custom table in the Log Analytics workspace, which means teams can use that data as a first-class input for KQL queries, dashboards, hunting scenarios, and analytics rules. That is an important design choice.
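To make the connector design concrete, here is an added Python sketch of the pull-and-push loop described above. It is illustrative code written for this page, not the Semperis connector: the Lightning data type names, the custom table names, and the record fields are assumptions, while the table naming rule (DCR-fed custom tables end in `_CL` and are written through a `Custom-<table>` stream) and the `azure-monitor-ingestion` upload call are the real Logs Ingestion API conventions. The fetch and upload steps are injected so the shaping logic can be exercised offline with constructed sample data.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Iterable

# Assumed mapping from a Lightning data type to its own Log Analytics custom
# table. Custom tables fed through a DCR must end in "_CL", and the matching
# DCR stream is "Custom-<table>". The data type names are placeholders.
TABLE_MAP = {
    "attack_paths": "SemperisAttackPaths_CL",
    "indicators": "SemperisIndicators_CL",
}

MAX_BATCH = 500  # rows per upload call; keeps each request well under the 1 MB API limit


def stream_name(table: str) -> str:
    """DCR stream name for a custom table."""
    return f"Custom-{table}"


def shape_rows(data_type: str, records: Iterable[dict], collected_at: datetime) -> tuple:
    """Map raw API records onto a flat, append-only row schema.

    Every row carries the collection timestamp as TimeGenerated, so repeated
    syncs of the same finding produce a time series rather than overwrites.
    Records without a stable id are dropped, since later deduplication keys on it.
    """
    if data_type not in TABLE_MAP:
        raise ValueError(f"unknown data type: {data_type}")
    ts = collected_at.astimezone(timezone.utc).isoformat()
    rows = []
    for rec in records:
        if not rec.get("id"):
            continue
        rows.append({
            "TimeGenerated": ts,
            "DataType": data_type,
            "SourceId": str(rec["id"]),
            "Provider": rec.get("provider", "unknown"),  # e.g. ActiveDirectory / EntraID
            "Severity": str(rec.get("severity", "info")).lower(),
            "Payload": json.dumps(rec, sort_keys=True),  # full record kept for hunting
        })
    return TABLE_MAP[data_type], rows


def batches(rows: list, size: int = MAX_BATCH):
    """Yield fixed-size chunks so a large sync never exceeds one request's limit."""
    for i in range(0, len(rows), size):
        yield rows[i:i + size]


def sync_once(fetch: Callable, upload: Callable, now: datetime = None) -> dict:
    """One scheduled run: pull each data type, shape it, push it in batches.

    fetch(data_type)     -> list of raw records (hypothetical Lightning REST client)
    upload(stream, rows) -> None (Logs Ingestion API client, injected)
    Returns a per-table count of rows sent, useful for the function's log line.
    """
    now = now or datetime.now(timezone.utc)
    sent = {}
    for data_type in TABLE_MAP:
        table, rows = shape_rows(data_type, fetch(data_type), now)
        for chunk in batches(rows):
            upload(stream_name(table), chunk)
        sent[table] = len(rows)
    return sent


def azure_uploader(dce_endpoint: str, dcr_immutable_id: str) -> Callable:
    """Real uploader for use inside an Azure Function (azure-monitor-ingestion SDK).
    Imported lazily so this module still runs offline without the Azure packages."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.ingestion import LogsIngestionClient

    client = LogsIngestionClient(endpoint=dce_endpoint, credential=DefaultAzureCredential())

    def upload(stream: str, rows: list) -> None:
        client.upload(rule_id=dcr_immutable_id, stream_name=stream, logs=rows)

    return upload


if __name__ == "__main__":
    # Constructed sample data standing in for the Lightning API responses.
    SAMPLE = {
        "attack_paths": [
            {"id": "ap-1", "provider": "ActiveDirectory", "severity": "High",
             "source": "CN=helpdesk", "target": "Domain Admins"},
            {"provider": "EntraID"},  # no id -> dropped
        ],
        "indicators": [
            {"id": "ioe-7", "provider": "EntraID", "severity": "Medium",
             "name": "Stale privileged account"},
        ],
    }
    print(sync_once(lambda t: SAMPLE[t], lambda s, rows: print(s, len(rows))))
```

In a real deployment the timer-triggered function would call `sync_once(fetch, azure_uploader(DCE_ENDPOINT, DCR_ID))` on the configured schedule, with the DCR's stream declarations matching the row keys above; the function's managed identity needs the Monitoring Metrics Publisher role on the DCR, not on the workspace.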
Good integrations do not just move data. They make data usable.
What does the Semperis integration change for the SOC?
The most immediate value is in incident response and threat hunting.
When an analyst receives an alert on an identity, they can pivot directly in Sentinel to Lightning-derived context such as attack paths, Tier 0 exposure, and posture indicators, without leaving the Microsoft security environment. That reduces friction at the exact moment when speed and clarity matter most.
The data model also supports both current-state triage and historical investigation. Because the data is append-only and time-stamped, and because retention can be tuned across analytics and data lake tiers, teams can use it for live investigations as well as lookbacks and trend analysis. Deduplication can then be handled at the query or agent level.
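The append-only model has one consequence worth seeing in code: a remediated finding is never deleted, it just stops appearing in later syncs, so "latest row per finding" (KQL's `summarize arg_max(TimeGenerated, *) by SourceId`) is not the same as "current state". The added Python below, written for this page and not taken from the Semperis agents, runs both views plus a trend count over constructed rows in the shape the connector would write. It assumes each sync stamps all its rows with one collection time (in a real KQL query you would `bin()` TimeGenerated to the sync interval instead); this is also the kind of logic an agent-level KQL tool would apply before summarizing an identity's posture.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed rows in the connector's custom-table shape: three hourly syncs of
# two attack-path findings. ap-1 is re-rated medium -> high; ap-2 disappears in
# the last sync (remediated), but its earlier rows remain in the table.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
ROWS = [
    {"TimeGenerated": T0, "SourceId": "ap-1", "Severity": "medium"},
    {"TimeGenerated": T0, "SourceId": "ap-2", "Severity": "high"},
    {"TimeGenerated": T0 + timedelta(hours=1), "SourceId": "ap-1", "Severity": "high"},
    {"TimeGenerated": T0 + timedelta(hours=1), "SourceId": "ap-2", "Severity": "high"},
    {"TimeGenerated": T0 + timedelta(hours=2), "SourceId": "ap-1", "Severity": "high"},
]


def sync_times(rows: list) -> list:
    """Distinct collection timestamps, oldest first (one per connector run)."""
    return sorted({r["TimeGenerated"] for r in rows})


def latest_per_id(rows: list) -> dict:
    """Query-level dedup: the most recent row for each finding.
    Equivalent to `summarize arg_max(TimeGenerated, *) by SourceId` in KQL.
    Note it still returns ap-2 with a stale timestamp after remediation."""
    best = {}
    for r in rows:
        cur = best.get(r["SourceId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            best[r["SourceId"]] = r
    return best


def current_state(rows: list) -> dict:
    """Triage view: only findings observed in the most recent sync."""
    last = sync_times(rows)[-1]
    return {r["SourceId"]: r for r in rows if r["TimeGenerated"] == last}


def resolved_since_previous(rows: list) -> set:
    """Findings present in the previous sync but absent from the latest one.
    With append-only data this set difference is how remediation shows up."""
    times = sync_times(rows)
    if len(times) < 2:
        return set()
    prev = {r["SourceId"] for r in rows if r["TimeGenerated"] == times[-2]}
    last = {r["SourceId"] for r in rows if r["TimeGenerated"] == times[-1]}
    return prev - last


def severity_trend(rows: list, severity: str = "high") -> list:
    """Lookback view: count of findings at a given severity per sync."""
    counts = defaultdict(int)
    for r in rows:
        if r["Severity"] == severity:
            counts[r["TimeGenerated"]] += 1
    return [(t, counts[t]) for t in sync_times(rows)]


if __name__ == "__main__":
    print("arg_max view:", {k: v["TimeGenerated"].isoformat() for k, v in latest_per_id(ROWS).items()})
    print("current state:", sorted(current_state(ROWS)))
    print("resolved:", resolved_since_previous(ROWS))
    print("high trend:", [(t.isoformat(), n) for t, n in severity_trend(ROWS)])
```

The practical takeaway for analytics rules: alert on `current_state`-style queries (latest sync only) to avoid re-firing on findings that were already fixed, and reserve the `arg_max` form for enrichment, where knowing when a finding was last seen is exactly the point.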
Operationally, the default hourly sync strikes a practical balance between freshness and cost, while still allowing polling to be adjusted based on customer requirements. That is the kind of tradeoff mature security teams appreciate.
You do not need theoretical perfection. You need usable data, timely enough to matter, in a format that fits your workflows and budget.
Where AI becomes genuinely useful
There is a lot of noise in the market around AI in security. My view is simple:
AI is useful only when it helps analysts move faster with better judgment.
That is why I see the Security Copilot part of this story as especially compelling.
Semperis has built and demonstrated custom Security Copilot agents that operate entirely within the Microsoft security stack, using KQL-based tools over Lightning tables in Sentinel.
- These agents can work in both task-based and conversational modes. They can take an identity as input and return a structured risk and posture summary, including exposed paths, Tier 0 proximity, and risky indicators.
- They can also handle typos and fuzzy matches by searching for similar identities and retrying automatically, which sounds small until you think about how often that kind of friction slows investigations down in the real world.
- More important, they can answer higher-order questions that matter to defenders, such as who the riskiest attackers are or which Tier 0 targets are most exposed, by using additional KQL tools over the integrated data.
That is where AI starts to move from novelty to operational value. It is not replacing the analyst. It is accelerating the analyst’s ability to turn identity telemetry into insight.
And because these agents can be published through the Microsoft Security Store, joint customers can discover, deploy, and operate the connector and agents directly from within Microsoft’s ecosystem.
Why this matters strategically
At a higher level, this integration reflects where security architecture is going.
- Sentinel becomes the central analytics and hunting plane. Tiered storage supports operational flexibility and cost control.
- Security Copilot adds an AI orchestration layer on top for analysts and responders.
For organizations already standardizing on Security Copilot, the model also aligns with Microsoft’s approach to secure, customer-provisioned AI compute and metering.
That combination is powerful because it does not force defenders to choose between identity depth and platform consistency. They can have both.
Security teams already know identity is a critical battleground. The next step is making identity intelligence available where decisions get made. With Semperis Lightning Intelligence, Microsoft Sentinel, and Security Copilot working together, that future is already taking shape.
Learn more about Lightning Intelligence and see videos of it in action.
Want to understand specifically how Lightning Intelligence can benefit your organization? Request a demo. We’re here to help.
