1
00:00:03,600 --> 00:00:05,759
Welcome to episode 412
2
00:00:05,759 --> 00:00:08,820
of the Microsoft Cloud IT Pro podcast recorded
3
00:00:08,880 --> 00:00:11,460
live on 10/03/2025.
4
00:00:11,599 --> 00:00:14,000
This is a show about Microsoft 365
5
00:00:14,000 --> 00:00:16,125
and Azure from the perspective of IT
6
00:00:16,125 --> 00:00:18,364
pros and end users, where we discuss a
7
00:00:18,364 --> 00:00:20,605
topic or recent news and how it relates
8
00:00:20,605 --> 00:00:23,484
to you. Microsoft Sentinel gets its own data
9
00:00:23,484 --> 00:00:26,765
lake, graph, and MCP server, and we have
10
00:00:26,765 --> 00:00:29,085
all the details. Whether you're a seasoned SOC
11
00:00:29,085 --> 00:00:31,929
analyst or just getting started with cloud security,
12
00:00:32,070 --> 00:00:34,070
you don't want to miss the powerful new
13
00:00:34,070 --> 00:00:37,770
ways to detect threats, investigate incidents, and understand
14
00:00:37,829 --> 00:00:41,289
your security posture that these new features offer.
15
00:00:43,510 --> 00:00:45,350
I have a problem, Scott. Is that the
16
00:00:45,350 --> 00:00:47,655
first thing to having a problem is admitting
17
00:00:47,655 --> 00:00:49,335
you have a problem? It's part of the
18
00:00:49,335 --> 00:00:51,414
steps. Yeah. Oh, weird. Now Teams is kinda
19
00:00:51,414 --> 00:00:52,774
doing it for me, but I only see
20
00:00:52,774 --> 00:00:54,554
it in Teams, like, with your video.
21
00:00:56,295 --> 00:00:59,494
Microsoft is gonna Microsoft. No. I squirrel yeah.
22
00:00:59,494 --> 00:01:01,034
Squirrel. Logitech MX
23
00:01:01,469 --> 00:01:03,950
Master four came out the other day, and
24
00:01:03,950 --> 00:01:05,310
I may have bought two, like, the day
25
00:01:05,310 --> 00:01:06,909
it came out for same day delivery on
26
00:01:06,909 --> 00:01:08,450
Amazon. I have a problem.
27
00:01:10,030 --> 00:01:11,709
I needed one for my desk and one
28
00:01:11,709 --> 00:01:13,150
for when I'm not at my desk. Okay.
29
00:01:13,150 --> 00:01:15,170
So you're gonna be living that haptic
30
00:01:15,734 --> 00:01:16,715
mouse lifestyle,
31
00:01:17,174 --> 00:01:18,935
I'm looking at my mouse as I talk
32
00:01:18,935 --> 00:01:21,114
about it. The haptic to me is like,
33
00:01:21,814 --> 00:01:23,494
whatever. I like the way they move the
34
00:01:23,494 --> 00:01:26,215
button though because I had the Logitech MX
35
00:01:26,215 --> 00:01:27,814
Master three s two, and they had, like,
36
00:01:27,814 --> 00:01:29,334
the thumb button that was like under your
37
00:01:29,334 --> 00:01:31,209
thumb knuckle, and that was just a weird
38
00:01:31,209 --> 00:01:32,810
motion for me to push down on the
39
00:01:32,810 --> 00:01:34,810
thumb knuckle. They kinda moved it up so
40
00:01:34,810 --> 00:01:36,729
you can now push in with your thumb
41
00:01:36,729 --> 00:01:39,229
to get that button, which is kinda nice.
42
00:01:39,289 --> 00:01:40,429
But I'm still
43
00:01:41,129 --> 00:01:43,314
it feels different than the three s, and
44
00:01:43,314 --> 00:01:45,314
I've seen some other comments about this. I
45
00:01:45,314 --> 00:01:47,734
don't know if it's a little bit thinner
46
00:01:47,795 --> 00:01:49,174
or if it's not the rubbery.
47
00:01:49,474 --> 00:01:51,314
But do you when you use a mouse,
48
00:01:51,314 --> 00:01:53,155
do you, like, squeeze it and pick it
49
00:01:53,155 --> 00:01:54,674
up sometimes and move it around on your
50
00:01:54,674 --> 00:01:56,834
desk because you run into your keyboard or
51
00:01:56,834 --> 00:01:57,575
run into
52
00:01:58,030 --> 00:01:59,490
something else on your desk.
53
00:02:00,030 --> 00:02:02,049
All the time. I couldn't tell you why.
54
00:02:02,189 --> 00:02:05,469
That feels different on this mouse, and it's,
55
00:02:05,469 --> 00:02:07,630
like, not as comfortable different. Like, it's a
56
00:02:07,630 --> 00:02:09,710
little bit harder for me to grab and
57
00:02:09,710 --> 00:02:12,144
pick up, and I couldn't tell you exactly
58
00:02:12,144 --> 00:02:13,504
why. I'd have to, like, get them and
59
00:02:13,504 --> 00:02:15,185
put them side by side. But I've seen
60
00:02:15,185 --> 00:02:17,424
some other people make some similar comments about
61
00:02:17,424 --> 00:02:20,305
it. I've got a three an MX Master
62
00:02:20,305 --> 00:02:22,704
three and a three s, and because same
63
00:02:22,704 --> 00:02:25,025
thing. Like, hey, like day mouse, night mouse,
64
00:02:25,025 --> 00:02:25,525
or
65
00:02:25,870 --> 00:02:27,389
you need one in your backpack when you
66
00:02:27,389 --> 00:02:29,550
travel, things like that. I don't like how
67
00:02:29,550 --> 00:02:31,629
the rubber always, like, gives way on them,
68
00:02:31,629 --> 00:02:33,710
and they are actually kind of big. So
69
00:02:33,710 --> 00:02:35,230
I think what I'm gonna do is rather
70
00:02:35,230 --> 00:02:36,370
than go into the MX4,
71
00:02:36,830 --> 00:02:38,189
I'm gonna go to maybe one of, like,
72
00:02:38,189 --> 00:02:40,805
the gaming mice, like a high DPI gaming
73
00:02:40,805 --> 00:02:42,745
mouse, and so Logitech
74
00:02:43,284 --> 00:02:45,525
has some of those as well. And then
75
00:02:45,525 --> 00:02:49,305
my honestly, my biggest nit about the MX
76
00:02:49,365 --> 00:02:49,865
Master
77
00:02:50,485 --> 00:02:52,085
in general is, like, it's got, like, great
78
00:02:52,085 --> 00:02:55,090
ergonomics with this, like, slant on the front
79
00:02:55,090 --> 00:02:57,330
of it. But the slant for the right
80
00:02:57,330 --> 00:02:57,830
button,
81
00:02:58,129 --> 00:03:00,689
it slides right underneath the charging mat for
82
00:03:00,689 --> 00:03:02,849
my Ember Mug. So, like, if I'm sliding
83
00:03:02,849 --> 00:03:04,370
my hand up because I'm gonna go grab
84
00:03:04,370 --> 00:03:05,969
my coffee and then but then I've got
85
00:03:05,969 --> 00:03:07,490
my mouse there too, and I'm just gonna,
86
00:03:07,490 --> 00:03:09,754
like, park my mouse up there, It gets
87
00:03:09,754 --> 00:03:12,094
all the way up, and it goes underneath,
88
00:03:12,314 --> 00:03:13,514
like, the little charging
89
00:03:14,314 --> 00:03:16,314
like, the charging pad for the Ember Mug
90
00:03:16,314 --> 00:03:17,995
kinda thing. And then it gets stuck there
91
00:03:17,995 --> 00:03:20,814
or it just clicks, and every single time.
92
00:03:21,819 --> 00:03:23,020
So I need a mouse that's, like, a
93
00:03:23,020 --> 00:03:25,419
little bit taller or where both the buttons
94
00:03:25,419 --> 00:03:27,340
are shorter, and then I can just I
95
00:03:27,340 --> 00:03:29,659
can live a different life. First world problems
96
00:03:29,659 --> 00:03:31,500
when your mouse and your It's hard to
97
00:03:31,500 --> 00:03:34,235
be over here. Yeah. First world problems, for
98
00:03:34,235 --> 00:03:36,395
sure. Your Ember Mug and your mouse are
99
00:03:36,395 --> 00:03:38,555
not compatible. They're not. Yeah. So the one
100
00:03:38,555 --> 00:03:40,875
thing I like, I've tried other mice before.
101
00:03:40,875 --> 00:03:43,514
I've played with different ones. I haven't looked
102
00:03:43,514 --> 00:03:45,034
enough at the gaming mice. Do any of
103
00:03:45,034 --> 00:03:46,655
the gaming mice have the horizontal
104
00:03:47,194 --> 00:03:47,694
scroll
105
00:03:48,395 --> 00:03:50,239
it's not real I guess it's a scroll
106
00:03:50,239 --> 00:03:51,939
wheel, the horizontal scroll
107
00:03:52,400 --> 00:03:54,479
wheel thing on them. Some do. So I've
108
00:03:54,479 --> 00:03:56,400
mostly looked at, like, the not I'm not
109
00:03:56,400 --> 00:03:58,159
talking all about, like, a Razer gaming mouse,
110
00:03:58,159 --> 00:04:00,479
but Logitech makes, like, a G series. So
111
00:04:00,479 --> 00:04:01,759
if you go look at, like, the G
112
00:04:01,759 --> 00:04:03,439
series, they have the same thing with the
113
00:04:03,439 --> 00:04:04,685
infinite scroll
114
00:04:05,784 --> 00:04:07,885
and all they have a lot of similarities
115
00:04:08,504 --> 00:04:11,325
to the MX masters just without
116
00:04:11,784 --> 00:04:13,004
the ergonomics
117
00:04:13,305 --> 00:04:13,805
slash
118
00:04:14,185 --> 00:04:16,585
productivity thing. And then I guess one other
119
00:04:16,585 --> 00:04:18,740
question for you before we move on. So
120
00:04:19,040 --> 00:04:20,180
Logitech makes
121
00:04:20,480 --> 00:04:20,980
absolutely
122
00:04:21,360 --> 00:04:25,120
horrible software. Like their software is the worst
123
00:04:25,120 --> 00:04:28,240
in Logi options and things like that. My
124
00:04:28,240 --> 00:04:30,480
understanding was for the MX4 and what I
125
00:04:30,480 --> 00:04:32,694
saw in the reviews was for that haptic
126
00:04:32,694 --> 00:04:35,574
trackpad with the little, like, pioneer ish circle
127
00:04:35,574 --> 00:04:37,894
that comes up, that requires Logi
128
00:04:37,894 --> 00:04:38,394
options.
129
00:04:38,855 --> 00:04:41,115
And I don't think I'm willing to reinstall
130
00:04:41,254 --> 00:04:43,574
Logi options on my Mac. Like, I've ripped
131
00:04:43,574 --> 00:04:45,415
it off so many times and just don't
132
00:04:45,415 --> 00:04:47,529
use it. See, I've always had it on
133
00:04:47,529 --> 00:04:48,029
because
134
00:04:48,330 --> 00:04:50,269
I use it for, like, my spotlight
135
00:04:50,730 --> 00:04:51,230
presenter
136
00:04:51,689 --> 00:04:52,189
and,
137
00:04:52,569 --> 00:04:55,610
yeah, I've just resigned myself to the fact
138
00:04:55,610 --> 00:04:57,769
that I need it on there. So but
139
00:04:57,769 --> 00:04:59,615
that is I've seen the same thing, and
140
00:04:59,615 --> 00:05:01,535
I've had Logi options, so I haven't tried
141
00:05:01,535 --> 00:05:02,915
it without it. But
142
00:05:03,375 --> 00:05:06,254
given how it works, it feels like it
143
00:05:06,254 --> 00:05:08,495
would not work without the software. But the
144
00:05:08,495 --> 00:05:10,495
rubber thing that you said, that's the other
145
00:05:10,495 --> 00:05:14,009
thing that people have not liked. Well, mixed
146
00:05:14,009 --> 00:05:16,089
reviews on it is that this one, they
147
00:05:16,089 --> 00:05:18,170
took away a lot of the rubber. It's
148
00:05:18,170 --> 00:05:20,810
much more hard plastic than rubber on the
149
00:05:20,810 --> 00:05:23,389
four. That's good though. Like, because the rubber
150
00:05:23,449 --> 00:05:25,209
the other thing is, like, if you I
151
00:05:25,209 --> 00:05:27,769
mean, if you just Mine looks Yeah. It's
152
00:05:27,769 --> 00:05:28,509
pretty bad.
153
00:05:28,985 --> 00:05:30,584
Like, I'd be willing to throw them out
154
00:05:30,584 --> 00:05:32,665
just based on the and you can't really
155
00:05:32,665 --> 00:05:34,745
clean them either. Like, they start to, like,
156
00:05:34,745 --> 00:05:36,745
eat away and disintegrate, and, yeah, they're just
157
00:05:36,745 --> 00:05:38,105
not Doctor. Because it's rubber. Like Doctor. Not
158
00:05:38,185 --> 00:05:39,865
Doctor. Whatever you'd use to clean it would
159
00:05:39,865 --> 00:05:42,745
disintegrate the rubber, make it worse, and yeah.
160
00:05:42,745 --> 00:05:44,789
So it is much more hard plastic with
161
00:05:44,789 --> 00:05:47,189
the four. But it again, because of that,
162
00:05:47,189 --> 00:05:48,550
I'm so used to the rubber on the
163
00:05:48,550 --> 00:05:50,550
three s. It does it just feels different,
164
00:05:50,550 --> 00:05:51,909
and that might even be part of the
165
00:05:51,909 --> 00:05:54,409
grip thing as it just isn't as sticky.
166
00:05:54,550 --> 00:05:55,750
I don't know. I don't know if you
167
00:05:55,750 --> 00:05:57,269
want your mouse to be sticky or if
168
00:05:57,269 --> 00:05:58,949
that's just gross if you have a sticky
169
00:05:58,949 --> 00:06:01,194
mouse. Not the way that you said sticky
170
00:06:01,334 --> 00:06:03,274
the first time, but, you know.
171
00:06:04,055 --> 00:06:05,735
Yeah. Okay. New mice are out there. So
172
00:06:05,735 --> 00:06:08,295
if anybody has a suggestion for Scott on
173
00:06:08,295 --> 00:06:10,954
a mouse that is not the MX Master
174
00:06:11,814 --> 00:06:13,814
four or the MX Master three or the
175
00:06:13,814 --> 00:06:16,269
three s, but, you know, maybe something
176
00:06:16,269 --> 00:06:18,189
to move on to next. The other one
177
00:06:18,189 --> 00:06:20,529
I've been toying with, and not that I
178
00:06:20,829 --> 00:06:22,750
have it, I haven't had RSI for a
179
00:06:22,750 --> 00:06:25,709
long time, but thankfully, but I was thinking
180
00:06:25,709 --> 00:06:27,389
about, like, maybe going back to a vertical
181
00:06:27,389 --> 00:06:29,284
mouse for a little bit and trying some
182
00:06:29,284 --> 00:06:31,704
of that. Doesn't Keychron I feel like Keychron
183
00:06:32,004 --> 00:06:35,865
did Keychron make, like, an knockoff MX Master?
184
00:06:36,564 --> 00:06:39,064
They made something. Yeah. It's not that one.
185
00:06:39,125 --> 00:06:40,425
Yeah. They have some
186
00:06:40,805 --> 00:06:42,485
I haven't tried theirs. This one, like, the
187
00:06:42,485 --> 00:06:44,550
Keychron m six
188
00:06:44,930 --> 00:06:47,430
wireless totally looks like a knockoff of the
189
00:06:47,490 --> 00:06:48,389
MX Master.
190
00:06:49,410 --> 00:06:51,730
Yeah. They've got some. Anyways, yes. Give Scott
191
00:06:51,730 --> 00:06:54,550
a suggestion. Reach out to Scott on LinkedIn.
192
00:06:54,770 --> 00:06:56,689
Let him know which mouse he should get,
193
00:06:56,689 --> 00:06:59,110
and we can talk about it. Alright. News.
194
00:06:59,224 --> 00:07:01,224
Your news, my news, all the news. We
195
00:07:01,224 --> 00:07:02,985
have, like I wouldn't say a bunch of
196
00:07:02,985 --> 00:07:04,904
news. There were I wasn't sure what I
197
00:07:04,904 --> 00:07:06,504
was gonna talk about, and then yesterday, there
198
00:07:06,504 --> 00:07:07,564
were a bunch of announcements
199
00:07:07,944 --> 00:07:09,865
around a certain topic that I was like,
200
00:07:09,865 --> 00:07:11,305
oh, this is fun. But then you had
201
00:07:11,305 --> 00:07:12,664
some too. What do you wanna talk about
202
00:07:12,664 --> 00:07:14,410
first? We start wherever
203
00:07:14,949 --> 00:07:16,550
you would like. You want to start on
204
00:07:16,550 --> 00:07:18,089
the Azure side or
205
00:07:18,389 --> 00:07:20,389
the M365 side? Or I guess kind of
206
00:07:20,389 --> 00:07:22,230
both, right? So you had some Sentinel stuff
207
00:07:22,230 --> 00:07:24,330
in there, but Yeah. Mine is more like
208
00:07:24,550 --> 00:07:26,709
crossover. It's all Sentinel stuff, which could be
209
00:07:26,709 --> 00:07:28,214
either or. Why don't we start with some
210
00:07:28,214 --> 00:07:30,055
Sentinel stuff and see where it takes us?
211
00:07:30,055 --> 00:07:32,134
The first one, this is one let me
212
00:07:32,134 --> 00:07:34,214
go up to here. Sentinel Data Lake. Have
213
00:07:34,214 --> 00:07:36,214
you seen how you can start, like, just
214
00:07:36,214 --> 00:07:37,894
turning on Sentinel now to go into Data
215
00:07:37,894 --> 00:07:39,574
Lake? This was in preview for the last
216
00:07:39,574 --> 00:07:41,735
couple months or so. Lots of services are
217
00:07:41,735 --> 00:07:44,319
starting to do this, right? They're taking their
218
00:07:44,379 --> 00:07:48,379
kinda their more formal structured data and then
219
00:07:48,379 --> 00:07:51,180
giving you the opportunity to, like, either export
220
00:07:51,180 --> 00:07:53,580
that structured data. So, like, maybe Yep. Like
221
00:07:53,580 --> 00:07:55,020
if Sentinel is being driven by a graph
222
00:07:55,020 --> 00:07:56,779
and a bunch of parquet files, things like
223
00:07:56,779 --> 00:07:58,675
that, or a Delta Lake, Delta Table in
224
00:07:58,675 --> 00:08:00,595
the background. Why not just let you push
225
00:08:00,595 --> 00:08:04,194
those artifacts over someplace else or also start
226
00:08:04,194 --> 00:08:06,995
to do, like, more granular exports and all
227
00:08:06,995 --> 00:08:08,675
sorts of good stuff like that? Like, got
228
00:08:08,675 --> 00:08:10,915
a storage account? Export. Here you go. I've
229
00:08:10,915 --> 00:08:12,355
had it in preview for a little bit,
230
00:08:12,355 --> 00:08:14,100
and I'm like, for what I have done
231
00:08:14,100 --> 00:08:15,540
so far with Sentinel, it didn't make a
232
00:08:15,540 --> 00:08:16,279
big difference,
233
00:08:16,740 --> 00:08:18,500
but I ran it in preview. Well, that
234
00:08:18,500 --> 00:08:22,100
is now GA'd. So yesterday, Septem well, not
235
00:08:22,100 --> 00:08:24,259
yesterday. This was September 30. A few days
236
00:08:24,259 --> 00:08:27,214
ago, beginning of the week, this Sentinel data
237
00:08:27,214 --> 00:08:28,435
lake is now
238
00:08:28,814 --> 00:08:31,395
generally available. So if you want to
239
00:08:31,855 --> 00:08:34,115
go turn that on, like, it's just a
240
00:08:34,174 --> 00:08:35,715
click click through
241
00:08:36,335 --> 00:08:36,835
the
242
00:08:37,215 --> 00:08:40,129
security center. So I don't think you can
243
00:08:40,129 --> 00:08:42,769
do this, and this ties back to one
244
00:08:42,769 --> 00:08:43,669
of our other announcements.
245
00:08:43,970 --> 00:08:45,809
If you go to Sentinel via Azure, like,
246
00:08:45,809 --> 00:08:47,009
if you go to Azure and search for
247
00:08:47,009 --> 00:08:47,509
Sentinel,
248
00:08:47,889 --> 00:08:51,264
I haven't seen this pop up there. But
249
00:08:51,264 --> 00:08:54,304
if you go to your security center in
250
00:08:54,464 --> 00:08:57,504
or Defender, I guess, security.microsoft.com,
251
00:08:57,504 --> 00:08:59,745
where Sentinel's gonna live down the road all
252
00:08:59,745 --> 00:09:00,804
the time anyways,
253
00:09:01,184 --> 00:09:03,345
you can go connect Sentinel there. And then
254
00:09:03,345 --> 00:09:05,904
once Sentinel's connected there, you get the option
255
00:09:05,904 --> 00:09:06,404
to
256
00:09:07,529 --> 00:09:10,169
go turn on data lake for Sentinel, and
257
00:09:10,169 --> 00:09:12,250
you still have to pick, like you're gonna
258
00:09:12,250 --> 00:09:13,769
still pay for it. You pick an Azure
259
00:09:13,769 --> 00:09:15,470
subscription, you pick a resource
260
00:09:15,850 --> 00:09:17,769
group, and click, and it goes and creates
261
00:09:17,769 --> 00:09:19,450
the data lake and wires it all up
262
00:09:19,450 --> 00:09:21,389
and connects it all. And
263
00:09:21,735 --> 00:09:23,735
based on what I've seen in Sentinel so
264
00:09:23,735 --> 00:09:25,195
far too, it isn't
265
00:09:25,654 --> 00:09:26,154
necessarily
266
00:09:26,774 --> 00:09:28,934
pushing it all over. Like, if I go
267
00:09:28,934 --> 00:09:31,014
look through Sentinel now, I have two different
268
00:09:31,014 --> 00:09:32,794
icons for some of my
269
00:09:33,174 --> 00:09:34,475
data tables in Sentinel,
270
00:09:34,850 --> 00:09:37,090
ones that are still in the typical log
271
00:09:37,090 --> 00:09:39,410
analytics and then a bunch of them that
272
00:09:39,410 --> 00:09:40,149
are now
273
00:09:40,690 --> 00:09:42,690
in Data Lake. Yeah. I think it'll be
274
00:09:42,690 --> 00:09:43,190
good.
275
00:09:43,730 --> 00:09:45,110
Certainly, there's
276
00:09:45,649 --> 00:09:48,450
that pesky cost component, right, of
277
00:09:48,450 --> 00:09:50,325
being in the cloud and running those things
278
00:09:50,325 --> 00:09:53,384
through. So there's things that I think customers
279
00:09:54,084 --> 00:09:55,464
would want to do
280
00:09:55,845 --> 00:09:56,345
with
281
00:09:57,284 --> 00:09:58,504
longer term trends
282
00:09:58,884 --> 00:10:00,485
based on some of these things. So maybe
283
00:10:00,485 --> 00:10:03,524
like anomalous user logins over time is really
284
00:10:03,524 --> 00:10:05,700
nice for the past couple days, it's nice
285
00:10:05,700 --> 00:10:06,679
for the past month,
286
00:10:07,059 --> 00:10:08,899
it could be nice to go back six
287
00:10:08,899 --> 00:10:10,899
months or a year. Maybe you wanna track
288
00:10:10,899 --> 00:10:12,360
some kind of like a
289
00:10:12,899 --> 00:10:15,860
KPI for yourself to improve your business or
290
00:10:15,860 --> 00:10:17,379
make sure that you're moving in the right
291
00:10:17,379 --> 00:10:17,879
direction.
292
00:10:18,225 --> 00:10:21,664
So for these systems, things like Sentinel that
293
00:10:21,664 --> 00:10:25,184
are generating a large amount of what's really
294
00:10:25,184 --> 00:10:26,964
just time series driven data.
295
00:10:27,345 --> 00:10:29,764
So here's a time, here's an event, and
296
00:10:29,985 --> 00:10:31,504
I'm sure the text of the event strippers,
297
00:10:31,504 --> 00:10:33,199
but to be able to go back in
298
00:10:33,199 --> 00:10:34,419
time over those things
299
00:10:34,959 --> 00:10:35,699
is important.
300
00:10:36,000 --> 00:10:38,399
And then it's also expensive to generate a
301
00:10:38,399 --> 00:10:40,000
bunch of time series data and have it
302
00:10:40,000 --> 00:10:42,319
just sitting there, especially in, like, some kind
303
00:10:42,319 --> 00:10:45,434
of, like, really hot, like, queryable
304
00:10:46,055 --> 00:10:48,774
thing. So Sentinel in the background, when you're
305
00:10:48,774 --> 00:10:51,495
writing, like, your queries, they're all KQL queries.
306
00:10:51,495 --> 00:10:53,095
Like, you don't have to go too high
307
00:10:53,415 --> 00:10:55,735
too far to imagine that, oh, it's just
308
00:10:55,735 --> 00:10:57,894
Azure Data Explorer in the back end, right,
309
00:10:57,894 --> 00:10:59,654
with all that. So you're dealing
310
00:10:59,654 --> 00:11:02,139
with those constraints and those things there. So
311
00:11:02,139 --> 00:11:04,379
it's nice to have the option to export
312
00:11:04,379 --> 00:11:07,259
it out, but then be able to continue
313
00:11:07,259 --> 00:11:09,179
to query it and do those things that
314
00:11:09,179 --> 00:11:11,839
you need to do, albeit with additional latency
315
00:11:12,059 --> 00:11:14,459
and things like that. But I think that's
316
00:11:14,459 --> 00:11:16,875
all good stuff. Gives customers
317
00:11:17,334 --> 00:11:18,154
more options
318
00:11:18,855 --> 00:11:21,674
and allows you also to do things like
319
00:11:21,735 --> 00:11:24,315
have these kinda longer term
320
00:11:24,774 --> 00:11:27,095
initiatives that you can actually track over time
321
00:11:27,095 --> 00:11:28,709
without having to, like, oh, no. I gotta
322
00:11:28,709 --> 00:11:30,149
export all the data for this month, right?
323
00:11:30,149 --> 00:11:31,750
Lay it in a spreadsheet, and if I
324
00:11:31,750 --> 00:11:33,029
don't do it next month or I do
325
00:11:33,029 --> 00:11:34,730
it on a different day, then it's inconsistent,
326
00:11:34,870 --> 00:11:36,870
things like that. That all goes away. Yeah.
327
00:11:36,870 --> 00:11:38,709
And there's some other updates that have come
328
00:11:38,709 --> 00:11:41,529
along with this. The whole article's there around
329
00:11:41,945 --> 00:11:44,365
different use cases for it, but some upgrades
330
00:11:44,464 --> 00:11:46,684
and benefits too when it comes
331
00:11:47,464 --> 00:11:50,264
to some of those enhancements around your notebooks
332
00:11:50,264 --> 00:11:51,004
in Sentinel.
333
00:11:51,784 --> 00:11:54,105
Yeah. Like you said, some cost benefits there
334
00:11:54,105 --> 00:11:55,084
to going into
335
00:11:55,705 --> 00:11:57,690
Data Lake. But then they also
336
00:11:58,330 --> 00:11:59,850
and this is what really caught my eye.
337
00:11:59,850 --> 00:12:01,370
Like, I was like, okay. Great. It went
338
00:12:01,370 --> 00:12:03,370
GA. But if you look on the GA
339
00:12:03,370 --> 00:12:03,870
announcement,
340
00:12:04,570 --> 00:12:07,049
it also you'll notice on the screen, and
341
00:12:07,049 --> 00:12:09,225
it talks about it in the announcement, they're
342
00:12:09,225 --> 00:12:11,725
also introducing some new platform capabilities
343
00:12:12,105 --> 00:12:15,384
built on Sentinel data lake. So once you
344
00:12:15,384 --> 00:12:17,144
get your data there, you're starting to do
345
00:12:17,144 --> 00:12:20,284
it, there is now a Sentinel graph.
346
00:12:20,585 --> 00:12:22,345
And we can talk about this. I've played
347
00:12:22,345 --> 00:12:24,629
with this a little bit. But then, also,
348
00:12:24,769 --> 00:12:28,049
an MCP server for Sentinel that's like a
349
00:12:28,049 --> 00:12:28,549
Microsoft
350
00:12:29,490 --> 00:12:32,370
native one. So we had talked about MCP
351
00:12:32,370 --> 00:12:35,490
servers a few episodes back, like the Lokka
352
00:12:35,490 --> 00:12:37,475
that Merill had created.
353
00:12:37,934 --> 00:12:39,295
I think I mentioned I had gone out
354
00:12:39,295 --> 00:12:40,975
and found, like, a third party Sentinel one
355
00:12:40,975 --> 00:12:42,735
because I was like, oh, a Sentinel MCP
356
00:12:42,735 --> 00:12:44,815
server would be kinda cool. And we talked
357
00:12:44,815 --> 00:12:46,995
about some of the security concerns, and, ironically,
358
00:12:47,054 --> 00:12:49,295
like, a week ago, I sent you an
359
00:12:49,295 --> 00:12:49,795
article
360
00:12:50,654 --> 00:12:54,100
as well from the first malicious MCP server
361
00:12:54,100 --> 00:12:56,600
found where it was stealing emails and rogue
362
00:12:57,059 --> 00:12:57,799
rogue postmark
363
00:12:58,259 --> 00:13:00,179
settings, and we kinda talked about that. Right?
364
00:13:00,179 --> 00:13:02,019
Like, you go grab a third party MCP
365
00:13:02,019 --> 00:13:04,100
server without looking at the code. What is
366
00:13:04,100 --> 00:13:06,580
it doing? Obviously, something like Sentinel you wanna
367
00:13:06,580 --> 00:13:09,375
trust. So seeing Microsoft come out with this
368
00:13:09,434 --> 00:13:12,075
MCP server as well, that was all kind
369
00:13:12,075 --> 00:13:14,175
of rolled into Data Lake's GA.
370
00:13:14,634 --> 00:13:16,394
Now you can go look at this graph
371
00:13:16,394 --> 00:13:19,274
in this MCP server as well if you
372
00:13:19,274 --> 00:13:22,019
wanna go swing over to Sentinel Data Lake.
373
00:13:22,019 --> 00:13:24,339
I wonder over time, I don't know if
374
00:13:24,339 --> 00:13:26,579
I think things will continue to like kind
375
00:13:26,579 --> 00:13:29,620
of churn and consolidate still. So we've seen
376
00:13:29,620 --> 00:13:31,720
a bunch of this at least with the
377
00:13:32,334 --> 00:13:34,735
things like the Kusto MCP server. Like, there
378
00:13:34,735 --> 00:13:36,414
was a Kusto one, and then it got
379
00:13:36,414 --> 00:13:38,414
rolled into the Fabric one. Fabric one's out
380
00:13:38,414 --> 00:13:40,174
there. Now you have a Sentinel one.
381
00:13:40,174 --> 00:13:42,575
You have all these different, like, flavors and
382
00:13:42,575 --> 00:13:45,294
variations as folks are chasing things. Like, I
383
00:13:45,294 --> 00:13:47,455
do wonder or and I also kinda hope
384
00:13:47,455 --> 00:13:49,910
over time that it does consolidate a little
385
00:13:49,910 --> 00:13:51,430
bit. I don't know how it's
386
00:13:51,430 --> 00:13:53,430
getting for you since we did that MCP
387
00:13:53,430 --> 00:13:56,090
episode. I just have more and more MCP
388
00:13:56,309 --> 00:13:58,550
servers that are, like, going in. And for
389
00:13:58,550 --> 00:14:01,269
every MCP server that's being added into my
390
00:14:01,269 --> 00:14:03,855
client that I'm working in that day, like
391
00:14:03,855 --> 00:14:05,855
VS Code, things like that, it's also getting
392
00:14:05,855 --> 00:14:06,674
really hard
393
00:14:08,014 --> 00:14:10,815
to wrangle the servers, especially the ones that
394
00:14:10,815 --> 00:14:13,774
have lots of tools associated with them. So
395
00:14:13,774 --> 00:14:15,695
I think the Azure MCP server is actually
396
00:14:15,695 --> 00:14:17,215
a good example of this because it's got,
397
00:14:17,215 --> 00:14:19,169
like, tools for a whole bunch of different
398
00:14:19,169 --> 00:14:19,990
Azure services.
399
00:14:20,529 --> 00:14:22,690
And I think at one point, it had,
400
00:14:22,690 --> 00:14:24,690
like, 40 plus tools in it. So you're
401
00:14:24,690 --> 00:14:26,709
sitting here trying to figure out, like, okay.
402
00:14:26,769 --> 00:14:28,209
I'm having a chat with this LLM. I
403
00:14:28,209 --> 00:14:30,450
wanted to farm out some knowledge to this
404
00:14:30,450 --> 00:14:32,230
MCP or this set of MCPs.
405
00:14:33,825 --> 00:14:35,424
But I now I need to be, like,
406
00:14:35,424 --> 00:14:36,865
really constrained and figure out how to get
407
00:14:36,865 --> 00:14:37,524
it into
408
00:14:38,065 --> 00:14:39,504
even the right tool or the right
409
00:14:39,504 --> 00:14:41,745
space. So stuff like this is gonna I
410
00:14:41,745 --> 00:14:44,304
wonder, like, do you find it confusing in
411
00:14:44,304 --> 00:14:46,065
this world of saying, like, hey. I have
412
00:14:46,065 --> 00:14:48,700
an MCP for Sentinel, which is doing this
413
00:14:48,700 --> 00:14:50,480
graph thing. I have an MCP for
414
00:14:50,860 --> 00:14:52,940
the Microsoft Graph. I have an MCP for
415
00:14:52,940 --> 00:14:55,440
LearnDocs. I have an MCP for Kusto,
416
00:14:55,820 --> 00:14:58,539
like, all these different thing or Fabric. Right.
417
00:14:58,539 --> 00:15:00,879
Are you finding that hard to rationalize
418
00:15:01,019 --> 00:15:03,174
along the way? Like, I've started like, I
419
00:15:03,174 --> 00:15:04,855
was just going in and, like, turning on
420
00:15:04,855 --> 00:15:06,855
all my MCP servers, like, every time I
421
00:15:06,855 --> 00:15:09,654
started VS Code, and now I'm actually being,
422
00:15:09,654 --> 00:15:12,054
like, more careful about that. Like, alright. Always
423
00:15:12,054 --> 00:15:14,054
gonna start, like, the learn docs one because
424
00:15:14,054 --> 00:15:15,894
that's easy. It's a remote server. Boom, boom,
425
00:15:15,894 --> 00:15:17,575
out Yeah. Out. No problem. But some of
426
00:15:17,575 --> 00:15:18,990
the other ones, like, you really do have
427
00:15:18,990 --> 00:15:21,353
to kinda pick and choose. But then it
428
00:15:21,353 --> 00:15:23,716
makes me wonder, alright. Great. I had to
429
00:15:23,716 --> 00:15:26,079
do that just to make my own life
430
00:15:26,079 --> 00:15:28,443
easier, but now what am I missing out
431
00:15:28,443 --> 00:15:30,806
on by not turning them all out? Do
432
00:15:30,806 --> 00:15:33,169
you feel overwhelmed by trying to manage your
433
00:15:33,169 --> 00:15:35,384
Office 365 environment? Are you
434
00:15:35,384 --> 00:15:38,684
facing unexpected issues that disrupt your company's productivity?
435
00:15:38,985 --> 00:15:40,904
Intelligink is here to help. Much like you
436
00:15:40,904 --> 00:15:42,825
take your car to the mechanic that has
437
00:15:42,825 --> 00:15:44,904
specialized knowledge on how to best keep your
438
00:15:44,904 --> 00:15:47,950
car running, Intelligink helps you with your Microsoft
439
00:15:48,009 --> 00:15:50,269
cloud environment because that's their expertise.
440
00:15:50,649 --> 00:15:52,889
Intelligink keeps up with the latest updates in
441
00:15:52,889 --> 00:15:55,129
the Microsoft cloud to help keep your business
442
00:15:55,129 --> 00:15:57,370
running smoothly and ahead of the curve. Whether
443
00:15:57,370 --> 00:15:59,370
you are a small organization with just a
444
00:15:59,370 --> 00:16:19,169
few users up to an organization liligink.com/podcast
445
00:16:19,549 --> 00:16:21,709
for more information or to schedule a thirty
446
00:16:21,709 --> 00:16:23,730
minute call to get started with them today.
447
00:16:24,029 --> 00:16:27,389
Remember, Intelligink focuses on the Microsoft cloud so
448
00:16:27,389 --> 00:16:29,024
you can focus on your business.
449
00:16:31,585 --> 00:16:34,085
Some of that the other thing I've seen
450
00:16:34,384 --> 00:16:35,825
and I just ran into this the other
451
00:16:35,825 --> 00:16:37,585
day when I started playing with this MCP
452
00:16:37,585 --> 00:16:39,665
server, and we can go talk about this
453
00:16:39,665 --> 00:16:41,345
a little bit more. And how to turn
454
00:16:41,345 --> 00:16:43,605
this one on, because this was interesting, is
455
00:16:43,809 --> 00:16:45,970
I added this one and I went to
456
00:16:45,970 --> 00:16:49,509
go ask a query about Sentinel, and it
457
00:16:49,570 --> 00:16:50,070
hit
458
00:16:50,610 --> 00:16:53,330
my local MCP server because I didn't at
459
00:16:53,330 --> 00:16:56,394
mention the specific MCP server. So there's that
460
00:16:56,394 --> 00:16:58,154
trade off to, like, what you said is,
461
00:16:58,154 --> 00:16:58,654
one,
462
00:16:59,115 --> 00:17:00,554
if you don't turn them all on, what
463
00:17:00,554 --> 00:17:02,075
are you missing? Or if you do turn
464
00:17:02,075 --> 00:17:03,615
them all on, as
465
00:17:03,995 --> 00:17:06,634
you ask AI questions, does it end up
466
00:17:06,634 --> 00:17:08,954
going to the wrong MCP server when you
467
00:17:08,954 --> 00:17:10,420
want it? Like, does it go to Graph
468
00:17:10,420 --> 00:17:11,700
when you want it to go pull from
469
00:17:11,700 --> 00:17:14,420
Sentinel? Or maybe it was just me. I
470
00:17:14,420 --> 00:17:15,940
had to be a little bit more specific
471
00:17:15,940 --> 00:17:16,680
in my query,
472
00:17:17,220 --> 00:17:17,700
but there's
473
00:17:18,580 --> 00:17:20,420
it is. One of them is just, how
474
00:17:20,420 --> 00:17:22,180
do I make sure I'm going to the
475
00:17:22,180 --> 00:17:24,204
right MCP server at the right time?
476
00:17:24,204 --> 00:17:25,825
How am I not missing out on it?
477
00:17:26,045 --> 00:17:26,545
Absolutely
478
00:17:27,085 --> 00:17:29,724
an additional cognitive load there, I think, around
479
00:17:29,724 --> 00:17:32,545
MCP servers. And the other one I found,
480
00:17:32,605 --> 00:17:35,005
and this was the first time I've kinda
481
00:17:35,005 --> 00:17:37,769
hit this one, is when you go look
482
00:17:37,769 --> 00:17:40,430
at this MCP server for Sentinel,
483
00:17:40,890 --> 00:17:43,869
they only give you steps on how
484
00:17:44,650 --> 00:17:47,289
to leverage this one with Visual Studio Code.
485
00:17:47,289 --> 00:17:50,075
And this is a remote MCP server. It's
486
00:17:50,075 --> 00:17:54,015
sentinel.microsoft.com/mcp/data-exploration.
487
00:17:54,634 --> 00:17:57,694
And I tried to go add this one
488
00:17:57,755 --> 00:17:58,255
to
489
00:17:58,954 --> 00:18:01,674
Claude, and I couldn't figure out a way
490
00:18:01,674 --> 00:18:02,430
to do it
491
00:18:02,830 --> 00:18:05,890
because it uses some it appears
492
00:18:06,509 --> 00:18:08,930
that it uses some of the underlying authentication
493
00:18:09,309 --> 00:18:09,809
mechanisms
494
00:18:10,190 --> 00:18:12,590
in Visual Studio Code. Like, if I go
495
00:18:12,590 --> 00:18:14,190
add this to Claude and try to query
496
00:18:14,190 --> 00:18:16,269
it, I don't get the prompts. Like, there's
497
00:18:16,269 --> 00:18:18,664
no way to, like, set up an authentication
498
00:18:18,805 --> 00:18:20,644
mechanism to it, no way to set up
499
00:18:20,644 --> 00:18:22,105
a service principal to it,
500
00:18:22,485 --> 00:18:24,585
nowhere to say, like, go enter a username
501
00:18:25,045 --> 00:18:27,384
that I could find or trigger in Claude.
502
00:18:27,605 --> 00:18:29,045
But when you go add it to Visual
503
00:18:29,045 --> 00:18:30,585
Studio Code and
504
00:18:31,150 --> 00:18:32,829
the first time you add it, it's like,
505
00:18:32,829 --> 00:18:35,069
oh, go log in to your Microsoft three
506
00:18:35,069 --> 00:18:37,549
sixty five tenant with your account. And I
507
00:18:37,549 --> 00:18:39,549
think there's some things going on there where
508
00:18:39,549 --> 00:18:40,769
I couldn't actually
509
00:18:41,150 --> 00:18:44,210
add this to anything but Visual Studio Code.
510
00:18:44,484 --> 00:18:44,984
And
511
00:18:45,524 --> 00:18:47,464
then obviously you have to have
512
00:18:47,845 --> 00:18:50,644
GitHub Copilot in order to use it versus
513
00:18:50,644 --> 00:18:52,884
using another LLM that I have. It's hard.
514
00:18:52,884 --> 00:18:54,264
Like there's niceties
515
00:18:55,204 --> 00:18:56,345
to being in
516
00:18:57,044 --> 00:18:57,544
these
517
00:18:57,849 --> 00:19:01,049
systems that do require, like, authentication authorization, like,
518
00:19:01,049 --> 00:19:02,169
just to be able to do, like, the
519
00:19:02,169 --> 00:19:04,190
quick, like, fire and forget to enter,
520
00:19:04,649 --> 00:19:07,069
do your sign-in, OAuth, end to end
521
00:19:07,369 --> 00:19:09,369
all the way. So typically in, like, at
522
00:19:09,369 --> 00:19:11,049
least the way it works in, like, the
523
00:19:11,049 --> 00:19:11,549
SDKs
524
00:19:12,494 --> 00:19:14,494
for Azure and things like that is there
525
00:19:14,575 --> 00:19:16,835
there's a class in the identity SDK
526
00:19:17,375 --> 00:19:19,694
that composes an object, and it's called
527
00:17:19,694 --> 00:17:22,255
DefaultAzureCredential. And it's just this magical thing
528
00:19:22,255 --> 00:19:24,414
where, like, you you put, I wanna use
529
00:19:24,414 --> 00:19:27,519
DefaultAzureCredential to sign in, and then
530
00:19:27,519 --> 00:19:29,279
it just kinda figures out based on the
531
00:19:29,279 --> 00:19:31,119
client it's on. So you can
532
00:19:31,119 --> 00:19:32,099
write, like, an application,
533
00:19:32,480 --> 00:19:34,400
say, with, like, the dot net SDK for
534
00:19:34,400 --> 00:19:36,400
Azure for any Azure service, and say, I
535
00:19:36,400 --> 00:19:39,119
wanna use DefaultAzureCredential. You
536
00:19:39,519 --> 00:19:41,904
compile it as an executable, throw that executable
537
00:19:42,125 --> 00:19:43,345
on an Azure VM,
538
00:19:43,884 --> 00:19:45,184
and it will,
539
00:19:45,565 --> 00:19:47,884
like, automatically know that, hey, I'm on a
540
00:19:47,884 --> 00:19:49,265
VM in Azure, and
541
00:19:49,884 --> 00:19:52,065
I should try MSI authentication,
542
00:19:52,819 --> 00:19:54,339
and try and come through that way. Oh,
543
00:19:54,339 --> 00:19:56,579
MSI failed. Okay. Let me pop up a
544
00:19:56,579 --> 00:19:59,059
user prompt and come through. So sometimes it's
545
00:19:59,059 --> 00:20:01,059
the way, like, developers are building them, Randall.
546
00:20:01,059 --> 00:20:02,660
Like, so if they use something like
547
00:20:02,660 --> 00:20:03,480
DefaultAzureCredential,
548
00:20:04,019 --> 00:20:06,900
then it's got, like, that weird underlying behavior,
549
00:20:06,900 --> 00:20:08,579
which has a bunch of niceties to it,
550
00:20:08,579 --> 00:20:10,154
but you kinda gotta, like, know how the
551
00:20:10,154 --> 00:20:12,634
niceties work and how to land your app
552
00:20:12,634 --> 00:20:13,534
in the right place.
553
00:20:13,835 --> 00:20:16,075
So I wonder if it's some of that
554
00:20:16,075 --> 00:20:16,815
kind of stuff
555
00:20:17,355 --> 00:20:19,934
over just being, like, it's not, like, malicious
556
00:20:20,075 --> 00:20:20,575
intent
557
00:20:20,960 --> 00:20:23,039
to lock you out. It's like, hey. There's
558
00:20:23,039 --> 00:20:24,980
this ecosystem of stuff, and
559
00:20:25,440 --> 00:20:28,480
the people building the stuff also kinda leverage
560
00:20:28,480 --> 00:20:29,380
the same ecosystem.
561
00:20:30,079 --> 00:20:31,700
So while you're out there
562
00:20:32,000 --> 00:20:34,960
maybe saying, hey. I'm an Azure customer. Okay.
563
00:20:34,960 --> 00:20:37,015
Hey. We're all Azure customers. I hope we're
564
00:20:37,015 --> 00:20:39,255
all out there building our services on top
565
00:20:39,255 --> 00:20:41,734
of these things as well and building these
566
00:20:41,734 --> 00:20:42,234
capabilities
567
00:20:42,535 --> 00:20:44,775
and all that out there. So it could
568
00:20:44,775 --> 00:20:47,414
also be things like the clients are also
569
00:20:47,414 --> 00:20:50,375
in various states. So the Claude desktop
570
00:20:50,375 --> 00:20:50,875
client
571
00:20:51,349 --> 00:20:52,650
is constantly iterating,
572
00:20:53,430 --> 00:20:55,690
as is, like, the desktop client for Perplexity,
573
00:20:55,830 --> 00:20:57,990
for Copilot, for ChatGPT, all these
574
00:20:57,990 --> 00:20:59,509
things. Right? Like, every single day they get
575
00:20:59,509 --> 00:21:01,269
an update, they might just need to update
576
00:21:01,269 --> 00:21:02,730
to allow things like
577
00:21:03,109 --> 00:21:04,565
the pop ups for authentication
578
00:21:04,944 --> 00:21:07,184
and everything else that comes through there. The
579
00:21:07,184 --> 00:21:09,105
other place this will integrate to is Security
580
00:21:09,105 --> 00:21:11,664
Copilot. Like, they also mentioned that. The Sentinel
581
00:21:11,664 --> 00:21:14,404
MCP server is gonna have native integration with
582
00:21:14,704 --> 00:21:17,039
Security Copilot, but I don't know about you.
583
00:21:17,039 --> 00:21:19,679
I'd rather pay $20 a month for Copilot
584
00:21:19,679 --> 00:21:20,179
GitHub
585
00:21:20,559 --> 00:21:22,259
than $20,000
586
00:21:22,639 --> 00:21:23,139
for
587
00:21:23,440 --> 00:21:26,720
Security Copilot. Obviously, other benefits with Security Copilot,
588
00:21:26,720 --> 00:21:28,639
people that have it, you'd wanna have this
589
00:21:28,639 --> 00:21:31,414
in there. But to me, this was I'm
590
00:21:31,414 --> 00:21:33,275
still kinda curious to see
591
00:21:33,734 --> 00:21:35,994
where Security Copilot goes because
592
00:21:36,375 --> 00:21:37,595
while there's other functionality
593
00:21:37,894 --> 00:21:38,954
in there, as
594
00:21:39,414 --> 00:21:41,815
these MCP servers continue to grow and you
595
00:21:41,815 --> 00:21:42,714
look at the Graph MCP
596
00:21:43,174 --> 00:21:44,315
server and
597
00:21:44,640 --> 00:21:46,980
now you have the MCP server for Sentinel,
598
00:21:47,599 --> 00:21:48,339
if other
599
00:21:48,720 --> 00:21:49,460
third parties
600
00:21:49,839 --> 00:21:52,240
that you can integrate with I don't know.
601
00:21:52,240 --> 00:21:53,920
Like, if you integrate other third parties with
602
00:21:53,920 --> 00:21:56,640
Sentinel and you can do an MCP server
603
00:21:56,640 --> 00:21:57,299
with Sentinel,
604
00:21:58,205 --> 00:22:00,305
you lose some of the built in functionality
605
00:22:00,445 --> 00:22:03,005
in different places of Security Copilot, but to
606
00:22:03,005 --> 00:22:04,144
me, this lessens
607
00:22:04,445 --> 00:22:07,404
the need for something like Security Copilot. Maybe
608
00:22:07,404 --> 00:22:09,644
I'm not supposed to say that, but that's
609
00:22:09,644 --> 00:22:11,380
what I'm seeing. Like I have less and
610
00:22:11,380 --> 00:22:13,220
less of a need for Security Copilot because
611
00:22:13,220 --> 00:22:16,099
of MCPs. I think the world of the
612
00:22:16,099 --> 00:22:18,839
agentic stuff, it's going to continue to morph
613
00:22:19,059 --> 00:22:21,000
and continue to change.
614
00:22:21,380 --> 00:22:23,160
It's one of those places where
615
00:22:23,539 --> 00:22:25,160
I don't even know that
616
00:22:25,845 --> 00:22:26,825
service providers,
617
00:22:27,804 --> 00:22:28,304
like
618
00:22:29,285 --> 00:22:30,404
none of us know where it's going to
619
00:22:30,404 --> 00:22:31,704
end up, basically.
620
00:22:32,284 --> 00:22:32,784
So
621
00:22:33,365 --> 00:22:36,505
everybody's racing to create these kinds of experiences,
622
00:22:36,644 --> 00:22:39,204
but they're going to continue to change over
623
00:22:39,204 --> 00:22:39,704
time.
624
00:22:40,359 --> 00:22:41,259
Like, this whole
625
00:22:41,640 --> 00:22:44,059
local versus remote MCP server,
626
00:22:44,519 --> 00:22:46,460
that's not fully baked,
627
00:22:46,759 --> 00:22:49,179
and that's not a done deal
628
00:22:49,640 --> 00:22:51,019
as to the way that composes.
629
00:22:51,480 --> 00:22:52,515
But I do think it offers,
630
00:23:01,875 --> 00:23:03,795
integrates over there is just add a tool.
631
00:23:03,795 --> 00:23:05,634
Right? Like, you're not adding an MCP server.
632
00:23:05,634 --> 00:23:07,474
You're adding a tool. What's it using in
633
00:23:07,474 --> 00:23:10,700
the background? The MCP server. So now we're
634
00:23:10,700 --> 00:23:14,460
starting to equate local MCP server with tools
635
00:23:14,460 --> 00:23:16,559
and resources and all the things in them.
636
00:23:16,700 --> 00:23:18,799
That same kind of nomenclature
637
00:23:19,579 --> 00:23:20,079
and
638
00:23:20,700 --> 00:23:23,839
architecture is coming to these cloud based
639
00:23:24,274 --> 00:23:27,075
and SaaS based things as well. I think
640
00:23:27,075 --> 00:23:27,734
you'll see
641
00:23:28,115 --> 00:23:30,534
more and more of this, like this mix
642
00:23:31,474 --> 00:23:32,694
of remote MCP
643
00:23:33,315 --> 00:23:35,575
and then some other piece of functionality
644
00:23:36,115 --> 00:23:37,815
in a part of the service itself
645
00:23:38,279 --> 00:23:41,240
or in, like, a parallel service. Oh, like,
646
00:23:41,240 --> 00:23:43,019
great. Now I can use that too
647
00:23:43,400 --> 00:23:44,299
and come across.
648
00:23:44,680 --> 00:23:46,359
What'll be interesting to see is, like, a
649
00:23:46,359 --> 00:23:48,440
year from now, is, like, MCP server is
650
00:23:48,440 --> 00:23:50,600
even a thing, or did we all settle
651
00:23:50,600 --> 00:23:53,285
on just exposing, like, the tools through, like,
652
00:23:53,285 --> 00:23:55,845
some other endpoint mechanism or things like that?
653
00:23:55,845 --> 00:23:56,345
Like,
654
00:23:56,805 --> 00:23:58,404
I don't know. TBD. We'll see where it
655
00:23:58,404 --> 00:24:00,244
all ends up. It'll be interesting. Shall be
656
00:24:00,244 --> 00:24:02,164
weird for a while. It's kinda like a
657
00:24:02,164 --> 00:24:03,625
fun ride though if you're a technologist.
658
00:24:03,924 --> 00:24:04,744
Oh, absolutely.
659
00:24:05,179 --> 00:24:06,619
So and then the third should we dive
660
00:24:06,619 --> 00:24:08,539
into the third one? The Sentinel Graph. This
661
00:24:08,539 --> 00:24:10,700
was kind of a cool one, and this
662
00:24:10,700 --> 00:24:13,359
is also in public preview now where
663
00:24:13,900 --> 00:24:16,220
now within Sentinel, we've always been able to
664
00:24:16,220 --> 00:24:18,059
do KQL queries, right, where you can go
665
00:24:18,059 --> 00:24:20,975
in and query stuff and get your results
666
00:24:20,975 --> 00:24:22,654
however you query it. And you could go
667
00:24:22,654 --> 00:24:24,815
look at incidents and kind of within different
668
00:24:24,815 --> 00:24:27,295
incidents, you're able to see connections between different
669
00:24:27,295 --> 00:24:29,394
events and different devices and all of that.
670
00:24:29,695 --> 00:24:32,575
What this does is it allows you to
671
00:24:32,575 --> 00:24:34,115
go do a,
672
00:24:34,589 --> 00:24:37,169
essentially, a graph based query
673
00:24:37,549 --> 00:24:40,509
against your Sentinel data. So instead of, like,
674
00:24:40,509 --> 00:24:42,190
waiting for an incident to occur and then
675
00:24:42,190 --> 00:24:44,029
seeing all the connections for the incident or
676
00:24:44,029 --> 00:24:45,789
instead of just writing a KQL query and
677
00:24:45,789 --> 00:24:48,190
getting data back, you can go in and
678
00:24:48,190 --> 00:24:48,690
this
679
00:24:49,144 --> 00:24:50,664
I'm trying to think if there's a screenshot
680
00:24:50,664 --> 00:24:51,404
in here
681
00:24:51,704 --> 00:24:54,024
where you can this is probably a decent
682
00:24:54,024 --> 00:24:55,784
one that I have on my screen. But
683
00:24:55,784 --> 00:24:56,444
for people
684
00:24:56,825 --> 00:24:57,325
listening,
685
00:24:57,944 --> 00:25:00,105
I could go in and it's preview, so
686
00:25:00,105 --> 00:25:01,625
it was somewhat limited, but I could say,
687
00:25:01,625 --> 00:25:03,600
like, show me this device, and I just
688
00:25:03,600 --> 00:25:05,519
picked two devices. You can pick two different
689
00:25:05,519 --> 00:25:08,640
entities. But I picked my laptop and I
690
00:25:08,640 --> 00:25:11,440
picked my desktop, and I said, show me
691
00:25:11,440 --> 00:25:14,160
the relationship between them, and it essentially created
692
00:25:14,160 --> 00:25:17,299
a graph with all the different ways
693
00:25:17,845 --> 00:25:20,164
these two devices were linked together, whether it
694
00:25:20,164 --> 00:25:22,805
was through users or linked together. I think
695
00:25:22,805 --> 00:25:25,045
it showed, like, my user account was one
696
00:25:25,045 --> 00:25:27,384
link. I think it maybe showed, like, Intune
697
00:25:27,525 --> 00:25:30,585
as another link between them or other services.
698
00:25:30,725 --> 00:25:31,365
So it was
699
00:25:32,130 --> 00:25:33,570
gave me, I would say, more of a
700
00:25:33,570 --> 00:25:36,230
proactive way to say, okay. So if this
701
00:25:36,369 --> 00:25:37,750
device was compromised,
702
00:25:38,369 --> 00:25:40,130
what are all the ways it could be
703
00:25:40,130 --> 00:25:42,930
linked to this other device, or what are
704
00:25:42,930 --> 00:25:45,109
all the ways my user is linked to
705
00:25:45,410 --> 00:25:48,634
different entities? And instead of giving me tabular
706
00:25:48,634 --> 00:25:51,295
data, it gave me a graph, a view
707
00:25:51,355 --> 00:25:52,494
of connections
708
00:25:52,954 --> 00:25:54,954
between different things in my tenant. If I
709
00:25:54,954 --> 00:25:57,134
was reading between the lines on this one,
710
00:25:57,194 --> 00:25:57,694
because
711
00:25:58,474 --> 00:26:00,875
we're back to the whole, like, KQL thing
712
00:26:00,875 --> 00:26:03,329
and what's it used under the hood, what's
713
00:26:03,329 --> 00:26:06,069
a capability that recently came to
714
00:26:06,450 --> 00:26:09,730
Azure Data Explorer and to Kusto? Well, a
715
00:26:09,730 --> 00:26:12,069
capability that recently came to Kusto
716
00:26:12,450 --> 00:26:12,950
is
717
00:26:13,250 --> 00:26:14,470
the ability to
718
00:26:14,849 --> 00:26:15,349
execute
719
00:26:15,809 --> 00:26:16,309
queries
720
00:26:17,434 --> 00:26:18,734
with graph models.
721
00:26:19,275 --> 00:26:20,414
So taking
722
00:26:20,875 --> 00:26:22,095
database objects
723
00:26:22,554 --> 00:26:23,054
that
724
00:26:23,914 --> 00:26:24,414
represent
725
00:26:24,795 --> 00:26:27,275
your property graph and that are stored in
726
00:26:27,275 --> 00:26:29,835
Data Explorer and then being able to bounce
727
00:26:29,835 --> 00:26:30,335
those
728
00:26:30,809 --> 00:26:31,789
against each other.
729
00:26:32,329 --> 00:26:34,029
So if you can do it in KQL
730
00:26:34,089 --> 00:26:35,690
and you can get at it, you might
731
00:26:35,690 --> 00:26:37,549
be able to do some even more interesting
732
00:26:37,609 --> 00:26:40,089
things with it along the way. And if
733
00:26:40,089 --> 00:26:42,169
you're into it, I'd recommend going and reading
734
00:26:42,169 --> 00:26:44,750
the Kusto documentation for graph models
735
00:26:45,295 --> 00:26:46,575
and seeing kinda
736
00:26:47,214 --> 00:26:49,134
if you can wrap your head around a
737
00:26:49,134 --> 00:26:50,335
little bit. How do I run that? They
738
00:26:50,335 --> 00:26:52,355
have some good, like, working examples
739
00:26:52,815 --> 00:26:55,535
and things in there. So but absolutely. So
740
00:26:55,535 --> 00:26:58,434
so KQL now has
741
00:26:58,750 --> 00:27:00,829
a graph, right? So much like you'd have
742
00:27:00,829 --> 00:27:03,150
like a database or table name kind of
743
00:27:03,150 --> 00:27:05,150
thing. You have a graph out there, so
744
00:27:05,150 --> 00:27:07,470
there's an object for graphs, and then you
745
00:27:07,950 --> 00:27:10,269
and you know how you have like where
746
00:27:10,269 --> 00:27:13,089
clauses and summarizes and things like that.
747
00:27:13,315 --> 00:27:15,575
There's also now a graph match,
748
00:27:16,035 --> 00:27:16,535
and
749
00:27:16,835 --> 00:27:19,555
so it's basically graph match, what's the pattern
750
00:27:19,555 --> 00:27:22,994
you input where these filters are true, and
751
00:27:22,994 --> 00:27:23,974
then output
752
00:27:24,355 --> 00:27:25,174
these fields
753
00:27:25,690 --> 00:27:26,509
based on
754
00:27:26,809 --> 00:27:28,730
the graph and how it comes together. The
755
00:27:28,730 --> 00:27:31,849
syntax is really weird and kinda wild. Like,
756
00:27:31,849 --> 00:27:34,250
it is not like other KQL syntax at
757
00:27:34,250 --> 00:27:36,250
all, when you especially when you're doing, like,
758
00:27:36,250 --> 00:27:38,490
the filtering and things like that, but it
759
00:27:38,490 --> 00:27:40,904
works pretty well. I've been playing around with
760
00:27:40,904 --> 00:27:42,744
it for some other stuff. I wonder if
761
00:27:42,744 --> 00:27:44,204
this is even using
762
00:27:44,585 --> 00:27:46,505
and this might be kinda what even you're
763
00:27:46,505 --> 00:27:48,105
getting at it. If this is using that
764
00:27:48,105 --> 00:27:49,625
under the covers, if this is a little
765
00:27:49,625 --> 00:27:50,924
bit more of a UI
766
00:27:51,704 --> 00:27:52,204
interface,
767
00:27:52,730 --> 00:27:55,789
and then behind the scenes, it's creating those
768
00:27:55,849 --> 00:27:56,349
KQL
769
00:27:56,650 --> 00:27:58,730
graph type of queries. It'd be an easy
770
00:27:58,730 --> 00:28:00,170
thing to do or a smart thing to
771
00:28:00,170 --> 00:28:02,809
do if the underlying database
772
00:28:02,809 --> 00:28:04,509
engine provides for it, why not?
773
00:28:04,890 --> 00:28:07,275
Yeah. Lots of improvements around Sentinel and different
774
00:28:07,275 --> 00:28:09,835
things you can do, especially with the data
775
00:28:09,835 --> 00:28:10,494
lake integration
776
00:28:10,795 --> 00:28:12,414
going GA. They layered
777
00:28:12,795 --> 00:28:14,394
all of these on top of it. So
778
00:28:14,394 --> 00:28:16,715
all of this does depend on you having
779
00:28:16,715 --> 00:28:19,355
Sentinel and Defender, making that connection between your
780
00:28:19,355 --> 00:28:22,174
workspace and Defender, and then enabling the graph,
781
00:28:22,309 --> 00:28:24,230
and then you'll be able to go light
782
00:28:24,230 --> 00:28:26,230
this stuff up. And I've seen some things.
783
00:28:26,230 --> 00:28:28,069
I'm in a few security groups where people
784
00:28:28,069 --> 00:28:30,309
weren't getting it necessarily right away. It might
785
00:28:30,309 --> 00:28:32,169
take some time in preview,
786
00:28:32,549 --> 00:28:35,109
trickling out. Yep. SaaS rollouts, all that good
787
00:28:35,109 --> 00:28:37,829
stuff. Yeah. All that stuff. So no. These
788
00:28:37,829 --> 00:28:40,065
were some fun announcements in the last
789
00:28:40,524 --> 00:28:42,444
week or so that came out that I've
790
00:28:42,444 --> 00:28:44,044
started playing with. The nice thing about those
791
00:28:44,044 --> 00:28:46,044
data lakes too is like you mentioned, you're
792
00:28:46,044 --> 00:28:48,464
provisioning those within your own infrastructure.
793
00:28:49,085 --> 00:28:50,784
So, you know, it's your
794
00:28:51,085 --> 00:28:53,724
Azure subscription, your resource group, so you still
795
00:28:53,724 --> 00:28:56,869
get the choice over, like, where does that
796
00:28:56,929 --> 00:28:59,169
data lake reside? So if you have, like,
797
00:28:59,169 --> 00:29:00,549
data residency requirements,
798
00:29:01,490 --> 00:29:03,169
anything like that, you could spin that up.
799
00:29:03,169 --> 00:29:04,869
You can also choose your redundancy,
800
00:29:05,409 --> 00:29:07,490
everything like that you might wanna
801
00:29:07,490 --> 00:29:09,484
do. So it's nice to have kinda that
802
00:29:09,484 --> 00:29:11,484
level of control too, but just watch out
803
00:29:11,484 --> 00:29:13,644
because it is a PAYGo component. So it
804
00:29:13,644 --> 00:29:16,125
is kinda sitting out there now churning month
805
00:29:16,125 --> 00:29:17,725
over month or however long you turn it
806
00:29:17,725 --> 00:29:19,565
on for. Yep. And then I think Data
807
00:29:19,565 --> 00:29:21,904
Lake too, you'd get charged based on queries
808
00:29:22,045 --> 00:29:24,599
and how much you use it and yeah.
809
00:29:24,759 --> 00:29:26,919
All those same things apply. This is not
810
00:29:26,919 --> 00:29:29,339
a free data lake with your Azure subscription.
811
00:29:29,400 --> 00:29:32,619
It's a PAYGo data lake that they automatically
812
00:29:33,079 --> 00:29:35,240
connect up and ingest all the data and
813
00:29:35,240 --> 00:29:37,160
do that for you. Yeah. Compute still costs
814
00:29:37,160 --> 00:29:37,980
money. Yes.
815
00:29:38,384 --> 00:29:40,384
Alright. We've spent, like, a bunch of time
816
00:29:40,384 --> 00:29:41,505
on mine. Do you want to talk about
817
00:29:41,505 --> 00:29:43,265
yours anymore today, or should we save those
818
00:29:43,265 --> 00:29:45,664
for round two? Let's save them.
819
00:29:45,664 --> 00:29:47,345
I'm just going to talk about some
820
00:29:47,345 --> 00:29:49,744
Kubernetes stuff, so we'll do a kind of
821
00:29:49,744 --> 00:29:51,045
AKS ish day
822
00:29:51,380 --> 00:29:53,539
coming up in the future here. Sounds good.
823
00:29:53,539 --> 00:29:54,039
AKS
824
00:29:54,580 --> 00:29:56,360
ish. Yeah. There we go. AKS
825
00:29:57,940 --> 00:29:58,519
ish. Yeah.
826
00:29:58,980 --> 00:30:00,420
All that said, if you're gonna be at
827
00:30:00,420 --> 00:30:02,259
any conferences. Scott, I have a few
828
00:30:02,259 --> 00:30:03,940
conferences coming up. I'm still trying to get
829
00:30:03,940 --> 00:30:06,200
you to one. I'm down at Dev Intersections,
830
00:30:07,065 --> 00:30:10,345
Cybersecurity Intersections, which they added next week. So
831
00:30:10,345 --> 00:30:12,204
if you're down in Orlando at that one,
832
00:30:12,585 --> 00:30:13,085
October,
833
00:30:13,865 --> 00:30:16,105
like, six through ten or something. And then
834
00:30:16,105 --> 00:30:18,664
I did get accepted to go help proctor
835
00:30:18,664 --> 00:30:21,419
labs again at Ignite. So I'll be out
836
00:30:21,419 --> 00:30:23,140
at Oh, nice. Yeah. I'll be out at
837
00:30:23,140 --> 00:30:25,940
Ignite in November if anybody's going to be
838
00:30:25,940 --> 00:30:27,700
out there. And then I think I mentioned
839
00:30:27,700 --> 00:30:28,679
that I'm doing cybersecurity
840
00:30:29,380 --> 00:30:31,779
or not wow. Workplace Ninja is down in
841
00:30:31,779 --> 00:30:33,940
Dallas in December. So we're still working on
842
00:30:33,940 --> 00:30:36,115
getting you out to Ignite. We'll see, Scott.
843
00:30:36,115 --> 00:30:37,575
We need to get you out there yet.
844
00:30:38,994 --> 00:30:41,714
Yeah. Well, for the other stuff, give me
845
00:30:41,714 --> 00:30:42,855
some links, and
846
00:30:43,394 --> 00:30:44,914
I'll put them in the show notes. I
847
00:30:44,914 --> 00:30:46,194
will do that. So links to all those
848
00:30:46,194 --> 00:30:48,130
conferences will be in the show notes. Come
849
00:30:48,130 --> 00:30:49,429
find me and hopefully
850
00:30:49,809 --> 00:30:51,809
Scott at Ignite. And if you have any
851
00:30:51,809 --> 00:30:54,049
feedback for Scott, don't forget, let Scott know
852
00:30:54,049 --> 00:30:56,549
what mouse you should get. And any questions,
853
00:30:56,690 --> 00:30:57,190
comments,
854
00:30:58,049 --> 00:30:58,549
thoughts,
855
00:30:59,250 --> 00:31:02,210
future topics, future guests, we'd love to hear
856
00:31:02,210 --> 00:31:03,269
from people. So
857
00:31:03,654 --> 00:31:06,555
reach out. LinkedIn has turned into our social
858
00:31:07,015 --> 00:31:09,494
media platform of choice or we do still
859
00:31:09,494 --> 00:31:11,414
have the contact form on the website if
860
00:31:11,414 --> 00:31:12,535
you want to go there and fill that
861
00:31:12,535 --> 00:31:13,815
out as well. All good stuff. If you
862
00:31:13,815 --> 00:31:15,414
have complaints, only reach out to Ben though.
863
00:31:15,414 --> 00:31:19,710
Yes. My email address is
[email protected].
864
00:31:20,970 --> 00:31:22,329
Bring on the spam. It's a good thing
865
00:31:22,329 --> 00:31:24,410
your spam filter is good. It is. Hopefully,
866
00:31:24,410 --> 00:31:26,170
it won't get spam too much out of
867
00:31:26,170 --> 00:31:28,329
that. Alright. With that, Scott, go enjoy your
868
00:31:28,329 --> 00:31:29,849
weekend. Thanks, Ben. It's getting nice in Florida.
869
00:31:29,849 --> 00:31:31,609
Go enjoy some time outside. It's not It
870
00:31:31,609 --> 00:31:35,005
is. Stupid hot anymore. Although, it's we're under,
871
00:31:35,384 --> 00:31:37,785
marine watch tomorrow. So a small craft advisory
872
00:31:37,785 --> 00:31:39,545
here tomorrow, so can't go out on the
873
00:31:39,545 --> 00:31:41,945
boat. Oh, so enjoy time outdoors not on
874
00:31:41,945 --> 00:31:43,384
the boat. Go fly a kite on the
875
00:31:43,384 --> 00:31:45,569
beach. Marine advisory means wind for a kite.
876
00:31:45,569 --> 00:31:47,890
Right? It's getting windy already. Yeah. Well, thanks,
877
00:31:47,890 --> 00:31:49,569
Scott. Enjoy your weekend. We'll talk to you
878
00:31:49,569 --> 00:31:51,429
next time. You too. Thanks, Ben.
879
00:31:53,409 --> 00:31:54,789
If you enjoyed the podcast,
880
00:31:55,089 --> 00:31:56,690
go leave us a five star rating in
881
00:31:56,690 --> 00:31:58,769
iTunes. It helps to get the word out
882
00:31:58,769 --> 00:32:00,565
so more IT pros can learn about
883
00:32:00,565 --> 00:32:02,345
Office three sixty five and Azure.
884
00:32:02,884 --> 00:32:04,565
If you have any questions you want us
885
00:32:04,565 --> 00:32:06,725
to address on the show, or feedback about
886
00:32:06,725 --> 00:32:09,045
the show, feel free to reach out via
887
00:32:09,045 --> 00:32:11,305
our website, Twitter, or Facebook.
888
00:32:11,605 --> 00:32:13,445
Thanks again for listening, and have a great
889
00:32:13,445 --> 00:32:13,945
day.