1
00:00:03,439 --> 00:00:05,839
Welcome to episode 416
2
00:00:05,839 --> 00:00:08,960
of the Microsoft Cloud IT Pro podcast recorded
3
00:00:08,960 --> 00:00:11,539
live on 11/20/2025.
4
00:00:11,679 --> 00:00:13,919
This is a show about Microsoft three sixty
5
00:00:13,919 --> 00:00:16,045
five and Azure from the perspective of IT
6
00:00:16,045 --> 00:00:18,125
pros and end users, where we discuss a
7
00:00:18,125 --> 00:00:20,445
topic or recent news and how it relates
8
00:00:20,445 --> 00:00:22,925
to you. In this episode, I'm still live
9
00:00:22,925 --> 00:00:25,244
from Microsoft Ignite as I sit down with
10
00:00:25,244 --> 00:00:28,545
Henrik, a fellow Microsoft MVP in security,
11
00:00:28,845 --> 00:00:31,109
to record this episode. As we enjoy
12
00:00:31,109 --> 00:00:33,829
some sun in San Francisco, we spent some
13
00:00:33,829 --> 00:00:35,929
time talking about Microsoft Sentinel,
14
00:00:36,309 --> 00:00:38,710
Data Lake with Microsoft Sentinel, and some of
15
00:00:38,710 --> 00:00:41,429
the announcements from Ignite, as well as some
16
00:00:41,429 --> 00:00:43,725
of our experiences at the conference and things
17
00:00:43,804 --> 00:00:46,545
that we've enjoyed about being live in person
18
00:00:46,684 --> 00:00:47,265
at Ignite.
19
00:00:49,405 --> 00:00:52,125
So here we are sitting at Ignite, recording
20
00:00:52,125 --> 00:00:55,405
another show of the Microsoft Cloud IT Pro
21
00:00:55,405 --> 00:00:55,905
podcast
22
00:00:56,689 --> 00:00:58,070
without Scott because
23
00:00:58,449 --> 00:01:00,689
Scott has bailed on me this year. We've
24
00:01:00,689 --> 00:01:02,850
got carnival music going on the background, sitting
25
00:01:02,850 --> 00:01:04,609
on the sun in the streets of San
26
00:01:04,609 --> 00:01:07,909
Francisco. But since Scott wasn't here, I had
27
00:01:08,209 --> 00:01:10,549
Henrik join me. So he's a
28
00:01:11,005 --> 00:01:14,064
senior cloud specialist, a fellow security MVP.
29
00:01:14,685 --> 00:01:16,204
Well, we met how long have we known
30
00:01:16,204 --> 00:01:18,125
each other? Eight couple years now? Yeah. A
31
00:01:18,125 --> 00:01:19,645
couple of years. Yeah. Yeah. Because we both
32
00:01:19,724 --> 00:01:21,325
did you become an MVP about the same
33
00:01:21,325 --> 00:01:24,040
time I did? Yeah. Yeah. We kinda came
34
00:01:24,040 --> 00:01:27,239
MVPs together. You started as security. I started
35
00:01:27,239 --> 00:01:29,879
as Microsoft March, and then I joined the
36
00:01:29,879 --> 00:01:31,479
dark side, the good side. I don't know.
37
00:01:31,479 --> 00:01:33,159
Security support. The good side. The good side.
38
00:01:33,159 --> 00:01:34,599
Yeah. Do you wanna give a little bit
39
00:01:34,599 --> 00:01:37,239
of introduction, Henrik, just about you, who you
40
00:01:37,239 --> 00:01:39,395
are, where you work, where you
41
00:01:39,775 --> 00:01:42,114
live, how much you love Samsung's system.
42
00:01:42,415 --> 00:01:45,055
Yeah. I'll just start with introducing myself. My
43
00:01:45,055 --> 00:01:46,754
name is Henrik Wysig
44
00:01:47,295 --> 00:01:49,795
from Denmark, and I work at a bank
45
00:01:49,855 --> 00:01:52,594
in the financial sector. That's my doing.
46
00:01:52,950 --> 00:01:54,329
And my area
47
00:01:54,790 --> 00:01:57,510
is security because I'm a security MVP. Yeah.
48
00:01:57,510 --> 00:02:00,069
I work with the Sentinel and Defender, the
49
00:02:00,069 --> 00:02:02,869
whole Defender suite. So, yeah, basically, I love
50
00:02:02,869 --> 00:02:05,575
everything security. Alright. I mean, bank security is
51
00:02:05,575 --> 00:02:07,755
kind of important at banks, I think. Apparently,
52
00:02:07,814 --> 00:02:10,294
something about people's money. Yeah. They kinda like
53
00:02:10,294 --> 00:02:11,754
it to be safe and secure
54
00:02:12,135 --> 00:02:13,415
and not allowed to get in. And you
55
00:02:13,415 --> 00:02:15,014
live in Denmark. I mean, how much better
56
00:02:15,014 --> 00:02:16,854
is that? You live in the same country
57
00:02:16,854 --> 00:02:19,629
as Legoland. Yes. And fun fact is I
58
00:02:19,629 --> 00:02:20,129
actually
59
00:02:20,430 --> 00:02:23,490
I only live, like, the twenty minutes drive
60
00:02:23,629 --> 00:02:26,430
from LEGOLAND and LEGO headquarters. Okay. That's why
61
00:02:26,430 --> 00:02:27,949
I have a lot of LEGO at home.
62
00:02:27,949 --> 00:02:29,949
See, I keep forgetting this. One of these
63
00:02:29,949 --> 00:02:31,870
years, Henrik, I have you on record now.
64
00:02:31,870 --> 00:02:33,844
You're on the podcast. I would like a
65
00:02:33,844 --> 00:02:36,104
couple of those LEGO sets, like the headquarters
66
00:02:36,324 --> 00:02:38,004
and the tree that you can only get
67
00:02:38,004 --> 00:02:39,465
at LEGO headquarters. Yes.
68
00:02:39,844 --> 00:02:41,925
Any way you can arrange that? I won't
69
00:02:41,925 --> 00:02:43,544
put you on the spot on the podcast.
70
00:02:43,604 --> 00:02:45,444
Yeah. You'll have to show send me a
71
00:02:45,444 --> 00:02:47,044
picture of that. Send you a picture of
72
00:02:47,044 --> 00:02:49,260
the sets that I want? Yeah. Alright. I
73
00:02:49,260 --> 00:02:50,860
heard there's, like, those two sets that you
74
00:02:50,860 --> 00:02:53,199
can only buy at LEGO headquarters
75
00:02:53,580 --> 00:02:55,919
in Denmark. There is there is a collectible.
76
00:02:55,980 --> 00:02:57,980
Also, if you go on a special trip
77
00:02:57,980 --> 00:03:00,460
at the LEGO at LEGO House, which is
78
00:03:00,620 --> 00:03:03,004
Uh-huh. Yeah. Which is really cool. But you
79
00:03:03,004 --> 00:03:04,284
have to pay a lot of money to
80
00:03:04,284 --> 00:03:06,044
get on those tours, but you get a
81
00:03:06,044 --> 00:03:08,604
golden brick almost. Maybe we need to do
82
00:03:08,604 --> 00:03:10,064
Ignite Denmark. Yes.
83
00:03:12,205 --> 00:03:14,525
Yes. It will probably be better than San
84
00:03:14,525 --> 00:03:16,650
Francisco, but I don't know. Maybe. Yeah. We
85
00:03:16,729 --> 00:03:18,349
should probably be nice to San Francisco.
86
00:03:18,810 --> 00:03:21,289
Oh, well. Anyways, we should we talk about
87
00:03:21,289 --> 00:03:24,409
security instead of Legos in San Francisco and
88
00:03:24,409 --> 00:03:24,909
Denmark?
89
00:03:25,530 --> 00:03:27,930
So senior cloud specialist, you do a lot
90
00:03:27,930 --> 00:03:30,064
with security. You probably do more with security
91
00:03:30,064 --> 00:03:31,504
than I do because I tend to spin
92
00:03:31,504 --> 00:03:33,585
a whole bunch of stuff, but there have
93
00:03:33,585 --> 00:03:34,965
been some interesting
94
00:03:35,665 --> 00:03:37,764
changes with Sentinel in the last,
95
00:03:38,385 --> 00:03:40,544
what, probably six months or so. There was
96
00:03:40,544 --> 00:03:43,550
announcements around Sentinel coming into Defender where now
97
00:03:43,550 --> 00:03:45,229
it's really gonna be Defender's gonna be the
98
00:03:45,229 --> 00:03:47,469
place to get to Sentinel. Yes. But, also,
99
00:03:47,469 --> 00:03:49,789
if you connect Sentinel to Defender, you can
100
00:03:49,789 --> 00:03:52,689
do things with data lake now. Yes. So
101
00:03:52,990 --> 00:03:54,430
do you wanna talk a little bit? Like,
102
00:03:54,430 --> 00:03:56,129
we were talking about some of the advantages
103
00:03:56,189 --> 00:03:57,675
there. I know I think Scott and I
104
00:03:57,675 --> 00:03:58,875
mentioned it, but didn't go into a lot
105
00:03:58,875 --> 00:04:00,634
of details. And you were sharing some details
106
00:04:00,634 --> 00:04:02,634
even on some of the advantages, even some
107
00:04:02,634 --> 00:04:04,155
of the reasons. It makes a lot of
108
00:04:04,155 --> 00:04:05,835
sense in the EU. So in the EU,
109
00:04:05,835 --> 00:04:07,055
because of regulation,
110
00:04:07,594 --> 00:04:10,175
and we're driven by regulation, apparently.
111
00:04:10,719 --> 00:04:12,020
There are two new regulations.
112
00:04:12,319 --> 00:04:14,000
One is called NIS2, and the other
113
00:04:14,000 --> 00:04:16,500
is called DORA. And it applies actually
114
00:04:16,879 --> 00:04:20,399
to all critical infrastructure businesses. It's gonna hit
115
00:04:20,399 --> 00:04:23,185
almost everyone in the EU with logging. Okay.
116
00:04:23,185 --> 00:04:24,165
One of the loggings,
117
00:04:24,785 --> 00:04:26,785
logging requirements are that you need to save
118
00:04:26,785 --> 00:04:28,865
all your data or logs, audit logs, and
119
00:04:28,865 --> 00:04:32,245
security logs, and operation logs also for, like,
120
00:04:32,305 --> 00:04:34,785
thirteen months. Oh, wow. Yeah. That's a lot.
121
00:04:34,785 --> 00:04:37,205
Right? Yeah. So and this is just, like,
122
00:04:37,470 --> 00:04:39,470
everything. It doesn't matter what it is. It's
123
00:04:39,470 --> 00:04:42,189
just Yes. If something happens and it's logged
124
00:04:42,430 --> 00:04:43,949
Yes. What if you don't log it? Then
125
00:04:43,949 --> 00:04:46,189
we go far in. Too. Yeah. Yeah. So
126
00:04:46,189 --> 00:04:47,470
you have to log everything, and then you
127
00:04:47,470 --> 00:04:48,910
have to keep all of those for thirteen
128
00:04:48,910 --> 00:04:51,949
months. Yes. It's like GDPR. Okay. So it
129
00:04:51,949 --> 00:04:52,904
follows that.
130
00:04:53,384 --> 00:04:53,884
And,
131
00:04:54,504 --> 00:04:56,985
that has meant that especially us in the
132
00:04:56,985 --> 00:04:59,464
finance sector in Denmark have been looking into,
133
00:04:59,464 --> 00:05:01,384
oh, we need to save it for thirteen
134
00:05:01,384 --> 00:05:03,725
months now. Where to put it? Because
135
00:05:04,264 --> 00:05:06,904
yanking it up in log analytics workspace for
136
00:05:06,904 --> 00:05:08,550
thirteen months, that's expensive.
137
00:05:08,850 --> 00:05:10,769
Yeah. Especially I don't know. You don't have
138
00:05:10,769 --> 00:05:12,209
to share how big your bank is, but
139
00:05:12,209 --> 00:05:13,970
I can imagine with the bank and the
140
00:05:13,970 --> 00:05:16,550
amount of data, like, it's not an insignificant
141
00:05:16,930 --> 00:05:18,610
amount of logs that you have. This is
142
00:05:18,610 --> 00:05:19,089
probably
143
00:05:19,410 --> 00:05:22,149
is it gigabytes or terabytes of logs? It's
144
00:05:22,289 --> 00:05:24,524
a lot of gigabytes. And it's not
145
00:05:25,225 --> 00:05:27,404
how should I explain my workplace? I work
146
00:05:27,464 --> 00:05:29,404
at a company called Bank Data,
147
00:05:29,865 --> 00:05:33,064
and it's it's owned by different banks in
148
00:05:33,064 --> 00:05:35,384
Denmark, actually. Oh, okay. Yeah. So it's owned
149
00:05:35,384 --> 00:05:36,629
by seven different banks,
150
00:05:37,490 --> 00:05:40,689
and we are just the IT development department. So
151
00:05:40,689 --> 00:05:43,089
we do the finance banking apps. Got it.
152
00:05:43,089 --> 00:05:44,850
There's a lot of data, and they all
153
00:05:44,850 --> 00:05:46,230
want different things.
154
00:05:47,089 --> 00:05:47,589
So
155
00:05:48,154 --> 00:05:50,074
go make the button red. No. We want
156
00:05:50,074 --> 00:05:51,835
it blue. Yes. And then you have to
157
00:05:51,835 --> 00:05:53,355
log that you changed the button from red
158
00:05:53,355 --> 00:05:54,814
to blue? Change management.
159
00:05:55,115 --> 00:05:57,275
That's it's a finance sector, so we have
160
00:05:57,275 --> 00:05:58,895
to it's strictly regulated.
161
00:05:59,355 --> 00:06:01,849
So it's not it's not like in consultant
162
00:06:01,849 --> 00:06:04,490
where you just go in, place guns placing,
163
00:06:04,490 --> 00:06:06,490
and Yep. I can fix that for you,
164
00:06:06,490 --> 00:06:08,569
my friend. So how does data lake so
165
00:06:08,569 --> 00:06:10,569
you talked about, like, log analytics is super
166
00:06:10,569 --> 00:06:11,069
expensive
167
00:06:11,610 --> 00:06:14,009
when you are it it starts adding up.
168
00:06:14,009 --> 00:06:15,935
Now you can do it data lake. That
169
00:06:15,935 --> 00:06:18,574
helps with the pricing then. Yeah. A lot
170
00:06:18,574 --> 00:06:19,074
because
171
00:06:19,375 --> 00:06:22,035
we actually we are streaming logs from AWS.
172
00:06:22,414 --> 00:06:24,354
Okay. And that's a lot of logs
173
00:06:25,055 --> 00:06:28,035
you get from AWS also. And, specifically,
174
00:06:28,414 --> 00:06:30,735
what has helped us in our use case
175
00:06:30,735 --> 00:06:32,389
is that we don't have to pick and
176
00:06:32,389 --> 00:06:33,509
choose anymore with,
177
00:06:34,149 --> 00:06:35,750
do we log this or not? It's a
178
00:06:35,750 --> 00:06:38,089
requirement. So we have we have the opportunity
179
00:06:38,149 --> 00:06:41,110
to log it every everything now. And the
180
00:06:41,110 --> 00:06:43,350
ones that we throw directly into data lake
181
00:06:43,350 --> 00:06:46,035
at the moment, the older network logs, which
182
00:06:46,035 --> 00:06:48,595
are the most noisy logs that you can
183
00:06:48,595 --> 00:06:49,814
almost ever find.
184
00:06:50,435 --> 00:06:52,354
So that has saved a lot of money
185
00:06:52,354 --> 00:06:54,115
for us at least. Got it. So how
186
00:06:54,115 --> 00:06:56,035
did you how do you set that up?
187
00:06:56,035 --> 00:06:57,555
Because, like, we were talking about setting a
188
00:06:57,555 --> 00:06:59,740
little log analytics, which is Azure. Yeah. You
189
00:06:59,740 --> 00:07:01,399
know, while you're networking in AWS,
190
00:07:02,180 --> 00:07:03,240
is that through,
191
00:07:04,019 --> 00:07:06,339
like, Sentinel connectors then that are available in
192
00:07:06,339 --> 00:07:08,279
the hub or Yeah. How do you architect,
193
00:07:08,660 --> 00:07:11,560
like okay. All of our networks in AWS,
194
00:07:11,699 --> 00:07:13,939
we're gonna save it on Sentinel Yes. In
195
00:07:13,939 --> 00:07:15,079
data lake. Yes.
196
00:07:15,514 --> 00:07:18,495
So yeah. Because we actually stream it over
197
00:07:18,555 --> 00:07:21,055
from from the AWS. We have a connector.
198
00:07:21,194 --> 00:07:22,095
There's a
199
00:07:22,954 --> 00:07:25,995
a Amazon s three service in Okay. Content
200
00:07:25,995 --> 00:07:28,314
hub in the Sentinel, which we enabled. And
201
00:07:28,314 --> 00:07:30,014
that hooks into all the
202
00:07:31,439 --> 00:07:34,319
guard duty logs and cloud trail logs and
203
00:07:34,319 --> 00:07:36,720
VPC flow logs. And there's one more. I
204
00:07:36,720 --> 00:07:39,199
forgot its name. And that's so we have
205
00:07:39,199 --> 00:07:41,939
already the design before we went into AWS,
206
00:07:42,000 --> 00:07:44,079
we know that we were gonna move it
207
00:07:44,079 --> 00:07:46,214
over to Sentinel Okay. For the SIEM,
208
00:07:46,294 --> 00:07:48,154
one SIEM to rule them all. Yep.
209
00:07:48,535 --> 00:07:50,935
And, yeah. And we also got cut off
210
00:07:50,935 --> 00:07:53,735
guard in the early moments because there were
211
00:07:53,735 --> 00:07:56,134
some spikes in the traffic with the network
212
00:07:56,134 --> 00:07:57,814
logs, and it cost us a lot of
213
00:07:57,814 --> 00:07:59,615
money. And those spike was only, like, for
214
00:07:59,615 --> 00:08:01,654
a couple of hours, one day or two
215
00:08:01,654 --> 00:08:03,910
days, and it cost us a lot of
216
00:08:03,910 --> 00:08:06,470
money. That was before we enabled data lake,
217
00:08:06,470 --> 00:08:09,430
and that's what actually made us enable data
218
00:08:09,430 --> 00:08:11,750
lake to get it cheaper and then move
219
00:08:11,750 --> 00:08:13,830
the network logs directly into the data lake
220
00:08:13,830 --> 00:08:15,910
now. So we are saving money. Got it.
221
00:08:15,910 --> 00:08:17,664
So how does that work with data lake?
222
00:08:17,664 --> 00:08:19,425
Because I've started doing this. I've enabled data
223
00:08:19,425 --> 00:08:21,044
lake in mind, and it looks like
224
00:08:21,345 --> 00:08:23,504
by default, when you enable data lake for
225
00:08:23,504 --> 00:08:24,004
Sentinel,
226
00:08:24,384 --> 00:08:27,764
there's only certain tables from log analytics
227
00:08:28,305 --> 00:08:30,779
that go into data lake. Is that something
228
00:08:30,779 --> 00:08:32,160
that you can customize
229
00:08:32,460 --> 00:08:34,000
and tweak? Or have you
230
00:08:34,940 --> 00:08:37,019
We have only, we have only looked at
231
00:08:37,019 --> 00:08:39,120
those that cost us most money.
232
00:08:40,379 --> 00:08:42,620
So, yeah, it's a we have, like, I
233
00:08:42,620 --> 00:08:45,754
don't know, 290
234
00:08:45,815 --> 00:08:47,894
tables or something like that. Okay. And we
235
00:08:47,894 --> 00:08:50,375
did the quick one. Show us the most
236
00:08:50,375 --> 00:08:53,415
top 20 expensive tables, and then we did
237
00:08:53,415 --> 00:08:55,274
it from there. And all of those twenties,
238
00:08:55,654 --> 00:08:57,860
we could convert them into data lakes, but
239
00:08:57,860 --> 00:09:00,339
some don't actually make sense because you don't
240
00:09:00,339 --> 00:09:01,159
wanna move
241
00:09:01,620 --> 00:09:04,419
device events from MDE over to data lake
242
00:09:04,419 --> 00:09:07,220
because that correlates with all the other stuff
243
00:09:07,220 --> 00:09:09,699
on the attack vector. So you can't move
244
00:09:09,699 --> 00:09:12,259
that from away from log analytics, actually. Got
245
00:09:12,259 --> 00:09:14,725
it. So there are certain tables that like
246
00:09:14,725 --> 00:09:17,205
those device tables that, at least at this
247
00:09:17,205 --> 00:09:18,105
point in time,
248
00:09:18,565 --> 00:09:20,644
just have to stay in log analytics. There's
249
00:09:20,644 --> 00:09:22,245
no option. So you end up with a
250
00:09:22,245 --> 00:09:24,725
mix of tables and some in data lakes,
251
00:09:24,725 --> 00:09:25,785
some in log analytics.
252
00:09:26,350 --> 00:09:28,669
Yeah. Because if you put it if you
253
00:09:28,669 --> 00:09:30,669
had to put it into data lake, then
254
00:09:30,669 --> 00:09:33,970
you had to make KQL queries instead of
255
00:09:34,110 --> 00:09:35,009
analytic rules.
256
00:09:35,389 --> 00:09:37,470
And it's a bit slow, and the SOC
257
00:09:37,470 --> 00:09:38,325
doesn't like that.
258
00:09:39,524 --> 00:09:41,445
The SOC, like, sends their data right away?
259
00:09:41,445 --> 00:09:43,065
Yes. Apparently. Okay.
260
00:09:43,524 --> 00:09:46,105
But, I mean, they are doing something that
261
00:09:46,565 --> 00:09:48,665
most of the logs for from the defender
262
00:09:48,965 --> 00:09:50,644
stays in the in the new tables for
263
00:09:50,644 --> 00:09:52,485
thirty days. Okay. So they have something to
264
00:09:52,485 --> 00:09:54,929
look into. And, I mean, who whoever comes
265
00:09:54,929 --> 00:09:57,089
back looking at logs at some point that
266
00:09:57,089 --> 00:09:59,089
needs them to go back a year, they're
267
00:09:59,089 --> 00:10:01,809
looking for something specific. Right? Right. So I
268
00:10:01,809 --> 00:10:03,409
haven't looked at this yet with the data
269
00:10:03,409 --> 00:10:05,250
lake. Can you set it then? So, like,
270
00:10:05,250 --> 00:10:07,649
logs from certain tables will go into data
271
00:10:07,649 --> 00:10:10,235
lake after a period of time? So, like
272
00:10:10,235 --> 00:10:12,634
you said, thirty days of device in log
273
00:10:12,634 --> 00:10:15,434
analytics and then thirty one days out to
274
00:10:15,434 --> 00:10:17,514
the thirteen months go to data lake? Yes.
275
00:10:17,514 --> 00:10:19,434
That's actually how we do it. In our
276
00:10:19,434 --> 00:10:21,799
case, we do ninety days. Okay. So we
277
00:10:21,799 --> 00:10:24,120
do ninety days log analytics tiering and then
278
00:10:24,120 --> 00:10:25,980
the rest in the data lake after that.
279
00:10:26,519 --> 00:10:28,279
Got it. For the other ones, we do
280
00:10:28,279 --> 00:10:31,639
directly to data lake. Okay. Network logs. Okay.
281
00:10:31,639 --> 00:10:33,980
And then you mentioned the analytics rules too.
282
00:10:34,414 --> 00:10:35,934
Again, like, I knew this, and I've kinda
283
00:10:35,934 --> 00:10:37,694
played with it, but haven't spent as much
284
00:10:37,694 --> 00:10:40,014
time with you. You talked about, like, the
285
00:10:40,014 --> 00:10:43,475
analytics rules and writing the queries. Does that
286
00:10:44,095 --> 00:10:45,934
differ then based on where the data is
287
00:10:45,934 --> 00:10:47,694
and how you write those queries? Or even
288
00:10:47,694 --> 00:10:51,220
if you wanna correlate data across different tables
289
00:10:51,600 --> 00:10:53,519
where you have some in log analytics and
290
00:10:53,519 --> 00:10:55,120
some in data lake, do you have to
291
00:10:55,120 --> 00:10:56,639
get a little more creative in how you
292
00:10:56,639 --> 00:10:58,960
write those? Yes. You have. So if we
293
00:10:58,960 --> 00:11:02,340
do, normally, all the Hondas do within KQL
294
00:11:02,399 --> 00:11:04,980
in the analytics, rule and then about something.
295
00:11:05,355 --> 00:11:08,075
And it's not that very seldom that we
296
00:11:08,075 --> 00:11:11,115
actually look back more than three months. That's
297
00:11:11,115 --> 00:11:13,274
why we landed on the magic ninety days.
298
00:11:13,274 --> 00:11:15,674
Got it. So so because it's not necessary,
299
00:11:15,674 --> 00:11:18,920
but if you have analytic queries for certain
300
00:11:18,920 --> 00:11:21,240
tables, then you have to convert them over
301
00:11:21,240 --> 00:11:23,879
because you can't cross over the search. So
302
00:11:23,879 --> 00:11:25,879
you have to you have to make another
303
00:11:25,879 --> 00:11:28,360
KQL job that runs to through the data
304
00:11:28,360 --> 00:11:30,920
lake. Okay. Yeah. Where if it's older than
305
00:11:30,920 --> 00:11:34,245
three months. Sorry. Ninety days. Okay. Ninety days,
306
00:11:34,245 --> 00:11:36,904
three months. They're about the same. Right? Yeah.
307
00:11:36,964 --> 00:11:38,985
Most months, they're close. Yeah.
308
00:11:39,445 --> 00:11:41,204
So can you write a query that because
309
00:11:41,204 --> 00:11:42,644
you can, like, look up. Like, you wanna
310
00:11:42,644 --> 00:11:45,044
look up log information for a device. And
311
00:11:45,044 --> 00:11:47,065
if you have those tables in two different
312
00:11:47,319 --> 00:11:47,819
sources,
313
00:11:48,199 --> 00:11:49,799
can you write a query? Yeah. So it
314
00:11:49,799 --> 00:11:51,639
will cross over. No. Because it there are
315
00:11:51,639 --> 00:11:54,759
two different things. Analytics ones will only do
316
00:11:54,759 --> 00:11:56,600
the ninety days. Yep. And then you have
317
00:11:56,600 --> 00:11:58,919
to switch over to the other ones. Got
318
00:11:58,919 --> 00:12:00,044
it. Yeah. For,
319
00:12:00,365 --> 00:12:01,964
yeah, but we haven't had the use case
320
00:12:01,964 --> 00:12:03,325
yet for that. Okay. Where you have to
321
00:12:03,325 --> 00:12:05,884
cross over, like, correlate network logs with device
322
00:12:05,884 --> 00:12:07,565
logs within ninety days when they're in two
323
00:12:07,565 --> 00:12:08,464
different sources?
324
00:12:08,924 --> 00:12:10,865
We haven't had that issue yet. Okay.
325
00:12:11,325 --> 00:12:13,049
Knock on wood. Let me know when that
326
00:12:13,129 --> 00:12:13,950
happens? Yeah. For
327
00:12:14,490 --> 00:12:16,970
you. It's a nice case because we actually
328
00:12:16,970 --> 00:12:19,370
had one that does advanced hunting. He asked
329
00:12:19,370 --> 00:12:21,690
about it. So if I'm doing this and
330
00:12:21,690 --> 00:12:24,089
this, but this table for the network logs
331
00:12:24,089 --> 00:12:25,769
is down here. As far as I said,
332
00:12:25,769 --> 00:12:28,330
we keep the devices because he's writing on
333
00:12:28,330 --> 00:12:28,990
the devices
334
00:12:29,345 --> 00:12:30,565
with the MDE data.
335
00:12:30,945 --> 00:12:32,945
Yeah. So we haven't had the use case
336
00:12:32,945 --> 00:12:33,764
for that because
337
00:12:34,144 --> 00:12:36,865
one thing is Azure logs and VPC flow
338
00:12:36,865 --> 00:12:38,644
logs from AWS firewalls.
339
00:12:39,345 --> 00:12:42,384
That's a whole another ballgame versus the MDE
340
00:12:42,384 --> 00:12:45,160
data that come from Got it. Laptops. Yep.
341
00:12:45,160 --> 00:12:45,660
Yeah.
342
00:12:46,200 --> 00:12:48,519
So and that's where the interesting stuff is.
343
00:12:48,519 --> 00:12:50,300
Got it. That makes sense.
344
00:12:51,160 --> 00:12:52,519
There was something else I was gonna ask
345
00:12:52,519 --> 00:12:54,040
and now I can't remember what it was
346
00:12:54,040 --> 00:12:56,300
around some of that. Must be the carnival
347
00:12:56,360 --> 00:12:58,575
music. Yeah. It's the carnival music in the
348
00:12:58,575 --> 00:13:01,054
background that people walking by. And the lack
349
00:13:01,054 --> 00:13:03,375
of sleep over the last few days. I'm
350
00:13:03,375 --> 00:13:04,274
getting tired.
351
00:13:04,654 --> 00:13:07,134
Yeah. So so you did say speed. That's
352
00:13:07,134 --> 00:13:08,815
one thing too that if you're querying data
353
00:13:08,815 --> 00:13:10,970
like that, your queries do is it, like,
354
00:13:10,970 --> 00:13:11,470
noticeably
355
00:13:12,009 --> 00:13:14,649
slower, or is it just, like, maybe it's
356
00:13:14,649 --> 00:13:16,029
a few seconds slower?
357
00:13:16,490 --> 00:13:18,569
What have you seen from a speed perspective
358
00:13:18,569 --> 00:13:20,329
when you're querying it? It was only, like,
359
00:13:20,329 --> 00:13:23,129
a couple of minutes. Okay. But and we
360
00:13:23,129 --> 00:13:25,529
had to build the query specifically. I wanna
361
00:13:25,529 --> 00:13:28,264
see it that I was searching for something
362
00:13:28,404 --> 00:13:31,065
in here and go pick those days only
363
00:13:31,205 --> 00:13:33,285
in this time span. So we were pretty
364
00:13:33,285 --> 00:13:35,764
precise because it costs money to query the
365
00:13:35,764 --> 00:13:38,165
data lake. So you gotta kind of have
366
00:13:38,165 --> 00:13:39,240
to optimize your
367
00:13:39,639 --> 00:13:41,559
your statements. Your queries. Yeah. Like, so is
368
00:13:41,559 --> 00:13:44,279
that something different with is it more, like,
369
00:13:44,279 --> 00:13:46,120
it's cheaper to store data in the data
370
00:13:46,120 --> 00:13:48,679
lake, but more expensive to query it? Yes.
371
00:13:48,679 --> 00:13:51,240
Precisely. That's but I that's with all the
372
00:13:51,240 --> 00:13:53,019
products actually today. So
373
00:13:53,399 --> 00:13:54,014
but, yes,
374
00:13:54,495 --> 00:13:56,415
that's one of the four pits. So you
375
00:13:56,415 --> 00:13:58,894
don't wanna have a guy that that does
376
00:13:58,894 --> 00:14:01,375
a search in the data lake for five
377
00:14:01,375 --> 00:14:03,774
years back or something like that. Okay. If
378
00:14:03,774 --> 00:14:05,575
you saw data for five years back. Right?
379
00:14:05,695 --> 00:14:07,409
Sort of that long. That's gonna cost a
380
00:14:07,409 --> 00:14:09,970
lot of money. Okay. Just firing the query
381
00:14:09,970 --> 00:14:11,889
off, and that's why we also said it
382
00:14:11,889 --> 00:14:14,529
would be nice before doing the statements or
383
00:14:14,529 --> 00:14:15,669
the KQL queries.
384
00:14:15,970 --> 00:14:18,370
What is the approximate cost if I throw
385
00:14:18,370 --> 00:14:19,190
this query
386
00:14:19,820 --> 00:14:22,095
Right. Yeah. Turn it on. So is it
387
00:14:22,174 --> 00:14:23,934
with the data lake queries and the cost,
388
00:14:23,934 --> 00:14:25,855
is it based on how much data gets
389
00:14:25,855 --> 00:14:28,754
returned from the query, or is it based
390
00:14:29,534 --> 00:14:31,375
on how many tables The lookup of the
391
00:14:31,375 --> 00:14:33,970
data. Okay. It's the lookup of how much
392
00:14:33,970 --> 00:14:35,990
data it has to go through. Got it.
393
00:14:36,049 --> 00:14:37,730
As as far as I know, but it's
394
00:14:37,730 --> 00:14:39,570
still new to us. I mean, it's like
395
00:14:39,570 --> 00:14:41,330
two months ago. Right. It hasn't been out
396
00:14:41,330 --> 00:14:43,330
very long. So people are still trying to
397
00:14:43,330 --> 00:14:45,250
figure it out. It'll be interesting to see
398
00:14:45,250 --> 00:14:46,230
even how Microsoft
399
00:14:47,245 --> 00:14:49,184
evolves it because I can imagine
400
00:14:49,644 --> 00:14:51,485
the scenario is gonna arise where someone has
401
00:14:51,485 --> 00:14:53,404
to query data in both data sources and
402
00:14:53,404 --> 00:14:55,485
how hopefully, they come up with a way
403
00:14:55,485 --> 00:14:57,404
to maybe make that a little bit more
404
00:14:57,404 --> 00:14:57,904
seamless
405
00:14:58,605 --> 00:15:00,625
as time goes on. Yeah. It's gonna
406
00:15:01,210 --> 00:15:04,250
as a true Microsoft employee would say, it's
407
00:15:04,250 --> 00:15:05,629
a journey we are on.
408
00:15:07,610 --> 00:15:09,690
And we have no idea how long this
409
00:15:09,690 --> 00:15:11,529
journey is gonna take us. But we have
410
00:15:11,529 --> 00:15:12,509
never been closer.
411
00:15:14,075 --> 00:15:15,674
Every day it's just like your birthday. Right?
412
00:15:15,674 --> 00:15:17,035
Every day, you get one day closer to
413
00:15:17,035 --> 00:15:18,715
your birthday. Yeah. Yay. Every day, we get
414
00:15:18,715 --> 00:15:20,634
one day closer to the destination on this
415
00:15:20,634 --> 00:15:22,174
journey with Microsoft. Yeah.
416
00:15:22,715 --> 00:15:24,575
It's funny. Oh, man.
417
00:15:28,610 --> 00:15:30,769
Do you feel overwhelmed by trying to manage
418
00:15:30,769 --> 00:15:33,009
your Office three sixty five environment? Are you
419
00:15:33,009 --> 00:15:36,309
facing unexpected issues that disrupt your company's productivity?
420
00:15:36,610 --> 00:15:38,529
Intelligink is here to help. Much like you
421
00:15:38,529 --> 00:15:40,449
take your car to the mechanic that has
422
00:15:40,449 --> 00:15:42,529
specialized knowledge on how to best keep your
423
00:15:42,529 --> 00:15:45,595
car running, Intelligink helps you with your Microsoft
424
00:15:45,654 --> 00:15:47,915
cloud environment because that's their expertise.
425
00:15:48,295 --> 00:15:50,535
Intelligink keeps up with the latest updates in
426
00:15:50,535 --> 00:15:52,774
the Microsoft cloud to help keep your business
427
00:15:52,774 --> 00:15:54,934
running smoothly and ahead of the curve. Whether
428
00:15:54,934 --> 00:15:57,014
you are a small organization with just a
429
00:15:57,014 --> 00:15:59,429
few users up to an organization of several
430
00:15:59,429 --> 00:16:00,490
thousand employees,
431
00:16:00,870 --> 00:16:02,790
they want to partner with you to implement
432
00:16:02,790 --> 00:16:05,529
and administer your Microsoft cloud technology.
433
00:16:06,309 --> 00:16:09,850
Visit them at intelligink.com/podcast.
434
00:16:10,070 --> 00:16:16,754
That's intelligink.com/podcast
435
00:16:17,134 --> 00:16:19,295
for more information or to schedule a thirty
436
00:16:19,295 --> 00:16:21,394
minute call to get started with them today.
437
00:16:21,615 --> 00:16:24,975
Remember, Intelligink focuses on the Microsoft cloud so
438
00:16:24,975 --> 00:16:26,519
you can focus on your business.
439
00:16:29,080 --> 00:16:31,820
So other things that kinda tie in the
440
00:16:32,120 --> 00:16:32,620
Sentinel,
441
00:16:32,920 --> 00:16:33,420
this
442
00:16:33,800 --> 00:16:36,920
security ecosystem is and there were some announcements
443
00:16:36,920 --> 00:16:39,654
around Security Copilot. Have you started playing with
444
00:16:39,654 --> 00:16:43,034
Security Copilot yet with your Sentinel data and
445
00:16:43,095 --> 00:16:45,414
looking at that? No. We have not because
446
00:16:45,414 --> 00:16:47,274
it had the cost have been an issue
447
00:16:47,334 --> 00:16:49,194
for us from day one. Right?
448
00:16:49,495 --> 00:16:51,779
Because of the SCU cost. The C-level
449
00:16:51,779 --> 00:16:54,019
said no because it's too expensive. And, I
450
00:16:54,019 --> 00:16:55,700
mean, what's the value if we look at
451
00:16:55,700 --> 00:16:58,500
it? I mean Right. Yeah. And then where
452
00:16:58,500 --> 00:17:00,360
there were all those hacks that you could
453
00:17:00,419 --> 00:17:02,820
spin up the SCUs, then shut them down,
454
00:17:02,820 --> 00:17:04,740
spin them up next day, and stuff like
455
00:17:04,740 --> 00:17:07,264
that. But we didn't bother in our enterprise
456
00:17:07,325 --> 00:17:10,144
because it didn't give that value. But now,
457
00:17:10,204 --> 00:17:12,384
with the new E5, yes,
458
00:17:12,684 --> 00:17:14,524
it's gonna be exciting. It is. And that
459
00:17:14,524 --> 00:17:16,204
was one of the announcements. So have you
460
00:17:16,204 --> 00:17:17,964
started playing with it yet? Have you guys
461
00:17:18,044 --> 00:17:19,724
well, though you probably haven't gotten it yet,
462
00:17:19,724 --> 00:17:21,184
you didn't have Security Copilot.
463
00:17:21,619 --> 00:17:23,859
No. Not yet. Not yet. But we have
464
00:17:23,859 --> 00:17:25,619
E5. But you have E5, so
465
00:17:25,619 --> 00:17:27,460
you're ready. This was and this was one
466
00:17:27,460 --> 00:17:28,920
of those announcements. And
467
00:17:29,220 --> 00:17:30,820
Scott and I talked about it a little
468
00:17:30,820 --> 00:17:32,200
bit on the last podcast,
469
00:17:32,740 --> 00:17:34,420
but we only had the book of news
470
00:17:34,420 --> 00:17:37,154
to go by. Yeah. Now Microsoft has announced
471
00:17:37,154 --> 00:17:39,734
it. There's blog posts out there about it
472
00:17:39,795 --> 00:17:40,295
that
473
00:17:40,674 --> 00:17:42,914
E5s are going to get a certain
474
00:17:42,914 --> 00:17:43,894
level of Copilot.
475
00:17:44,275 --> 00:17:46,035
Have you started looking at that? How many
476
00:17:46,035 --> 00:17:47,634
details do you have around that you wanna
477
00:17:47,634 --> 00:17:50,039
share? We are definitely gonna use it for
478
00:17:50,039 --> 00:17:52,859
the Entra ID one and the conditional access
479
00:17:53,240 --> 00:17:55,420
one. The optimization Yeah. The optimization.
480
00:17:55,799 --> 00:17:58,279
Yeah. That's the one we probably the most
481
00:17:58,279 --> 00:17:59,579
most important one,
482
00:17:59,960 --> 00:18:01,720
and then we'll look into the others. I
483
00:18:01,720 --> 00:18:03,134
mean, we can probably
484
00:18:03,515 --> 00:18:06,095
burn through those SCUs. Through all SCUs. Yeah.
485
00:18:06,474 --> 00:18:09,115
Because it's also nice because even though it's
486
00:18:09,115 --> 00:18:11,535
in the license now, it's not that much
487
00:18:11,674 --> 00:18:12,174
anyways.
488
00:18:13,115 --> 00:18:14,795
Right. And I looked at
489
00:18:15,289 --> 00:18:16,730
so have you looked at the cost and
490
00:18:16,730 --> 00:18:18,250
how they're doing all this with the SCUs
491
00:18:18,250 --> 00:18:19,769
and then Yes. I looked into it, and
492
00:18:19,769 --> 00:18:22,289
I think it's gonna be a journey Yeah.
493
00:18:22,490 --> 00:18:25,210
As they say. More journeys. More journeys. Lots
494
00:18:25,210 --> 00:18:27,289
of journeys we are on. It's a step
495
00:18:27,289 --> 00:18:29,325
in the right direction, I would say. Because
496
00:18:29,325 --> 00:18:31,404
if you wanna get people to use Security
497
00:18:31,404 --> 00:18:33,565
Copilot, this is the right step to do
498
00:18:33,565 --> 00:18:36,525
because nobody in their mind would do it.
499
00:18:36,525 --> 00:18:38,444
Right. And let's look at it going. And
500
00:18:38,444 --> 00:18:40,859
I started looking at the pricing, and it's,
501
00:18:41,179 --> 00:18:42,940
to your point, it's a journey. It's gonna
502
00:18:42,940 --> 00:18:45,019
be interesting to see how this pricing works
503
00:18:45,019 --> 00:18:46,559
out because you essentially
504
00:18:46,859 --> 00:18:48,960
get Microsoft gave an example
505
00:18:49,660 --> 00:18:52,319
of for every it was a thousand
506
00:18:52,859 --> 00:18:53,839
e five licenses,
507
00:18:54,474 --> 00:18:56,335
you would get 400
508
00:18:57,274 --> 00:18:57,774
SCUs.
509
00:18:58,075 --> 00:19:00,875
Yeah. Which is the security compute units. Yes.
510
00:19:00,875 --> 00:19:02,234
But I had to shift it in my
511
00:19:02,234 --> 00:19:03,994
mind because at first it was like, oh,
512
00:19:03,994 --> 00:19:07,375
currently it's like $4 per hour per SCU,
513
00:19:07,960 --> 00:19:10,380
and this is a 400
514
00:19:10,759 --> 00:19:11,259
SCUs
515
00:19:12,279 --> 00:19:12,779
per
516
00:19:13,480 --> 00:19:13,980
month.
517
00:19:14,440 --> 00:19:16,519
So it's like it was a per hour
518
00:19:16,519 --> 00:19:17,019
pricing.
519
00:19:17,880 --> 00:19:19,799
Now it's changing to, like, a quota per
520
00:19:19,799 --> 00:19:22,220
month, and they said there's also no minimum.
521
00:19:22,384 --> 00:19:24,545
So if you have like one E5
522
00:19:24,545 --> 00:19:26,244
you get point four
523
00:19:26,545 --> 00:19:27,904
Yeah. SCUs per month. I don't know how
524
00:19:27,904 --> 00:19:30,085
that's gonna work out. But it's not
525
00:19:30,625 --> 00:19:32,465
and at first I was super excited. I'm
526
00:19:32,465 --> 00:19:33,985
like, oh I get two SCUs. And in
527
00:19:33,985 --> 00:19:35,585
my head I was still thinking per hour
528
00:19:35,585 --> 00:19:38,419
not per month. Yeah. Because a thousand users,
529
00:19:38,480 --> 00:19:40,259
400 SCUs a month
530
00:19:40,640 --> 00:19:42,559
only gives you, like you divide that by
531
00:19:42,559 --> 00:19:43,380
thirty days,
532
00:19:43,759 --> 00:19:44,819
you're down to
533
00:19:45,279 --> 00:19:47,279
what, like it's just over, it's like a
534
00:19:47,279 --> 00:19:48,900
120
535
00:19:49,440 --> 00:19:52,154
it no, a hundred and twenty thirty ish.
536
00:19:52,535 --> 00:19:54,555
Yeah. 130 ish SCUs
537
00:19:55,255 --> 00:19:57,734
per day Are gonna be burned through. Break
538
00:19:57,734 --> 00:19:59,755
it down by hour, and you're like, well,
539
00:19:59,815 --> 00:20:01,674
wait a minute. Now I'm down to, like,
540
00:20:01,734 --> 00:20:02,694
1.5
541
00:20:02,694 --> 00:20:05,494
or two SCUs per hour Yeah. For a
542
00:20:05,494 --> 00:20:06,394
thousand users?
543
00:20:07,019 --> 00:20:09,220
I hope we'll be able to make that
544
00:20:09,340 --> 00:20:12,220
the Intune guys get so much and the
545
00:20:12,220 --> 00:20:14,539
Entra ID guys get so much, and the other
546
00:20:14,539 --> 00:20:17,019
security guys get the so like you you
547
00:20:17,019 --> 00:20:18,940
could do today, right, if you bought the
548
00:20:18,940 --> 00:20:20,720
norm the regular old SCUs.
549
00:20:21,615 --> 00:20:23,214
Yeah. So I'm curious to see how that
550
00:20:23,214 --> 00:20:24,654
works because then they said, well, if you
551
00:20:24,654 --> 00:20:26,115
go over, you buy SCUs.
552
00:20:26,654 --> 00:20:28,255
Yeah. And then we are right back at
553
00:20:28,255 --> 00:20:30,575
square one. Right. Well, now it's an hourly,
554
00:20:30,575 --> 00:20:32,355
but I'm like, well, how do you do
555
00:20:32,414 --> 00:20:34,755
it if you're doing a quota of SCUs
556
00:20:35,775 --> 00:20:36,515
per month
557
00:20:36,849 --> 00:20:39,009
and now you need SCUs, do you start
558
00:20:39,009 --> 00:20:40,549
buying just individual
559
00:20:41,009 --> 00:20:43,029
SCUs now per month?
560
00:20:43,490 --> 00:20:45,970
Or once you run out, do you have
561
00:20:45,970 --> 00:20:46,950
to start paying
562
00:20:47,329 --> 00:20:49,990
per hour for the rest of the month?
563
00:20:50,325 --> 00:20:52,804
Yes. Like and that's where I think it's
564
00:20:52,804 --> 00:20:55,444
gonna be a journey of the documentation I
565
00:20:55,444 --> 00:20:57,544
looked at wasn't super clear
566
00:20:58,644 --> 00:21:01,524
in my mind on how the $6 per
567
00:21:01,524 --> 00:21:02,024
SCU
568
00:21:02,565 --> 00:21:03,304
per hour
569
00:21:03,900 --> 00:21:06,400
or if it's just $6 per SCU now
570
00:21:06,619 --> 00:21:09,259
in the quota per month kinda Yeah. Very
571
00:21:09,420 --> 00:21:10,700
and I didn't know if you looked at
572
00:21:10,700 --> 00:21:13,099
any of that or started trying to figure
573
00:21:13,099 --> 00:21:14,859
that out because you have any vibes and
574
00:21:14,859 --> 00:21:16,380
you wanna go home and use your SCU.
575
00:21:16,380 --> 00:21:19,284
Yes. I'm looking forward. Probably when I get
576
00:21:19,284 --> 00:21:21,924
home, somebody has probably started up playing with
577
00:21:21,924 --> 00:21:25,044
it because it's for free now. Yeah. Otherwise
578
00:21:25,365 --> 00:21:26,724
so this was the other part of what
579
00:21:26,724 --> 00:21:28,404
I saw is if you were paying for
580
00:21:28,404 --> 00:21:30,680
Security Copilot now, you
581
00:21:31,220 --> 00:21:33,220
would get transitioned right away to this new
582
00:21:33,220 --> 00:21:35,860
pricing model. And if you aren't paying for
583
00:21:35,860 --> 00:21:36,759
Security Copilot,
584
00:21:37,700 --> 00:21:38,200
you
585
00:21:38,740 --> 00:21:40,259
have to wait. So you might not be
586
00:21:40,259 --> 00:21:41,799
able to play with the right one again.
587
00:21:41,860 --> 00:21:43,940
But we can wait because, I mean, let's
588
00:21:43,940 --> 00:21:46,894
face it. The need hasn't been there. Yeah.
589
00:21:47,195 --> 00:21:49,835
So are there any other yeah. Or security.
590
00:21:49,835 --> 00:21:52,075
Any other security announcements from Ignite that you
591
00:21:52,075 --> 00:21:54,394
were excited about other than you can start
592
00:21:54,394 --> 00:21:57,035
playing with Security Copilot now? That would be
593
00:21:57,035 --> 00:21:57,775
the agents.
594
00:21:58,154 --> 00:21:59,994
The a there were a bunch of like,
595
00:21:59,994 --> 00:22:02,769
there's a bunch the Security Copilot agents. Yes.
596
00:22:02,769 --> 00:22:05,009
A bunch of them. I haven't actually looked
597
00:22:05,009 --> 00:22:07,509
into them. Okay. I can't remember their names.
598
00:22:09,170 --> 00:22:11,650
I remember a few only because I've seen
599
00:22:11,650 --> 00:22:14,450
them already. Like, there were some agents that
600
00:22:14,450 --> 00:22:17,829
already existed. The conditional access optimization agent,
601
00:22:18,914 --> 00:22:22,194
the phishing remediation agent. Yeah. That one. That's
602
00:22:22,194 --> 00:22:24,914
also a really nice one. Yeah. Those but
603
00:22:24,914 --> 00:22:26,994
I think there were, like Five or six
604
00:22:26,994 --> 00:22:29,154
months? Well, there were five or six before.
605
00:22:29,154 --> 00:22:30,534
I think there's at least,
606
00:22:30,869 --> 00:22:32,630
I think there's, like, another six to 10
607
00:22:32,630 --> 00:22:35,430
agents Ugh. That came out now. So I
608
00:22:35,509 --> 00:22:37,029
again, if there were any of those that
609
00:22:37,029 --> 00:22:39,609
you were excited about that you've looked at.
610
00:22:39,670 --> 00:22:40,329
I haven't.
611
00:22:40,789 --> 00:22:43,109
I can almost imagine now it's gonna be
612
00:22:43,109 --> 00:22:44,809
governance towards agents.
613
00:22:45,704 --> 00:22:47,464
Well, there is. We got Agent 365
614
00:22:47,464 --> 00:22:49,484
now for configuring our agents. Right?
615
00:22:50,505 --> 00:22:52,984
I saw so here's another one. I'm curious
616
00:22:52,984 --> 00:22:54,605
if you think this one will help.
617
00:22:55,704 --> 00:22:57,545
I saw some talk too about, like, a
618
00:22:57,545 --> 00:23:00,070
DLP agent around DLP remediations
619
00:23:00,609 --> 00:23:03,330
Yeah. Where an agent now and I can't
620
00:23:03,330 --> 00:23:05,269
remember if it's here or if it's coming.
621
00:23:05,330 --> 00:23:07,509
We're, like, you send an email, and
622
00:23:07,809 --> 00:23:09,990
instead of maybe using some of the regular
623
00:23:10,049 --> 00:23:13,029
expressions and detection there for sensitive information,
624
00:23:13,734 --> 00:23:16,394
starting to leverage an AI agent to detect,
625
00:23:16,774 --> 00:23:18,934
was this a sensitive email? And then if
626
00:23:18,934 --> 00:23:19,595
it is,
627
00:23:20,134 --> 00:23:21,734
instead of sending it to the SOC right
628
00:23:21,734 --> 00:23:24,075
away, sending it back to the end user,
629
00:23:24,375 --> 00:23:26,474
like, maybe it's a Teams message or something.
630
00:23:26,569 --> 00:23:28,329
Did you mean to send this email? Did
631
00:23:28,329 --> 00:23:30,429
you realize there was sensitive information in
632
00:23:30,730 --> 00:23:32,890
it? Almost to let the end user self
633
00:23:32,890 --> 00:23:33,390
remediate.
634
00:23:34,009 --> 00:23:36,329
And if it turns out that, no. I
635
00:23:36,329 --> 00:23:38,329
didn't send this email, then it goes to
636
00:23:38,329 --> 00:23:39,529
the SOC team or if it's, yeah, I
637
00:23:39,529 --> 00:23:41,515
sent this email. No. I didn't realize there
638
00:23:41,515 --> 00:23:43,035
was sensitive information in it. We need to
639
00:23:43,035 --> 00:23:44,955
open an incident, then it goes to the
640
00:23:44,955 --> 00:23:47,035
SOC team. So trying to eliminate some of
641
00:23:47,035 --> 00:23:48,714
that noise that goes to the SOC team.
642
00:23:48,714 --> 00:23:51,195
That's actually really smart. Right? Yeah. I thought
643
00:23:51,195 --> 00:23:53,275
the same thing. I was like, oh, I
644
00:23:53,275 --> 00:23:55,515
like the work. On the SCU cost, of
645
00:23:55,515 --> 00:23:58,109
course. Depending on the SCU cost. But it's
646
00:23:58,109 --> 00:23:59,490
free now with an E5.
647
00:24:01,549 --> 00:24:04,210
Yes. Whoever comes first that day.
648
00:24:05,309 --> 00:24:06,990
Yeah. The fir the first two or three
649
00:24:06,990 --> 00:24:09,710
people get the agent for Yeah. DLP, and
650
00:24:09,710 --> 00:24:11,649
then after that, it's all over. Yeah.
651
00:24:12,085 --> 00:24:13,125
I know. I had to keep an eye
652
00:24:13,125 --> 00:24:15,125
on time. We've been doing some labs. You
653
00:24:15,125 --> 00:24:17,605
and I both been practicing labs this week.
654
00:24:17,605 --> 00:24:19,765
Those have been fun. Any other highlights from
655
00:24:19,765 --> 00:24:20,265
Ignite?
656
00:24:21,285 --> 00:24:22,965
Okay. I know how you feel about San
657
00:24:22,965 --> 00:24:23,465
Francisco.
658
00:24:24,019 --> 00:24:25,720
We don't need to talk about San Francisco.
659
00:24:25,940 --> 00:24:27,700
We're not talking we're not gonna make fun
660
00:24:27,700 --> 00:24:29,139
of San Francisco. We can't talk about San
661
00:24:29,139 --> 00:24:31,079
Francisco. Actually, my experiences
662
00:24:31,460 --> 00:24:33,859
has been nice, but being a proctor and
663
00:24:33,859 --> 00:24:36,759
having the expert badge with the special entrances
664
00:24:36,980 --> 00:24:39,460
helps a lot. It does. I must admit
665
00:24:39,460 --> 00:24:42,154
that seeing these people rock walking through metal
666
00:24:42,154 --> 00:24:42,654
detectors
667
00:24:42,955 --> 00:24:45,835
constantly, it's a pain. Right? It is. I
668
00:24:45,835 --> 00:24:47,914
heard it from and getting the bag search
669
00:24:47,914 --> 00:24:48,654
each time,
670
00:24:48,955 --> 00:24:52,075
it's it's really frustrating for some. I heard
671
00:24:52,075 --> 00:24:53,835
it from all the colleagues I'm with and
672
00:24:53,835 --> 00:24:56,609
the other fellow Danes. Okay. They really hate
673
00:24:56,609 --> 00:24:58,769
it going from building to building building to
674
00:24:58,769 --> 00:25:01,570
building. Yeah. And the the venue is so
675
00:25:01,570 --> 00:25:03,650
fast spread. Right? If you have sessions down
676
00:25:03,650 --> 00:25:04,150
at
677
00:25:04,849 --> 00:25:05,349
Marquis
678
00:25:05,809 --> 00:25:06,309
Yeah.
679
00:25:06,930 --> 00:25:08,944
It's a walk. I walked over there this
680
00:25:08,944 --> 00:25:11,025
morning. Yeah. It's fifteen minutes or something before
681
00:25:11,025 --> 00:25:13,505
you actually reach the room. Uh-huh. And then
682
00:25:13,505 --> 00:25:15,825
you have to go back into, the West
683
00:25:15,825 --> 00:25:18,464
Moscone Center. Yeah. You you use you use
684
00:25:18,464 --> 00:25:20,545
a lot of time walking. You do. And
685
00:25:20,545 --> 00:25:22,850
it does feel I'm glad I'm here. I
686
00:25:22,850 --> 00:25:25,090
still love being at Ignite. It's bigger than
687
00:25:25,090 --> 00:25:27,350
last year. Yep. Definitely. But it feels
688
00:25:27,970 --> 00:25:30,130
smaller to me because of how spread out
689
00:25:30,130 --> 00:25:32,930
everything is. Like, I miss everything being when
690
00:25:32,930 --> 00:25:35,585
it was closer together, there were definitely it
691
00:25:35,585 --> 00:25:37,424
was harder in some respects, it was harder
692
00:25:37,424 --> 00:25:38,944
to get around because everybody was shoulder to
693
00:25:38,944 --> 00:25:41,184
shoulder. Yeah. But I felt like you saw
694
00:25:41,184 --> 00:25:41,924
more people.
695
00:25:42,464 --> 00:25:43,204
You did.
696
00:25:43,825 --> 00:25:45,744
Yeah. I it's all but I like the
697
00:25:45,744 --> 00:25:47,984
expo, the hub area and the expo in
698
00:25:47,984 --> 00:25:50,569
the Moscone's in the South. It's pretty nice.
699
00:25:50,789 --> 00:25:53,589
What? Any highlights? Any vendors you've seen or
700
00:25:53,589 --> 00:25:55,589
any highlights from the hub? People you've run
701
00:25:55,589 --> 00:25:56,089
into?
702
00:25:56,630 --> 00:25:58,569
I like the MVP wall, the new MVP
703
00:25:58,630 --> 00:26:01,909
wall. Yes. It's curvy. Right? It's curvy. And
704
00:26:01,909 --> 00:26:04,244
a lot of names. A lot of names.
705
00:26:04,404 --> 00:26:05,684
Did you get your picture by the MVP?
706
00:26:05,684 --> 00:26:07,684
Yes. I did. Of course. Hey. That's what
707
00:26:07,765 --> 00:26:10,085
Were you on the MVP? So the wall's
708
00:26:10,085 --> 00:26:12,404
curvy. Right? Yeah. But if you're on one
709
00:26:12,404 --> 00:26:14,424
end of it, you can't see the MVP
710
00:26:14,484 --> 00:26:17,470
logo and your name because it's curved. Thank
711
00:26:17,470 --> 00:26:18,369
you for that.
712
00:26:19,230 --> 00:26:20,990
I am down in the corner. You're down
713
00:26:20,990 --> 00:26:22,829
in the corner? Yeah. Let's go down. The
714
00:26:22,990 --> 00:26:24,349
okay. So you're in front so you can
715
00:26:24,349 --> 00:26:26,109
see the MVP logo when you're by your
716
00:26:26,109 --> 00:26:28,429
name? Nope. Oh, you're down to, like, around
717
00:26:28,429 --> 00:26:29,950
the corner. Yes. I'm around the corner. Oh,
718
00:26:29,950 --> 00:26:32,715
I'm sorry. Yeah. No. I can actually oh.
719
00:26:32,715 --> 00:26:34,875
And now that I'm thinking about it, maybe
720
00:26:34,875 --> 00:26:36,555
I just took it from the wrong side,
721
00:26:36,555 --> 00:26:37,615
the picture. Yeah.
722
00:26:38,715 --> 00:26:40,154
Oh, man. I need to go ahead and
723
00:26:40,154 --> 00:26:41,035
check. We'll go back and do that. Yeah.
724
00:26:41,035 --> 00:26:42,795
We'll go back. Any other highlights from Ignite?
725
00:26:42,795 --> 00:26:45,089
Like, what have you despite some of the
726
00:26:45,089 --> 00:26:47,250
differences with it being out here, what have
727
00:26:47,250 --> 00:26:49,029
you enjoyed from being out here? Highlights?
728
00:26:49,890 --> 00:26:52,769
Like social or really Ignite stuff? Anything. I
729
00:26:52,769 --> 00:26:54,450
like the city. I like the tourist stuff.
730
00:26:54,450 --> 00:26:56,529
It's my first time in San Francisco. I
731
00:26:56,529 --> 00:26:57,015
like it.
732
00:26:58,055 --> 00:27:00,055
Certain areas you have to avoid, of course.
733
00:27:00,055 --> 00:27:02,375
Yeah. But I'm guessing that's normal probably in
734
00:27:02,375 --> 00:27:04,454
each city. And it's normal. I would say
735
00:27:04,454 --> 00:27:06,695
in Jacksonville, it's normal. Like, there's areas of
736
00:27:06,695 --> 00:27:07,195
Jacksonville.
737
00:27:07,575 --> 00:27:10,214
There's areas it's been in Orlando before. There's
738
00:27:10,214 --> 00:27:11,835
areas of Orlando you should avoid.
739
00:27:12,150 --> 00:27:14,630
Chicago, it's been in there are absolutely areas
740
00:27:14,710 --> 00:27:16,789
I grew up close to Chicago. There's absolutely
741
00:27:16,789 --> 00:27:18,789
areas of Chicago you just do not go
742
00:27:18,789 --> 00:27:21,269
into. I've had friends that were escorted by
743
00:27:21,269 --> 00:27:21,769
police
744
00:27:22,070 --> 00:27:23,450
out of areas of Chicago
745
00:27:24,434 --> 00:27:26,554
because it was so dangerous. But Yeah. Okay.
746
00:27:26,755 --> 00:27:29,154
Anyways, that's beside the point. You you've enjoyed
747
00:27:29,154 --> 00:27:31,075
some of the tourists walking up. So did
748
00:27:31,075 --> 00:27:32,694
you get out to, like, Pier 39?
749
00:27:32,755 --> 00:27:34,534
Yeah. I've I've been I've been all over.
750
00:27:35,394 --> 00:27:37,575
Alright. What about from Ignite? Any highlights
751
00:27:38,700 --> 00:27:39,679
from the conference?
752
00:27:40,299 --> 00:27:42,539
I actually liked the keynote. It was fun.
753
00:27:42,539 --> 00:27:43,759
Was it? Yeah.
754
00:27:44,299 --> 00:27:46,140
I mean, it was a bit high level.
755
00:27:46,140 --> 00:27:48,700
Some it wasn't technical and that Yeah. Keynotes
756
00:27:48,700 --> 00:27:50,480
never are. No. So
757
00:27:50,804 --> 00:27:53,204
I liked it on a marketing level. Alright.
758
00:27:53,204 --> 00:27:54,664
Have you had fun with the labs?
759
00:27:55,044 --> 00:27:57,625
Oh, yeah. Well, you know how it went.
760
00:27:57,845 --> 00:27:59,845
I had fun today. You have fun today
761
00:27:59,845 --> 00:28:02,404
with the labs. Today? The labs actually worked
762
00:28:02,404 --> 00:28:04,424
today. Okay. Yeah. We had issues
763
00:28:04,859 --> 00:28:07,019
because getting back from the keynote because it
764
00:28:07,019 --> 00:28:10,380
was thirty minute drive away. Yep. So people
765
00:28:10,380 --> 00:28:12,640
getting back in time for the first labs
766
00:28:12,859 --> 00:28:15,019
when the conference started, really started after the
767
00:28:15,019 --> 00:28:17,900
keynote. They didn't because there were traffic jams
768
00:28:17,900 --> 00:28:19,440
and Okay. People were late.
769
00:28:19,819 --> 00:28:22,515
And what you what even what's more worse
770
00:28:22,515 --> 00:28:25,474
is that the Cloudflare incident happened that day.
771
00:28:25,474 --> 00:28:28,275
Yes. So that meant all the labs were
772
00:28:28,275 --> 00:28:30,755
in hosted in GitHub, and the repos were
773
00:28:30,755 --> 00:28:33,794
down, couldn't be accessed. So our instructions for
774
00:28:33,794 --> 00:28:35,154
our labs were Got
775
00:28:35,929 --> 00:28:37,929
it's funny because it went down and everybody's
776
00:28:37,929 --> 00:28:40,009
like, but GitHub's a Microsoft company. Why are
777
00:28:40,009 --> 00:28:42,829
these in Cloudflare and not, like, Azure? Yeah.
778
00:28:42,970 --> 00:28:44,890
Yeah. The front door. It is what it
779
00:28:44,890 --> 00:28:46,410
is. It is. I would say like, I
780
00:28:46,410 --> 00:28:47,929
proctored labs too, and I would say that's
781
00:28:47,929 --> 00:28:49,769
been one of the highlights. And even talking
782
00:28:49,769 --> 00:28:50,250
to people
783
00:28:50,765 --> 00:28:52,125
and we've talked about it before, I think,
784
00:28:52,125 --> 00:28:54,205
in the podcast, for Ignite has a little
785
00:28:54,205 --> 00:28:55,725
bit more of a sales feel and less
786
00:28:55,725 --> 00:28:57,884
of a technical feel. But I think the
787
00:28:57,884 --> 00:28:58,384
labs,
788
00:28:58,684 --> 00:29:01,265
I would say, are a well kept secret,
789
00:29:01,485 --> 00:29:03,404
but the labs I've been in have been,
790
00:29:03,404 --> 00:29:06,369
like, jam packed with people. Yeah. Is if
791
00:29:06,369 --> 00:29:08,289
you're gonna come to a future Ignite, because
792
00:29:08,289 --> 00:29:10,230
this is gonna come out after Ignite's been
793
00:29:10,369 --> 00:29:12,529
said and done this year, and you want
794
00:29:12,529 --> 00:29:13,509
more technical
795
00:29:14,130 --> 00:29:16,849
content, I would actually recommend going and doing
796
00:29:16,849 --> 00:29:19,009
the labs for a couple of reasons. One,
797
00:29:19,009 --> 00:29:21,694
yeah, they're click, like, it's the click click.
798
00:29:21,694 --> 00:29:23,954
Right? You follow the instructions, click through,
799
00:29:24,255 --> 00:29:26,115
but you do get to get your hands
800
00:29:26,494 --> 00:29:26,994
on
801
00:29:27,295 --> 00:29:28,755
more technical aspects
802
00:29:29,055 --> 00:29:30,815
than maybe you would learn about if you
803
00:29:30,815 --> 00:29:32,894
went to a session. Yeah. And the other
804
00:29:32,894 --> 00:29:34,414
thing I would say is I don't know
805
00:29:34,414 --> 00:29:36,809
about your lab. My labs, it's the product
806
00:29:36,809 --> 00:29:38,809
group for the features. I've been doing identity
807
00:29:38,809 --> 00:29:39,309
governance.
808
00:29:39,849 --> 00:29:41,929
So I had, like, the product manager for
809
00:29:41,929 --> 00:29:45,549
PIM and one of the product managers for
810
00:29:46,250 --> 00:29:48,250
can't remember if it was for Entra, but
811
00:29:48,250 --> 00:29:50,650
it was different product managers for the products
812
00:29:50,650 --> 00:29:53,024
involved in ID governance. So if you had
813
00:29:53,024 --> 00:29:55,125
questions about the products,
814
00:29:55,504 --> 00:29:57,184
like, it was a great way after the
815
00:29:57,184 --> 00:29:59,664
labs or even during the labs Yeah. To
816
00:29:59,664 --> 00:30:01,365
be able to talk to the people
817
00:30:02,144 --> 00:30:04,224
that are in charge of these different features.
818
00:30:04,224 --> 00:30:05,984
Yes. Was that your experience too in your
819
00:30:06,065 --> 00:30:07,880
Yes. Lab? It was. Because,
820
00:30:08,740 --> 00:30:12,039
our guys also were close to MDE team.
821
00:30:12,099 --> 00:30:14,740
Okay. So, yeah, it was Defender related, but
822
00:30:14,740 --> 00:30:16,680
mostly MDO and MDE
823
00:30:17,299 --> 00:30:19,720
stuff were was were in our labs.
824
00:30:20,180 --> 00:30:21,000
But, yeah,
825
00:30:21,585 --> 00:30:23,345
it was a pleasure seeing it because our
826
00:30:23,345 --> 00:30:25,585
labs were also full and the capacity was
827
00:30:25,585 --> 00:30:27,284
around 115
828
00:30:27,424 --> 00:30:30,304
as I recall in our room. Yeah. And,
829
00:30:30,784 --> 00:30:32,784
I'm going back in just a second when
830
00:30:32,784 --> 00:30:34,650
we are done for the last. That's gonna
831
00:30:34,650 --> 00:30:36,509
be the fourth of the labs. Right?
832
00:30:37,049 --> 00:30:39,390
And it's also sold out. So
833
00:30:39,930 --> 00:30:42,029
people really like the labs, but sometimes
834
00:30:42,570 --> 00:30:44,970
they go down and they then people leave.
835
00:30:44,970 --> 00:30:46,430
Yeah. It walkouts
836
00:30:46,809 --> 00:30:48,430
rarely, but it happened again
837
00:30:48,884 --> 00:30:50,105
yesterday because
838
00:30:50,484 --> 00:30:53,285
our tenant provisioning didn't work. So people were
839
00:30:53,285 --> 00:30:55,525
just yeah. We're gonna go with lessons learned,
840
00:30:55,525 --> 00:30:56,884
and then if you're listening to this now,
841
00:30:56,884 --> 00:30:59,285
next year will be better because they've learned
842
00:30:59,285 --> 00:31:01,125
some less I think they've learned some lessons
843
00:31:01,125 --> 00:31:02,404
this year. And I would say even as
844
00:31:02,404 --> 00:31:04,809
the week's gone on, they've learned some lessons
845
00:31:04,809 --> 00:31:07,630
about it's I mean, it's not easy. Capacity
846
00:31:07,690 --> 00:31:09,149
in here is 115,
847
00:31:09,369 --> 00:31:11,130
but there's I don't know how many labs.
848
00:31:11,130 --> 00:31:12,970
There's probably 10 or 15 labs going on
849
00:31:12,970 --> 00:31:13,470
simultaneously.
850
00:31:14,169 --> 00:31:14,909
Yep. Precisely.
851
00:31:15,210 --> 00:31:17,154
That's like 1,500
852
00:31:17,154 --> 00:31:18,615
tenants getting provisioned
853
00:31:18,914 --> 00:31:20,595
to these labs at the same time. It's
854
00:31:20,595 --> 00:31:21,095
not
855
00:31:21,475 --> 00:31:22,215
an insignificant
856
00:31:22,674 --> 00:31:24,674
feat to do something like that. And it's
857
00:31:24,674 --> 00:31:26,835
a fully live tenant, right, in our labs?
858
00:31:26,835 --> 00:31:28,375
So it's 115
859
00:31:28,835 --> 00:31:29,654
live tenants
860
00:31:30,289 --> 00:31:33,109
spinning up. Yeah. Yeah. It's complicated.
861
00:31:33,410 --> 00:31:36,210
Yeah. For sure. Awesome. Well, thanks, Henrik. Thanks
862
00:31:36,210 --> 00:31:37,650
for joining me. I know you have a
863
00:31:37,650 --> 00:31:39,650
lab to get to. Yes. Thanks. I might
864
00:31:39,650 --> 00:31:41,009
go down to the hub and try to
865
00:31:41,009 --> 00:31:43,809
find more swag. Yeah. See what I can
866
00:31:43,809 --> 00:31:44,869
come up with. Yeah.
867
00:31:45,315 --> 00:31:47,734
Glad that we've talked about doing this for
868
00:31:48,274 --> 00:31:50,355
A long time. A long time. We yeah.
869
00:31:50,355 --> 00:31:52,595
At MVP Summit or other Ignites, and it
870
00:31:52,595 --> 00:31:54,914
just it hasn't worked out. You got sick
871
00:31:54,914 --> 00:31:57,730
once on me. Yeah. But glad we could
872
00:31:57,730 --> 00:31:59,349
sit down and do it here at Ignite.
873
00:31:59,409 --> 00:31:59,909
And
874
00:32:00,369 --> 00:32:02,450
Yeah. Same to you. It was nice doing
875
00:32:02,450 --> 00:32:04,609
it. Alright. Well, thanks. Yeah. Glad you enjoyed
876
00:32:04,609 --> 00:32:05,890
it. Hope you enjoy your lab and the
877
00:32:05,890 --> 00:32:07,730
rest of Ignite. And Yes. I hope you
878
00:32:07,730 --> 00:32:09,809
get some swag. Thanks. And hopefully, we'll catch
879
00:32:09,809 --> 00:32:12,345
up again soon. Yeah. Bye. Bye
880
00:32:14,345 --> 00:32:16,825
bye. If you enjoyed the podcast, go leave
881
00:32:16,825 --> 00:32:18,904
us a five star rating in iTunes. It
882
00:32:18,904 --> 00:32:20,585
helps to get the word out so more
883
00:32:20,585 --> 00:32:22,904
IT pros can learn about Office 365
884
00:32:22,904 --> 00:32:23,804
and Azure.
885
00:32:24,265 --> 00:32:25,944
If you have any questions you want us
886
00:32:25,944 --> 00:32:28,160
to address on the show, or feedback about
887
00:32:28,160 --> 00:32:30,480
the show, feel free to reach out via
888
00:32:30,480 --> 00:32:33,759
our website, Twitter, or Facebook. Thanks again for
889
00:32:33,759 --> 00:32:35,380
listening, and have a great day.