1 00:00:03,600 --> 00:00:05,759 Welcome to episode 412 2 00:00:05,759 --> 00:00:08,820 of the Microsoft Cloud IT Pro podcast recorded 3 00:00:08,880 --> 00:00:11,460 live on 10/03/2025. 4 00:00:11,599 --> 00:00:14,000 This is a show about Microsoft 365 5 00:00:14,000 --> 00:00:16,125 and Azure from the perspective of IT 6 00:00:16,125 --> 00:00:18,364 pros and end users, where we discuss a 7 00:00:18,364 --> 00:00:20,605 topic or recent news and how it relates 8 00:00:20,605 --> 00:00:23,484 to you. Microsoft Sentinel gets its own data 9 00:00:23,484 --> 00:00:26,765 lake, graph, and MCP server, and we have 10 00:00:26,765 --> 00:00:29,085 all the details. Whether you're a seasoned SOC 11 00:00:29,085 --> 00:00:31,929 analyst or just getting started with cloud security, 12 00:00:32,070 --> 00:00:34,070 you don't want to miss the powerful new 13 00:00:34,070 --> 00:00:37,770 ways to detect threats, investigate incidents, and understand 14 00:00:37,829 --> 00:00:41,289 your security posture that these new features offer. 15 00:00:43,510 --> 00:00:45,350 I have a problem, Scott. Is that the 16 00:00:45,350 --> 00:00:47,655 first thing to having a problem is admitting 17 00:00:47,655 --> 00:00:49,335 you have a problem? It's part of the 18 00:00:49,335 --> 00:00:51,414 steps. Yeah. Oh, weird. Now Teams is kinda 19 00:00:51,414 --> 00:00:52,774 doing it for me, but I only see 20 00:00:52,774 --> 00:00:54,554 it in Teams, like, with your video. 21 00:00:56,295 --> 00:00:59,494 Microsoft is gonna Microsoft. No. I squirrel yeah. 22 00:00:59,494 --> 00:01:01,034 Squirrel. Logitech MX 23 00:01:01,469 --> 00:01:03,950 Master four came out the other day, and 24 00:01:03,950 --> 00:01:05,310 I may have bought two, like, the day 25 00:01:05,310 --> 00:01:06,909 it came out for same day delivery on 26 00:01:06,909 --> 00:01:08,450 Amazon. I have a problem. 
27 00:01:10,030 --> 00:01:11,709 I needed one for my desk and one 28 00:01:11,709 --> 00:01:13,150 for when I'm not at my desk. Okay. 29 00:01:13,150 --> 00:01:15,170 So you're gonna be living that haptic 30 00:01:15,734 --> 00:01:16,715 mouse lifestyle, 31 00:01:17,174 --> 00:01:18,935 I'm looking at my mouse as I talk 32 00:01:18,935 --> 00:01:21,114 about it. The haptic to me is like, 33 00:01:21,814 --> 00:01:23,494 whatever. I like the way they move the 34 00:01:23,494 --> 00:01:26,215 button though because I had the Logitech MX 35 00:01:26,215 --> 00:01:27,814 Master three s two, and they had, like, 36 00:01:27,814 --> 00:01:29,334 the thumb button that was like under your 37 00:01:29,334 --> 00:01:31,209 thumb knuckle, and that was just a weird 38 00:01:31,209 --> 00:01:32,810 motion for me to push down on the 39 00:01:32,810 --> 00:01:34,810 thumb knuckle. They kinda moved it up so 40 00:01:34,810 --> 00:01:36,729 you can now push in with your thumb 41 00:01:36,729 --> 00:01:39,229 to get that button, which is kinda nice. 42 00:01:39,289 --> 00:01:40,429 But I'm still 43 00:01:41,129 --> 00:01:43,314 it feels different than the three s, and 44 00:01:43,314 --> 00:01:45,314 I've seen some other comments about this. I 45 00:01:45,314 --> 00:01:47,734 don't know if it's a little bit thinner 46 00:01:47,795 --> 00:01:49,174 or if it's not the rubbery. 47 00:01:49,474 --> 00:01:51,314 But do you when you use a mouse, 48 00:01:51,314 --> 00:01:53,155 do you, like, squeeze it and pick it 49 00:01:53,155 --> 00:01:54,674 up sometimes and move it around on your 50 00:01:54,674 --> 00:01:56,834 desk because you run into your keyboard or 51 00:01:56,834 --> 00:01:57,575 run into 52 00:01:58,030 --> 00:01:59,490 something else on your desk. 53 00:02:00,030 --> 00:02:02,049 All the time. I couldn't tell you why. 54 00:02:02,189 --> 00:02:05,469 That feels different on this mouse, and it's, 55 00:02:05,469 --> 00:02:07,630 like, not as comfortable different. 
Like, it's a 56 00:02:07,630 --> 00:02:09,710 little bit harder for me to grab and 57 00:02:09,710 --> 00:02:12,144 pick up, and I couldn't tell you exactly 58 00:02:12,144 --> 00:02:13,504 why. I'd have to, like, get them and 59 00:02:13,504 --> 00:02:15,185 put them side by side. But I've seen 60 00:02:15,185 --> 00:02:17,424 some other people make some similar comments about 61 00:02:17,424 --> 00:02:20,305 it. I've got a three an MX Master 62 00:02:20,305 --> 00:02:22,704 three and a three s, and because same 63 00:02:22,704 --> 00:02:25,025 thing. Like, hey, like day mouse, night mouse, 64 00:02:25,025 --> 00:02:25,525 or 65 00:02:25,870 --> 00:02:27,389 you need one in your backpack when you 66 00:02:27,389 --> 00:02:29,550 travel, things like that. I don't like how 67 00:02:29,550 --> 00:02:31,629 the rubber always, like, gives way on them, 68 00:02:31,629 --> 00:02:33,710 and they are actually kind of big. So 69 00:02:33,710 --> 00:02:35,230 I think what I'm gonna do is rather 70 00:02:35,230 --> 00:02:36,370 than go into the MX4, 71 00:02:36,830 --> 00:02:38,189 I'm gonna go to maybe one of, like, 72 00:02:38,189 --> 00:02:40,805 the gaming mice, like a high DPI gaming 73 00:02:40,805 --> 00:02:42,745 mouse, and so so Logitech 74 00:02:43,284 --> 00:02:45,525 has some of those as well. And then 75 00:02:45,525 --> 00:02:49,305 my honestly, my biggest nit about the MX 76 00:02:49,365 --> 00:02:49,865 Master 77 00:02:50,485 --> 00:02:52,085 in general is, like, it's got, like, great 78 00:02:52,085 --> 00:02:55,090 ergonomics with this, like, slant on the front 79 00:02:55,090 --> 00:02:57,330 of it. But the slant for the right 80 00:02:57,330 --> 00:02:57,830 button, 81 00:02:58,129 --> 00:03:00,689 it slides right underneath the charging mat for 82 00:03:00,689 --> 00:03:02,849 my Ember Mug. 
So, like, if I'm sliding 83 00:03:02,849 --> 00:03:04,370 my hand up because I'm gonna go grab 84 00:03:04,370 --> 00:03:05,969 my coffee and then but then I've got 85 00:03:05,969 --> 00:03:07,490 my mouse there too, and I'm just gonna, 86 00:03:07,490 --> 00:03:09,754 like, park my mouse up there, It gets 87 00:03:09,754 --> 00:03:12,094 all the way up, and it goes underneath, 88 00:03:12,314 --> 00:03:13,514 like, the little charging 89 00:03:14,314 --> 00:03:16,314 like, the charging pad for the ember mug 90 00:03:16,314 --> 00:03:17,995 kinda thing. And then it gets stuck there 91 00:03:17,995 --> 00:03:20,814 or it just clicks, and every single time. 92 00:03:21,819 --> 00:03:23,020 So I need a mouse that's, like, a 93 00:03:23,020 --> 00:03:25,419 little bit taller or where both the buttons 94 00:03:25,419 --> 00:03:27,340 are shorter, and then I can just I 95 00:03:27,340 --> 00:03:29,659 can live a different life. First world problems 96 00:03:29,659 --> 00:03:31,500 when your mouse and your It's hard to 97 00:03:31,500 --> 00:03:34,235 be over here. Yeah. First world problems, for 98 00:03:34,235 --> 00:03:36,395 sure. Your ember mug and your mouse are 99 00:03:36,395 --> 00:03:38,555 not compatible. They're not. Yeah. So the one 100 00:03:38,555 --> 00:03:40,875 thing I like, I've tried other mice before. 101 00:03:40,875 --> 00:03:43,514 I've played with different ones. I haven't looked 102 00:03:43,514 --> 00:03:45,034 enough at the gaming mice. Do any of 103 00:03:45,034 --> 00:03:46,655 the gaming mice have the horizontal 104 00:03:47,194 --> 00:03:47,694 scroll 105 00:03:48,395 --> 00:03:50,239 it's not real I guess it's a scroll 106 00:03:50,239 --> 00:03:51,939 wheel, the horizontal scroll 107 00:03:52,400 --> 00:03:54,479 wheel thing on them. Some do. 
So I've 108 00:03:54,479 --> 00:03:56,400 mostly looked at, like, the not I'm not 109 00:03:56,400 --> 00:03:58,159 talking all about, like, a Razer gaming mouse, 110 00:03:58,159 --> 00:04:00,479 but Logitech makes, like, a G series. So 111 00:04:00,479 --> 00:04:01,759 if you go look at, like, the G 112 00:04:01,759 --> 00:04:03,439 series, they have the same thing with the 113 00:04:03,439 --> 00:04:04,685 infinite scroll 114 00:04:05,784 --> 00:04:07,885 and all they have a lot of similarities 115 00:04:08,504 --> 00:04:11,325 to the MX masters just without 116 00:04:11,784 --> 00:04:13,004 the ergonomics 117 00:04:13,305 --> 00:04:13,805 slash 118 00:04:14,185 --> 00:04:16,585 productivity thing. And then I guess one other 119 00:04:16,585 --> 00:04:18,740 question for you before we move on. So 120 00:04:19,040 --> 00:04:20,180 Logitech makes 121 00:04:20,480 --> 00:04:20,980 absolutely 122 00:04:21,360 --> 00:04:25,120 horrible software. Like their software is the worst 123 00:04:25,120 --> 00:04:28,240 in Logi options and things like that. My 124 00:04:28,240 --> 00:04:30,480 understanding was for the MX4 and what I 125 00:04:30,480 --> 00:04:32,694 saw in the reviews was for that haptic 126 00:04:32,694 --> 00:04:35,574 trackpad with the little, like, pioneer ish circle 127 00:04:35,574 --> 00:04:37,894 that that that comes up, that requires Logi 128 00:04:37,894 --> 00:04:38,394 options. 129 00:04:38,855 --> 00:04:41,115 And I don't think I'm willing to reinstall 130 00:04:41,254 --> 00:04:43,574 Logi options on my Mac. Like, I've ripped 131 00:04:43,574 --> 00:04:45,415 it off so many times and just don't 132 00:04:45,415 --> 00:04:47,529 use it. 
See, I've always had it on 133 00:04:47,529 --> 00:04:48,029 because 134 00:04:48,330 --> 00:04:50,269 I use it for, like, my spotlight 135 00:04:50,730 --> 00:04:51,230 presenter 136 00:04:51,689 --> 00:04:52,189 and, 137 00:04:52,569 --> 00:04:55,610 yeah, I've just resigned myself to the fact 138 00:04:55,610 --> 00:04:57,769 that I need it on there. So but 139 00:04:57,769 --> 00:04:59,615 that is I've seen the same thing, and 140 00:04:59,615 --> 00:05:01,535 I've had Logi options, so I haven't tried 141 00:05:01,535 --> 00:05:02,915 it without it. But 142 00:05:03,375 --> 00:05:06,254 given how it works, it feels like it 143 00:05:06,254 --> 00:05:08,495 would not work without the software. But the 144 00:05:08,495 --> 00:05:10,495 rubber thing that you said, that's the other 145 00:05:10,495 --> 00:05:14,009 thing that people have not liked. Well, mixed 146 00:05:14,009 --> 00:05:16,089 reviews on it is that this one, they 147 00:05:16,089 --> 00:05:18,170 took away a lot of the rubber. It's 148 00:05:18,170 --> 00:05:20,810 much more hard plastic than rubber on the 149 00:05:20,810 --> 00:05:23,389 four. That's good though. Like, because the rubber 150 00:05:23,449 --> 00:05:25,209 the other thing is, like, if you I 151 00:05:25,209 --> 00:05:27,769 mean, if you just Mine looks Yeah. It's 152 00:05:27,769 --> 00:05:28,509 pretty bad. 153 00:05:28,985 --> 00:05:30,584 Like, I'd be willing to throw them out 154 00:05:30,584 --> 00:05:32,665 just based on the and you can't really 155 00:05:32,665 --> 00:05:34,745 clean them either. Like, they start to, like, 156 00:05:34,745 --> 00:05:36,745 eat away and disintegrate, and, yeah, they're just 157 00:05:36,745 --> 00:05:38,105 not Doctor. Because it's rubber. Like Doctor. Not 158 00:05:38,185 --> 00:05:39,865 Doctor. Whatever you'd use to clean it would 159 00:05:39,865 --> 00:05:42,745 disintegrate the rubber, make it worse, and yeah. 
160 00:05:42,745 --> 00:05:44,789 So it is much more hard plastic with 161 00:05:44,789 --> 00:05:47,189 the four. But it again, because of that, 162 00:05:47,189 --> 00:05:48,550 I'm so used to the rubber on the 163 00:05:48,550 --> 00:05:50,550 three s. It does it just feels different, 164 00:05:50,550 --> 00:05:51,909 and that might even be part of the 165 00:05:51,909 --> 00:05:54,409 grip thing as it just isn't as sticky. 166 00:05:54,550 --> 00:05:55,750 I don't know. I don't know if you 167 00:05:55,750 --> 00:05:57,269 want your mouse to be sticky or if 168 00:05:57,269 --> 00:05:58,949 that's just gross if you have a sticky 169 00:05:58,949 --> 00:06:01,194 mouse. Not the way that you said sticky 170 00:06:01,334 --> 00:06:03,274 the first time, but, you you know. 171 00:06:04,055 --> 00:06:05,735 Yeah. Okay. New mice are out there. So 172 00:06:05,735 --> 00:06:08,295 if anybody has a suggestion for Scott on 173 00:06:08,295 --> 00:06:10,954 a mouse that is not the MX Master 174 00:06:11,814 --> 00:06:13,814 four or the MX Master three or the 175 00:06:13,814 --> 00:06:16,269 three s, but, you you know, maybe something 176 00:06:16,269 --> 00:06:18,189 to move on to next. The other one 177 00:06:18,189 --> 00:06:20,529 I've been toying with, and not that I 178 00:06:20,829 --> 00:06:22,750 have it, I haven't had RSI for a 179 00:06:22,750 --> 00:06:25,709 long time, but thankfully, but I was thinking 180 00:06:25,709 --> 00:06:27,389 about, like, maybe going back to a vertical 181 00:06:27,389 --> 00:06:29,284 mouse for a little bit and trying some 182 00:06:29,284 --> 00:06:31,704 of that. Doesn't Keychron I feel like Keychron 183 00:06:32,004 --> 00:06:35,865 did Keychron make, like, an knockoff MX Master? 184 00:06:36,564 --> 00:06:39,064 They made something. Yeah. It's not that one. 185 00:06:39,125 --> 00:06:40,425 Yeah. They have some 186 00:06:40,805 --> 00:06:42,485 I haven't tried theirs. 
This one, like, the 187 00:06:42,485 --> 00:06:44,550 Keychron m six 188 00:06:44,930 --> 00:06:47,430 wireless totally looks like a knockoff of the 189 00:06:47,490 --> 00:06:48,389 MX Master. 190 00:06:49,410 --> 00:06:51,730 Yeah. They've got some. Anyways, yes. Give Scott 191 00:06:51,730 --> 00:06:54,550 a suggestion. Reach out to Scott on LinkedIn. 192 00:06:54,770 --> 00:06:56,689 Let him know which mouse he should get, 193 00:06:56,689 --> 00:06:59,110 and we can talk about it. Alright. News. 194 00:06:59,224 --> 00:07:01,224 Your news, my news, all the news. We 195 00:07:01,224 --> 00:07:02,985 have, like I wouldn't say a bunch of 196 00:07:02,985 --> 00:07:04,904 news. There were I wasn't sure what I 197 00:07:04,904 --> 00:07:06,504 was gonna talk about, and then yesterday, there 198 00:07:06,504 --> 00:07:07,564 were a bunch of announcements 199 00:07:07,944 --> 00:07:09,865 around a certain topic that I was like, 200 00:07:09,865 --> 00:07:11,305 oh, this is fun. But then you had 201 00:07:11,305 --> 00:07:12,664 some too. What do you wanna talk about 202 00:07:12,664 --> 00:07:14,410 first? We start wherever 203 00:07:14,949 --> 00:07:16,550 you would like. You want to start on 204 00:07:16,550 --> 00:07:18,089 the Azure side or 205 00:07:18,389 --> 00:07:20,389 the M365 side? Or I guess kind of 206 00:07:20,389 --> 00:07:22,230 both, right? So you had some Sentinel stuff 207 00:07:22,230 --> 00:07:24,330 in there, but Yeah. Mine is more like 208 00:07:24,550 --> 00:07:26,709 crossover. It's all Sentinel stuff, which could be 209 00:07:26,709 --> 00:07:28,214 either or. Why don't we start with some 210 00:07:28,214 --> 00:07:30,055 Sentinel stuff and see where it takes us? 211 00:07:30,055 --> 00:07:32,134 The first one, this is one let me 212 00:07:32,134 --> 00:07:34,214 go up to here. Sentinel Data Lake. 
Have 213 00:07:34,214 --> 00:07:36,214 you seen how you can start, like, just 214 00:07:36,214 --> 00:07:37,894 turning on Sentinel now to go into Data 215 00:07:37,894 --> 00:07:39,574 Lake? This was in preview for the last 216 00:07:39,574 --> 00:07:41,735 couple months or so. Lots of services are 217 00:07:41,735 --> 00:07:44,319 starting to do this, right? They're taking their 218 00:07:44,379 --> 00:07:48,379 kinda their more formal structured data and then 219 00:07:48,379 --> 00:07:51,180 giving you the opportunity to, like, either export 220 00:07:51,180 --> 00:07:53,580 that structured data. So, like, maybe Yep. Like 221 00:07:53,580 --> 00:07:55,020 if Sentinel is being driven by a graph 222 00:07:55,020 --> 00:07:56,779 and a bunch of parquet files, things like 223 00:07:56,779 --> 00:07:58,675 that, or a Delta Lake, Delta Table in 224 00:07:58,675 --> 00:08:00,595 the background. Why not just let you push 225 00:08:00,595 --> 00:08:04,194 those artifacts over someplace else or also start 226 00:08:04,194 --> 00:08:06,995 to do, like, more granular exports and all 227 00:08:06,995 --> 00:08:08,675 sorts of good stuff like that? Like, got 228 00:08:08,675 --> 00:08:10,915 a storage account? Export. Here you go. I've 229 00:08:10,915 --> 00:08:12,355 had it in preview for a little bit, 230 00:08:12,355 --> 00:08:14,100 and I'm like, for what I have done 231 00:08:14,100 --> 00:08:15,540 so far with Sentinel, it didn't make a 232 00:08:15,540 --> 00:08:16,279 big difference, 233 00:08:16,740 --> 00:08:18,500 but I ran it in preview. Well, that 234 00:08:18,500 --> 00:08:22,100 is now GA'd. So yesterday, Septem well, not 235 00:08:22,100 --> 00:08:24,259 yesterday. This was September 30. A few days 236 00:08:24,259 --> 00:08:27,214 ago, beginning of the week, this Sentinel data 237 00:08:27,214 --> 00:08:28,435 lake is now 238 00:08:28,814 --> 00:08:31,395 generally available. 
So if you want to 239 00:08:31,855 --> 00:08:34,115 go turn that on, like, it's just a 240 00:08:34,174 --> 00:08:35,715 click click through 241 00:08:36,335 --> 00:08:36,835 the 242 00:08:37,215 --> 00:08:40,129 security center. So I don't think you can 243 00:08:40,129 --> 00:08:42,769 do this, and this ties back to one 244 00:08:42,769 --> 00:08:43,669 of our other announcements. 245 00:08:43,970 --> 00:08:45,809 If you go to Sentinel via Azure, like, 246 00:08:45,809 --> 00:08:47,009 if you go to Azure and search for 247 00:08:47,009 --> 00:08:47,509 Sentinel, 248 00:08:47,889 --> 00:08:51,264 I haven't seen this pop up there. But 249 00:08:51,264 --> 00:08:54,304 if you go to your security center in 250 00:08:54,464 --> 00:08:57,504 or Defender, I guess, security.microsoft.com, 251 00:08:57,504 --> 00:08:59,745 where Sentinel's gonna live down the road all 252 00:08:59,745 --> 00:09:00,804 the time anyways, 253 00:09:01,184 --> 00:09:03,345 you can go connect Sentinel there. And then 254 00:09:03,345 --> 00:09:05,904 once Sentinel's connected there, you get the option 255 00:09:05,904 --> 00:09:06,404 to 256 00:09:07,529 --> 00:09:10,169 go turn on data lake for Sentinel, and 257 00:09:10,169 --> 00:09:12,250 you still have to pick, like you're gonna 258 00:09:12,250 --> 00:09:13,769 still pay for it. You pick an Azure 259 00:09:13,769 --> 00:09:15,470 subscription, you pick a resource 260 00:09:15,850 --> 00:09:17,769 group, and click, and it goes and creates 261 00:09:17,769 --> 00:09:19,450 the data lake and wires it all up 262 00:09:19,450 --> 00:09:21,389 and connects it all. And 263 00:09:21,735 --> 00:09:23,735 based on what I've seen in Sentinel so 264 00:09:23,735 --> 00:09:25,195 far too, it isn't 265 00:09:25,654 --> 00:09:26,154 necessarily 266 00:09:26,774 --> 00:09:28,934 pushing it all over. 
Like, if I go 267 00:09:28,934 --> 00:09:31,014 look through Sentinel now, I have two different 268 00:09:31,014 --> 00:09:32,794 icons for some of my 269 00:09:33,174 --> 00:09:34,475 data tables in Sentinel, 270 00:09:34,850 --> 00:09:37,090 ones that are still in the typical log 271 00:09:37,090 --> 00:09:39,410 analytics and then a bunch of them that 272 00:09:39,410 --> 00:09:40,149 are now 273 00:09:40,690 --> 00:09:42,690 in Data Lake. Yeah. I think it'll be 274 00:09:42,690 --> 00:09:43,190 good. 275 00:09:43,730 --> 00:09:45,110 Certainly, there's there's 276 00:09:45,649 --> 00:09:48,450 there's that pesky cost component, right, of of 277 00:09:48,450 --> 00:09:50,325 being in the cloud and running those things 278 00:09:50,325 --> 00:09:53,384 through. So there's things that I think customers 279 00:09:54,084 --> 00:09:55,464 would want to do 280 00:09:55,845 --> 00:09:56,345 with 281 00:09:57,284 --> 00:09:58,504 longer term trends 282 00:09:58,884 --> 00:10:00,485 based on some of these things. So maybe 283 00:10:00,485 --> 00:10:03,524 like anomalous user logins over time is really 284 00:10:03,524 --> 00:10:05,700 nice for the past couple days, it's nice 285 00:10:05,700 --> 00:10:06,679 for the past month, 286 00:10:07,059 --> 00:10:08,899 it could be nice to go back six 287 00:10:08,899 --> 00:10:10,899 months or a year. Maybe you wanna track 288 00:10:10,899 --> 00:10:12,360 some kind of like a 289 00:10:12,899 --> 00:10:15,860 KPI for yourself to improve your business or 290 00:10:15,860 --> 00:10:17,379 make sure that you're moving in the right 291 00:10:17,379 --> 00:10:17,879 direction. 292 00:10:18,225 --> 00:10:21,664 So for these systems, things like Sentinel that 293 00:10:21,664 --> 00:10:25,184 are generating a large amount of what's really 294 00:10:25,184 --> 00:10:26,964 just time series driven data. 
295 00:10:27,345 --> 00:10:29,764 So here's a time, here's an event, and 296 00:10:29,985 --> 00:10:31,504 I'm sure the text of the event strippers, 297 00:10:31,504 --> 00:10:33,199 but to be able to go back in 298 00:10:33,199 --> 00:10:34,419 time over those things 299 00:10:34,959 --> 00:10:35,699 is important. 300 00:10:36,000 --> 00:10:38,399 And then it's also expensive to generate a 301 00:10:38,399 --> 00:10:40,000 bunch of time series data and have it 302 00:10:40,000 --> 00:10:42,319 just sitting there, especially in, like, some kind 303 00:10:42,319 --> 00:10:45,434 of, like, really hot, like, queryable 304 00:10:46,055 --> 00:10:48,774 thing. So Sentinel in the background, when you're 305 00:10:48,774 --> 00:10:51,495 writing, like, your queries, they're all KQL queries. 306 00:10:51,495 --> 00:10:53,095 Like, you don't have to go too high 307 00:10:53,415 --> 00:10:55,735 too far to imagine that, oh, it's just 308 00:10:55,735 --> 00:10:57,894 Azure Data Explorer in the back end, right, 309 00:10:57,894 --> 00:10:59,654 with with all that. So so you're dealing 310 00:10:59,654 --> 00:11:02,139 with those constraints and those things there. So 311 00:11:02,139 --> 00:11:04,379 it's nice to have the option to export 312 00:11:04,379 --> 00:11:07,259 it out, but then be able to continue 313 00:11:07,259 --> 00:11:09,179 to query it and do those things that 314 00:11:09,179 --> 00:11:11,839 you need to do, albeit with additional latency 315 00:11:12,059 --> 00:11:14,459 and things like that. But I think that's 316 00:11:14,459 --> 00:11:16,875 all good stuff. Gives customers 317 00:11:17,334 --> 00:11:18,154 more options 318 00:11:18,855 --> 00:11:21,674 and allows you also to do things like 319 00:11:21,735 --> 00:11:24,315 have these kinda longer term 320 00:11:24,774 --> 00:11:27,095 initiatives that you can actually track over time 321 00:11:27,095 --> 00:11:28,709 without having to, like, oh, no. 
I gotta 322 00:11:28,709 --> 00:11:30,149 export all the data for this month, right? 323 00:11:30,149 --> 00:11:31,750 Lay it in a spreadsheet, and if I 324 00:11:31,750 --> 00:11:33,029 don't do it next month or I do 325 00:11:33,029 --> 00:11:34,730 it on a different day, then it's inconsistent, 326 00:11:34,870 --> 00:11:36,870 things like that. That all goes away. Yeah. 327 00:11:36,870 --> 00:11:38,709 And there's some other updates that have come 328 00:11:38,709 --> 00:11:41,529 along with this. The whole article's there around 329 00:11:41,945 --> 00:11:44,365 different use cases for it, but some upgrades 330 00:11:44,464 --> 00:11:46,684 and benefits too when it comes 331 00:11:47,464 --> 00:11:50,264 to some of those enhancements around your notebooks 332 00:11:50,264 --> 00:11:51,004 in Sentinel. 333 00:11:51,784 --> 00:11:54,105 Yeah. Like you said, some cost benefits there 334 00:11:54,105 --> 00:11:55,084 to going into 335 00:11:55,705 --> 00:11:57,690 Data Lake. But then they also 336 00:11:58,330 --> 00:11:59,850 and this is what really caught my eye. 337 00:11:59,850 --> 00:12:01,370 Like, I was like, okay. Great. It went 338 00:12:01,370 --> 00:12:03,370 GA. But if you look on the GA 339 00:12:03,370 --> 00:12:03,870 announcement, 340 00:12:04,570 --> 00:12:07,049 it also you'll notice on the screen, and 341 00:12:07,049 --> 00:12:09,225 it talks about it in the announcement, they're 342 00:12:09,225 --> 00:12:11,725 also introducing some new platform capabilities 343 00:12:12,105 --> 00:12:15,384 built on Sentinel data lake. So once you 344 00:12:15,384 --> 00:12:17,144 get your data there, you're starting to do 345 00:12:17,144 --> 00:12:20,284 it, there is now a Sentinel graph. 346 00:12:20,585 --> 00:12:22,345 And we can talk about this. I've played 347 00:12:22,345 --> 00:12:24,629 with this a little bit. 
But then, also, 348 00:12:24,769 --> 00:12:28,049 an MCP server for Sentinel that's like a 349 00:12:28,049 --> 00:12:28,549 Microsoft 350 00:12:29,490 --> 00:12:32,370 native one. So we had talked about MCP 351 00:12:32,370 --> 00:12:35,490 servers a few episodes back, like the loca 352 00:12:35,490 --> 00:12:37,475 that Merrill had created. 353 00:12:37,934 --> 00:12:39,295 I think I mentioned I had gone out 354 00:12:39,295 --> 00:12:40,975 and found, like, a third party Sentinel one 355 00:12:40,975 --> 00:12:42,735 because I was like, oh, a Sentinel MCP 356 00:12:42,735 --> 00:12:44,815 server would be kinda cool. And we talked 357 00:12:44,815 --> 00:12:46,995 about some of the security concerns, and, ironically, 358 00:12:47,054 --> 00:12:49,295 like, a week ago, I sent you an 359 00:12:49,295 --> 00:12:49,795 article 360 00:12:50,654 --> 00:12:54,100 as well from the first malicious MCP server 361 00:12:54,100 --> 00:12:56,600 found where it was stealing emails and rogue 362 00:12:57,059 --> 00:12:57,799 rogue postmark 363 00:12:58,259 --> 00:13:00,179 settings, and we kinda talked about that. Right? 364 00:13:00,179 --> 00:13:02,019 Like, you go grab a third party MCP 365 00:13:02,019 --> 00:13:04,100 server without looking at the code. What is 366 00:13:04,100 --> 00:13:06,580 it doing? Obviously, something like Sentinel you wanna 367 00:13:06,580 --> 00:13:09,375 trust. So seeing Microsoft come out with this 368 00:13:09,434 --> 00:13:12,075 MCP server as well, that was all kind 369 00:13:12,075 --> 00:13:14,175 of rolled into Data Lakes, GA. 370 00:13:14,634 --> 00:13:16,394 Now you can go look at this graph 371 00:13:16,394 --> 00:13:19,274 in this MCP server as well if you 372 00:13:19,274 --> 00:13:22,019 wanna go swing over to Sentinel Data Lake. 
373 00:13:22,019 --> 00:13:24,339 I wonder over time, I don't know if 374 00:13:24,339 --> 00:13:26,579 I think things will continue to like kind 375 00:13:26,579 --> 00:13:29,620 of churn and consolidate still. So we've seen 376 00:13:29,620 --> 00:13:31,720 a bunch of this at least with the 377 00:13:32,334 --> 00:13:34,735 things like the Kusto MCP server. Like, there 378 00:13:34,735 --> 00:13:36,414 was a Kusto one, and then it got 379 00:13:36,414 --> 00:13:38,414 rolled into the Fabric one. Fabric one's out 380 00:13:38,414 --> 00:13:40,174 there. Now you have a a Sentinel one. 381 00:13:40,174 --> 00:13:42,575 You have all these different, like, flavors and 382 00:13:42,575 --> 00:13:45,294 variations as folks are chasing things. Like, I 383 00:13:45,294 --> 00:13:47,455 do wonder or and I also kinda hope 384 00:13:47,455 --> 00:13:49,910 over time that it does consolidate a little 385 00:13:49,910 --> 00:13:51,430 bit. I I I don't know how it's 386 00:13:51,430 --> 00:13:53,430 getting for you since we did that MCP 387 00:13:53,430 --> 00:13:56,090 episode. I just have more and more MCP 388 00:13:56,309 --> 00:13:58,550 servers that are, like, going in. And for 389 00:13:58,550 --> 00:14:01,269 every MCP server that's being added into my 390 00:14:01,269 --> 00:14:03,855 client that I'm working in that day, like 391 00:14:03,855 --> 00:14:05,855 VS Code, things like that, it's also getting 392 00:14:05,855 --> 00:14:06,674 really hard 393 00:14:08,014 --> 00:14:10,815 to wrangle the servers, especially the ones that 394 00:14:10,815 --> 00:14:13,774 have lots of tools associated with them. So 395 00:14:13,774 --> 00:14:15,695 I think the Azure MCP server is actually 396 00:14:15,695 --> 00:14:17,215 a good example of this because it's got, 397 00:14:17,215 --> 00:14:19,169 like, tools for a whole bunch of different 398 00:14:19,169 --> 00:14:19,990 Azure services. 
399 00:14:20,529 --> 00:14:22,690 And I think at one point, it had, 400 00:14:22,690 --> 00:14:24,690 like, 40 plus tools in it. So you're 401 00:14:24,690 --> 00:14:26,709 sitting here trying to figure out, like, okay. 402 00:14:26,769 --> 00:14:28,209 I'm having a chat with this LLM. I 403 00:14:28,209 --> 00:14:30,450 wanted to form out some knowledge to this 404 00:14:30,450 --> 00:14:32,230 MCP or this set of MCPs. 405 00:14:33,825 --> 00:14:35,424 But I now I need to be, like, 406 00:14:35,424 --> 00:14:36,865 really constrained and figure out how to get 407 00:14:36,865 --> 00:14:37,524 it into 408 00:14:38,065 --> 00:14:39,504 e even the right tool or the right 409 00:14:39,504 --> 00:14:41,745 space. So stuff like this is gonna I 410 00:14:41,745 --> 00:14:44,304 wonder, like, do you find it confusing in 411 00:14:44,304 --> 00:14:46,065 this world of saying, like, hey. I have 412 00:14:46,065 --> 00:14:48,700 an MCP for Sentinel, which is doing this 413 00:14:48,700 --> 00:14:50,480 graph thing. I have an MCP for 414 00:14:50,860 --> 00:14:52,940 the Microsoft Graph. I have an MCP for 415 00:14:52,940 --> 00:14:55,440 LearnDocs. I have an MCP for Kusto, 416 00:14:55,820 --> 00:14:58,539 like, all these different thing or Fabric. Right. 417 00:14:58,539 --> 00:15:00,879 Are are you finding that hard to rationalize 418 00:15:01,019 --> 00:15:03,174 along the way? Like, I've started like, I 419 00:15:03,174 --> 00:15:04,855 was just going in and, like, turning on 420 00:15:04,855 --> 00:15:06,855 all my MCP servers, like, every time I 421 00:15:06,855 --> 00:15:09,654 started VS Code, and now I'm actually being, 422 00:15:09,654 --> 00:15:12,054 like, more careful about that. Like, alright. Always 423 00:15:12,054 --> 00:15:14,054 gonna start, like, the learn docs one because 424 00:15:14,054 --> 00:15:15,894 that's easy. It's a remote server. Boom, boom, 425 00:15:15,894 --> 00:15:17,575 out Yeah. Out. No problem. 
But some of 426 00:15:17,575 --> 00:15:18,990 the other ones, like, you really do have 427 00:15:18,990 --> 00:15:21,353 to kinda pick and choose. But then it 428 00:15:21,353 --> 00:15:23,716 makes me wonder, alright. Great. I had to 429 00:15:23,716 --> 00:15:26,079 do that just to make my own life 430 00:15:26,079 --> 00:15:28,443 easier, but now what am I missing out 431 00:15:28,443 --> 00:15:30,806 on by not turning them all on? Do 432 00:15:30,806 --> 00:15:33,169 you feel overwhelmed by trying to manage your 433 00:15:33,169 --> 00:15:35,384 Office 365 environment? Are you 434 00:15:35,384 --> 00:15:38,684 facing unexpected issues that disrupt your company's productivity? 435 00:15:38,985 --> 00:15:40,904 Intelligink is here to help. Much like you 436 00:15:40,904 --> 00:15:42,825 take your car to the mechanic that has 437 00:15:42,825 --> 00:15:44,904 specialized knowledge on how to best keep your 438 00:15:44,904 --> 00:15:47,950 car running, Intelligink helps you with your Microsoft 439 00:15:48,009 --> 00:15:50,269 cloud environment because that's their expertise. 440 00:15:50,649 --> 00:15:52,889 Intelligink keeps up with the latest updates in 441 00:15:52,889 --> 00:15:55,129 the Microsoft cloud to help keep your business 442 00:15:55,129 --> 00:15:57,370 running smoothly and ahead of the curve. Whether 443 00:15:57,370 --> 00:15:59,370 you are a small organization with just a 444 00:15:59,370 --> 00:16:19,169 few users up to an organization liligink.com/podcast 445 00:16:19,549 --> 00:16:21,709 for more information or to schedule a thirty 446 00:16:21,709 --> 00:16:23,730 minute call to get started with them today. 447 00:16:24,029 --> 00:16:27,389 Remember, Intelligink focuses on the Microsoft cloud so 448 00:16:27,389 --> 00:16:29,024 you can focus on your business. 
449 00:16:31,585 --> 00:16:34,085 Some of that the other thing I've seen 450 00:16:34,384 --> 00:16:35,825 and I just ran into this the other 451 00:16:35,825 --> 00:16:37,585 day when I started playing with this MCP 452 00:16:37,585 --> 00:16:39,665 server, and we can go talk about this 453 00:16:39,665 --> 00:16:41,345 a little bit more. And how to turn 454 00:16:41,345 --> 00:16:43,605 this one on, because this was interesting, is 455 00:16:43,809 --> 00:16:45,970 I added this one and I went to 456 00:16:45,970 --> 00:16:49,509 go ask a query about Sentinel, and it 457 00:16:49,570 --> 00:16:50,070 hit 458 00:16:50,610 --> 00:16:53,330 my Lokka MCP server because I didn't at 459 00:16:53,330 --> 00:16:56,394 mention the specific MCP server. So there's that 460 00:16:56,394 --> 00:16:58,154 trade off to, like, what you said is, 461 00:16:58,154 --> 00:16:58,654 one, 462 00:16:59,115 --> 00:17:00,554 if you don't turn them all on, what 463 00:17:00,554 --> 00:17:02,075 are you missing? Or if you do turn 464 00:17:02,075 --> 00:17:03,615 them all on, as 465 00:17:03,995 --> 00:17:06,634 you ask AI questions, does it end up 466 00:17:06,634 --> 00:17:08,954 going to the wrong MCP server when you 467 00:17:08,954 --> 00:17:10,420 want it? Like, does it go to Graph 468 00:17:10,420 --> 00:17:11,700 when you want it to go pull from 469 00:17:11,700 --> 00:17:14,420 Sentinel? Or maybe it was just me. I 470 00:17:14,420 --> 00:17:15,940 had to be a little bit more specific 471 00:17:15,940 --> 00:17:16,680 in my query, 472 00:17:17,220 --> 00:17:17,700 but there's 473 00:17:18,580 --> 00:17:20,420 it is. One of them is just, how 474 00:17:20,420 --> 00:17:22,180 do I make sure I'm going to the 475 00:17:22,180 --> 00:17:24,204 right MCP server at the right time? 476 00:17:24,204 --> 00:17:25,825 How am I not missing out on it? 
477 00:17:26,045 --> 00:17:26,545 Absolutely 478 00:17:27,085 --> 00:17:29,724 an additional cognitive load there, I think, around 479 00:17:29,724 --> 00:17:32,545 MCP servers. And the other one I found, 480 00:17:32,605 --> 00:17:35,005 and this was the first time I've kinda 481 00:17:35,005 --> 00:17:37,769 hit this one, is when you go look 482 00:17:37,769 --> 00:17:40,430 at this MCP server for Sentinel, 483 00:17:40,890 --> 00:17:43,869 they only give you steps on how 484 00:17:44,650 --> 00:17:47,289 to leverage this one with Visual Studio Code. 485 00:17:47,289 --> 00:17:50,075 And this is a remote MCP server. It's 486 00:17:50,075 --> 00:17:54,015 sentinel.microsoft.com/mcpdataexploration. 487 00:17:54,634 --> 00:17:57,694 And I tried to go add this one 488 00:17:57,755 --> 00:17:58,255 to 489 00:17:58,954 --> 00:18:01,674 Claude, and I couldn't figure out a way 490 00:18:01,674 --> 00:18:02,430 to do it 491 00:18:02,830 --> 00:18:05,890 because it uses some it appears 492 00:18:06,509 --> 00:18:08,930 that it uses some of the underlying authentication 493 00:18:09,309 --> 00:18:09,809 mechanisms 494 00:18:10,190 --> 00:18:12,590 in Visual Studio Code. Like, if I go 495 00:18:12,590 --> 00:18:14,190 add this to Claude and try to query 496 00:18:14,190 --> 00:18:16,269 it, I don't get the prompts. Like, there's 497 00:18:16,269 --> 00:18:18,664 no way to, like, set up an authentication 498 00:18:18,805 --> 00:18:20,644 mechanism to it, no way to set up 499 00:18:20,644 --> 00:18:22,105 a service principal to it, 500 00:18:22,485 --> 00:18:24,585 nowhere to say, like, go enter a username 501 00:18:25,045 --> 00:18:27,384 that I could find or trigger in Claude.
502 00:18:27,605 --> 00:18:29,045 But when you go add it to Visual 503 00:18:29,045 --> 00:18:30,585 Studio Code and 504 00:18:31,150 --> 00:18:32,829 the first time you add it, it's like, 505 00:18:32,829 --> 00:18:35,069 oh, go log in to your Microsoft three 506 00:18:35,069 --> 00:18:37,549 sixty five tenant with your account. And I 507 00:18:37,549 --> 00:18:39,549 think there's some things going on there where 508 00:18:39,549 --> 00:18:40,769 I couldn't actually 509 00:18:41,150 --> 00:18:44,210 add this to anything but Visual Studio Code. 510 00:18:44,484 --> 00:18:44,984 And 511 00:18:45,524 --> 00:18:47,464 then obviously you have to have 512 00:18:47,845 --> 00:18:50,644 GitHub Copilot in order to use it versus 513 00:18:50,644 --> 00:18:52,884 using another LLM that I have. It's hard. 514 00:18:52,884 --> 00:18:54,264 Like there's niceties 515 00:18:55,204 --> 00:18:56,345 to being in 516 00:18:57,044 --> 00:18:57,544 these 517 00:18:57,849 --> 00:19:01,049 systems that do require, like, authentication authorization, like, 518 00:19:01,049 --> 00:19:02,169 just to be able to do, like, the 519 00:19:02,169 --> 00:19:04,190 quick, like, fire and forget to enter, 520 00:19:04,649 --> 00:19:07,069 do your sign in, OAuth end to end 521 00:19:07,369 --> 00:19:09,369 all the way. So typically in, like, at 522 00:19:09,369 --> 00:19:11,049 least the way it works in, like, the 523 00:19:11,049 --> 00:19:11,549 SDKs 524 00:19:12,494 --> 00:19:14,494 for Azure and things like that is there 525 00:19:14,575 --> 00:19:16,835 there's a class in the identity SDK 526 00:19:17,375 --> 00:19:19,694 that composes an object, and it's called default 527 00:19:19,694 --> 00:19:22,255 Azure credential.
And it's just this magical thing 528 00:19:22,255 --> 00:19:24,414 where, like, you you put, I wanna use 529 00:19:24,414 --> 00:19:27,519 default Azure credential to sign in, and then 530 00:19:27,519 --> 00:19:29,279 it just kinda figures out based on the 531 00:19:29,279 --> 00:19:31,119 client it's on. Like, you so you can 532 00:19:31,119 --> 00:19:32,099 write, like, an application, 533 00:19:32,480 --> 00:19:34,400 say, with, like, the .NET SDK for 534 00:19:34,400 --> 00:19:36,400 Azure for any Azure service, and say, I 535 00:19:36,400 --> 00:19:39,119 wanna use default Azure credential. You put throw 536 00:19:39,519 --> 00:19:41,904 compile it as an executable, throw that executable 537 00:19:42,125 --> 00:19:43,345 on an Azure VM, 538 00:19:43,884 --> 00:19:45,184 and it will, 539 00:19:45,565 --> 00:19:47,884 like, automatically know that, hey, I'm on a 540 00:19:47,884 --> 00:19:49,265 VM in Azure, and 541 00:19:49,884 --> 00:19:52,065 I should try MSI authentication, 542 00:19:52,819 --> 00:19:54,339 and try and come through that way. Oh, 543 00:19:54,339 --> 00:19:56,579 MSI failed. Okay. Let me pop up a 544 00:19:56,579 --> 00:19:59,059 user prompt and come through. So sometimes it's 545 00:19:59,059 --> 00:20:01,059 the way, like, developers are building them, Randall. 546 00:20:01,059 --> 00:20:02,660 Like, so if they use something like default 547 00:20:02,660 --> 00:20:03,480 Azure credential, 548 00:20:04,019 --> 00:20:06,900 then it's got, like, that weird underlying behavior, 549 00:20:06,900 --> 00:20:08,579 which has a bunch of niceties to it, 550 00:20:08,579 --> 00:20:10,154 but you kinda gotta, like, know how the 551 00:20:10,154 --> 00:20:12,634 niceties work and how to land your app 552 00:20:12,634 --> 00:20:13,534 in the right place.
553 00:20:13,835 --> 00:20:16,075 So I wonder if it's some of that 554 00:20:16,075 --> 00:20:16,815 kind of stuff 555 00:20:17,355 --> 00:20:19,934 over just being, like, it's not, like, malicious 556 00:20:20,075 --> 00:20:20,575 intent 557 00:20:20,960 --> 00:20:23,039 to lock you out. It's like, hey. There's 558 00:20:23,039 --> 00:20:24,980 this ecosystem of stuff, and 559 00:20:25,440 --> 00:20:28,480 the people building the stuff also kinda leverage 560 00:20:28,480 --> 00:20:29,380 the same ecosystem. 561 00:20:30,079 --> 00:20:31,700 So while you're out there 562 00:20:32,000 --> 00:20:34,960 maybe saying, hey. I'm an Azure customer. Okay. 563 00:20:34,960 --> 00:20:37,015 Hey. We're all Azure customers. I hope We're 564 00:20:37,015 --> 00:20:39,255 all out there building our services on top 565 00:20:39,255 --> 00:20:41,734 of these things as well and building these 566 00:20:41,734 --> 00:20:42,234 capabilities 567 00:20:42,535 --> 00:20:44,775 and all that out there. So it could 568 00:20:44,775 --> 00:20:47,414 also be things like the clients are also 569 00:20:47,414 --> 00:20:50,375 in in various states. So the Claude desktop 570 00:20:50,375 --> 00:20:50,875 client 571 00:20:51,349 --> 00:20:52,650 is constantly iterating, 572 00:20:53,430 --> 00:20:55,690 as is, like, the desktop client for Perplexity, 573 00:20:55,830 --> 00:20:57,990 for Copilot, for ChatGPT, all the all these 574 00:20:57,990 --> 00:20:59,509 things. Right? Like, every single day they get 575 00:20:59,509 --> 00:21:01,269 an update, they might just need to update 576 00:21:01,269 --> 00:21:02,730 to allow things like 577 00:21:03,109 --> 00:21:04,565 the pop ups for authentication 578 00:21:04,944 --> 00:21:07,184 and everything else that comes through there. The 579 00:21:07,184 --> 00:21:09,105 other place this will integrate to is Security 580 00:21:09,105 --> 00:21:11,664 Copilot. Like, they also mentioned that.
The Sentinel 581 00:21:11,664 --> 00:21:14,404 MCP server is gonna have native integration with 582 00:21:14,704 --> 00:21:17,039 Security Copilot, but I don't know about you. 583 00:21:17,039 --> 00:21:19,679 I'd rather pay $20 a month for Copilot 584 00:21:19,679 --> 00:21:20,179 GitHub 585 00:21:20,559 --> 00:21:22,259 than $20,000 586 00:21:22,639 --> 00:21:23,139 for 587 00:21:23,440 --> 00:21:26,720 Security Copilot. Obviously, other benefits with Security Copilot, 588 00:21:26,720 --> 00:21:28,639 people that have it, you'd wanna have this 589 00:21:28,639 --> 00:21:31,414 in there. But to me, this was I'm 590 00:21:31,414 --> 00:21:33,275 still kinda curious to see 591 00:21:33,734 --> 00:21:35,994 where Security Copilot goes because 592 00:21:36,375 --> 00:21:37,595 while there's other functionality 593 00:21:37,894 --> 00:21:38,954 in there, as 594 00:21:39,414 --> 00:21:41,815 these MCP servers continue to grow and you 595 00:21:41,815 --> 00:21:42,714 look at Graph MCP 596 00:21:43,174 --> 00:21:44,315 server and 597 00:21:44,640 --> 00:21:46,980 now you have the MCP server for Sentinel, 598 00:21:47,599 --> 00:21:48,339 if other 599 00:21:48,720 --> 00:21:49,460 third parties 600 00:21:49,839 --> 00:21:52,240 that you can integrate with I don't know. 601 00:21:52,240 --> 00:21:53,920 Like, if you integrate other third parties with 602 00:21:53,920 --> 00:21:56,640 Sentinel and you can do an MCP server 603 00:21:56,640 --> 00:21:57,299 with Sentinel, 604 00:21:58,205 --> 00:22:00,305 you lose some of the built in functionality 605 00:22:00,445 --> 00:22:03,005 in different places of Security Copilot, but to 606 00:22:03,005 --> 00:22:04,144 me, this lessens 607 00:22:04,445 --> 00:22:07,404 the need for something like Security Copilot. Maybe 608 00:22:07,404 --> 00:22:09,644 I'm not supposed to say that, but that's 609 00:22:09,644 --> 00:22:11,380 what I'm seeing.
Like I have less and 610 00:22:11,380 --> 00:22:13,220 less of a need for Security Copilot because 611 00:22:13,220 --> 00:22:16,099 of MCPs. I think the world of the 612 00:22:16,099 --> 00:22:18,839 agentic stuff, it's going to continue to morph 613 00:22:19,059 --> 00:22:21,000 and continue to change. 614 00:22:21,380 --> 00:22:23,160 It's one of those places where 615 00:22:23,539 --> 00:22:25,160 I don't even know that 616 00:22:25,845 --> 00:22:26,825 service providers, 617 00:22:27,804 --> 00:22:28,304 like 618 00:22:29,285 --> 00:22:30,404 none of us know where it's going to 619 00:22:30,404 --> 00:22:31,704 end up, basically. 620 00:22:32,284 --> 00:22:32,784 So 621 00:22:33,365 --> 00:22:36,505 everybody's racing to create these kinds of experiences, 622 00:22:36,644 --> 00:22:39,204 but they're going to continue to change over 623 00:22:39,204 --> 00:22:39,704 time. 624 00:22:40,359 --> 00:22:41,259 Like, this whole 625 00:22:41,640 --> 00:22:44,059 local versus remote MCP server, 626 00:22:44,519 --> 00:22:46,460 that's not fully baked, 627 00:22:46,759 --> 00:22:49,179 and that's not a done deal 628 00:22:49,640 --> 00:22:51,019 as to the way that composes. 629 00:22:51,480 --> 00:22:52,515 But I do think it offers, 630 00:23:01,875 --> 00:23:03,795 integrates over there is just add a tool. 631 00:23:03,795 --> 00:23:05,634 Right? Like, you're not adding an MCP server. 632 00:23:05,634 --> 00:23:07,474 You're adding a tool. What's it using in 633 00:23:07,474 --> 00:23:10,700 the background? The MCP server. So now we're 634 00:23:10,700 --> 00:23:14,460 starting to equate local MCP server with tools 635 00:23:14,460 --> 00:23:16,559 and resources and all the things in them. 636 00:23:16,700 --> 00:23:18,799 That same kind of nomenclature 637 00:23:19,579 --> 00:23:20,079 and 638 00:23:20,700 --> 00:23:23,839 architecture is coming to these cloud based 639 00:23:24,274 --> 00:23:27,075 and SaaS based things as well.
I think 640 00:23:27,075 --> 00:23:27,734 you'll see 641 00:23:28,115 --> 00:23:30,534 more and more of this, like this mix 642 00:23:31,474 --> 00:23:32,694 of remote MCP 643 00:23:33,315 --> 00:23:35,575 and then some other piece of functionality 644 00:23:36,115 --> 00:23:37,815 in a part of the service itself 645 00:23:38,279 --> 00:23:41,240 or in, like, a parallel service. Oh, like, 646 00:23:41,240 --> 00:23:43,019 great. Now I can use that too 647 00:23:43,400 --> 00:23:44,299 and come across. 648 00:23:44,680 --> 00:23:46,359 What'll be interesting to see is, like, a 649 00:23:46,359 --> 00:23:48,440 year from now, is, like, MCP server is 650 00:23:48,440 --> 00:23:50,600 even a thing, or did we all settle 651 00:23:50,600 --> 00:23:53,285 on just exposing, like, the tools through, like, 652 00:23:53,285 --> 00:23:55,845 some other endpoint mechanism or things like that? 653 00:23:55,845 --> 00:23:56,345 Like, 654 00:23:56,805 --> 00:23:58,404 I don't know. TBD. We'll see where it 655 00:23:58,404 --> 00:24:00,244 all ends up. It'll be interesting. Shall be 656 00:24:00,244 --> 00:24:02,164 weird for a while. It's kinda like a 657 00:24:02,164 --> 00:24:03,625 fun ride though if you're a technologist. 658 00:24:03,924 --> 00:24:04,744 Oh, absolutely. 659 00:24:05,179 --> 00:24:06,619 So and then the third should we dive 660 00:24:06,619 --> 00:24:08,539 into the third one? The Sentinel Graph. This 661 00:24:08,539 --> 00:24:10,700 was kind of a cool one, and this 662 00:24:10,700 --> 00:24:13,359 is also in public preview now where 663 00:24:13,900 --> 00:24:16,220 now within Sentinel, we've always been able to 664 00:24:16,220 --> 00:24:18,059 do KQL queries, right, where you can go 665 00:24:18,059 --> 00:24:20,975 in and query stuff and get your results 666 00:24:20,975 --> 00:24:22,654 however you query it. 
And you could go 667 00:24:22,654 --> 00:24:24,815 look at incidents and kind of within different 668 00:24:24,815 --> 00:24:27,295 incidents, you're able to see connections between different 669 00:24:27,295 --> 00:24:29,394 events and different devices and all of that. 670 00:24:29,695 --> 00:24:32,575 What this does is it allows you to 671 00:24:32,575 --> 00:24:34,115 go do a, 672 00:24:34,589 --> 00:24:37,169 essentially, a graph based query 673 00:24:37,549 --> 00:24:40,509 against your Sentinel data. So instead of, like, 674 00:24:40,509 --> 00:24:42,190 waiting for an incident to occur and then 675 00:24:42,190 --> 00:24:44,029 seeing all the connections for the incident or 676 00:24:44,029 --> 00:24:45,789 instead of just writing a KQL query and 677 00:24:45,789 --> 00:24:48,190 getting data back, you can go in and 678 00:24:48,190 --> 00:24:48,690 this 679 00:24:49,144 --> 00:24:50,664 I'm trying to think if there's a screenshot 680 00:24:50,664 --> 00:24:51,404 in here 681 00:24:51,704 --> 00:24:54,024 where you can this is probably a decent 682 00:24:54,024 --> 00:24:55,784 one that I have on my screen. But 683 00:24:55,784 --> 00:24:56,444 for people 684 00:24:56,825 --> 00:24:57,325 listening, 685 00:24:57,944 --> 00:25:00,105 I could go in and it's preview, so 686 00:25:00,105 --> 00:25:01,625 it was somewhat limited, but I could say, 687 00:25:01,625 --> 00:25:03,600 like, show me this device, and I just 688 00:25:03,600 --> 00:25:05,519 picked two devices. You can pick two different 689 00:25:05,519 --> 00:25:08,640 entities. But I picked my laptop and I 690 00:25:08,640 --> 00:25:11,440 picked my desktop, and I said, show me 691 00:25:11,440 --> 00:25:14,160 the relationship between them, and it essentially created 692 00:25:14,160 --> 00:25:17,299 a graph with all the different ways 693 00:25:17,845 --> 00:25:20,164 these two devices were linked together, whether it 694 00:25:20,164 --> 00:25:22,805 was through users or linked together. 
I think 695 00:25:22,805 --> 00:25:25,045 it showed, like, my user account was one 696 00:25:25,045 --> 00:25:27,384 link. I think it maybe showed, like, Intune 697 00:25:27,525 --> 00:25:30,585 as another link between them or other services. 698 00:25:30,725 --> 00:25:31,365 So it was 699 00:25:32,130 --> 00:25:33,570 gave me, I would say, more of a 700 00:25:33,570 --> 00:25:36,230 proactive way to say, okay. So if this 701 00:25:36,369 --> 00:25:37,750 device was compromised, 702 00:25:38,369 --> 00:25:40,130 what are all the ways it could be 703 00:25:40,130 --> 00:25:42,930 linked to this other device, or what are 704 00:25:42,930 --> 00:25:45,109 all the ways my user is linked to 705 00:25:45,410 --> 00:25:48,634 different entities? And instead of giving me tabular 706 00:25:48,634 --> 00:25:51,295 data, it gave me a graph, a view 707 00:25:51,355 --> 00:25:52,494 of connections 708 00:25:52,954 --> 00:25:54,954 between different things in my tenant. If I 709 00:25:54,954 --> 00:25:57,134 was reading between the lines on this one, 710 00:25:57,194 --> 00:25:57,694 because 711 00:25:58,474 --> 00:26:00,875 we're back to the whole, like, KQL thing 712 00:26:00,875 --> 00:26:03,329 and what's it used under the hood, what's 713 00:26:03,329 --> 00:26:06,069 a capability that recently came to 714 00:26:06,450 --> 00:26:09,730 Azure Data Explorer and to Kusto? Well, a 715 00:26:09,730 --> 00:26:12,069 capability that recently came to Kusto 716 00:26:12,450 --> 00:26:12,950 is 717 00:26:13,250 --> 00:26:14,470 the ability to 718 00:26:14,849 --> 00:26:15,349 execute 719 00:26:15,809 --> 00:26:16,309 queries 720 00:26:17,434 --> 00:26:18,734 with graph models. 
721 00:26:19,275 --> 00:26:20,414 So taking 722 00:26:20,875 --> 00:26:22,095 database objects 723 00:26:22,554 --> 00:26:23,054 that 724 00:26:23,914 --> 00:26:24,414 represent 725 00:26:24,795 --> 00:26:27,275 your property graph and that are stored in 726 00:26:27,275 --> 00:26:29,835 Data Explorer and then being able to bounce 727 00:26:29,835 --> 00:26:30,335 those 728 00:26:30,809 --> 00:26:31,789 against each other. 729 00:26:32,329 --> 00:26:34,029 So if you can do it in KQL 730 00:26:34,089 --> 00:26:35,690 and you can get at it, you might 731 00:26:35,690 --> 00:26:37,549 be able to do some even more interesting 732 00:26:37,609 --> 00:26:40,089 things with it along the way. And if 733 00:26:40,089 --> 00:26:42,169 you're into it, I'd recommend going and reading 734 00:26:42,169 --> 00:26:44,750 the Kusto documentation for graph models 735 00:26:45,295 --> 00:26:46,575 and seeing kinda 736 00:26:47,214 --> 00:26:49,134 if you can wrap your head around a 737 00:26:49,134 --> 00:26:50,335 little bit. How do I run that? They 738 00:26:50,335 --> 00:26:52,355 have some good, like, work working examples 739 00:26:52,815 --> 00:26:55,535 and things in there. So but absolutely. So 740 00:26:55,535 --> 00:26:58,434 so KQL now has this it has a 741 00:26:58,750 --> 00:27:00,829 a graph, right? So much like you'd have 742 00:27:00,829 --> 00:27:03,150 like a database or table name kind of 743 00:27:03,150 --> 00:27:05,150 thing. You have a graph out there, so 744 00:27:05,150 --> 00:27:07,470 there's an object for graphs, and then you 745 00:27:07,950 --> 00:27:10,269 and you know how you have like where 746 00:27:10,269 --> 00:27:13,089 clauses and summarizes and and things like that. 
747 00:27:13,315 --> 00:27:15,575 There's also now a graph match, 748 00:27:16,035 --> 00:27:16,535 and 749 00:27:16,835 --> 00:27:19,555 so it's basically graph match, what's the pattern 750 00:27:19,555 --> 00:27:22,994 you input where these filters are true, and 751 00:27:22,994 --> 00:27:23,974 then output 752 00:27:24,355 --> 00:27:25,174 these fields 753 00:27:25,690 --> 00:27:26,509 based on 754 00:27:26,809 --> 00:27:28,730 the graph and how it comes together. The 755 00:27:28,730 --> 00:27:31,849 syntax is really weird and kinda wild. Like, 756 00:27:31,849 --> 00:27:34,250 it is not like other KQL syntax at 757 00:27:34,250 --> 00:27:36,250 all, when you especially when you're doing, like, 758 00:27:36,250 --> 00:27:38,490 the filtering and things like that, but it 759 00:27:38,490 --> 00:27:40,904 works pretty well. I've been playing around with 760 00:27:40,904 --> 00:27:42,744 it for some other stuff. I wonder if 761 00:27:42,744 --> 00:27:44,204 this is even using 762 00:27:44,585 --> 00:27:46,505 and this might be kinda what even you're 763 00:27:46,505 --> 00:27:48,105 getting at it. If this is using that 764 00:27:48,105 --> 00:27:49,625 under the covers, if this is a little 765 00:27:49,625 --> 00:27:50,924 bit more of a UI 766 00:27:51,704 --> 00:27:52,204 interface, 767 00:27:52,730 --> 00:27:55,789 and then behind the scenes, it's creating those 768 00:27:55,849 --> 00:27:56,349 KQL 769 00:27:56,650 --> 00:27:58,730 graph type of queries. It'd be an easy 770 00:27:58,730 --> 00:28:00,170 thing to do or a smart thing to 771 00:28:00,170 --> 00:28:02,809 do if the underline if the underlying database 772 00:28:02,809 --> 00:28:04,509 engine provides for it, why not? 773 00:28:04,890 --> 00:28:07,275 Yeah. Lots of improvements around Sentinel and different 774 00:28:07,275 --> 00:28:09,835 things you can do, especially with the data 775 00:28:09,835 --> 00:28:10,494 lake integration 776 00:28:10,795 --> 00:28:12,414 going GA. 
They layered 777 00:28:12,795 --> 00:28:14,394 all of these on top of it. So 778 00:28:14,394 --> 00:28:16,715 all of this does depend on you having 779 00:28:16,715 --> 00:28:19,355 Sentinel and Defender, making that connection between your 780 00:28:19,355 --> 00:28:22,174 workspace and Defender, and then enabling the graph, 781 00:28:22,309 --> 00:28:24,230 and then you'll be able to go light 782 00:28:24,230 --> 00:28:26,230 this stuff up. And I've seen some things. 783 00:28:26,230 --> 00:28:28,069 I'm in a few security groups where people 784 00:28:28,069 --> 00:28:30,309 weren't getting it necessarily right away. It might 785 00:28:30,309 --> 00:28:32,169 take some time in preview, 786 00:28:32,549 --> 00:28:35,109 trickling out. Yep. SaaS rollouts, all that good 787 00:28:35,109 --> 00:28:37,829 stuff. Yeah. All that stuff. So no. These 788 00:28:37,829 --> 00:28:40,065 were some fun announcements in the last 789 00:28:40,524 --> 00:28:42,444 week or so that came out that I've 790 00:28:42,444 --> 00:28:44,044 started playing with. The nice thing about those 791 00:28:44,044 --> 00:28:46,044 data lakes too is like you mentioned, you're 792 00:28:46,044 --> 00:28:48,464 provisioning those within your own infrastructure. 793 00:28:49,085 --> 00:28:50,784 So, you know, it's your 794 00:28:51,085 --> 00:28:53,724 Azure subscription, your resource group, so you still 795 00:28:53,724 --> 00:28:56,869 get the choice over, like, where does that 796 00:28:56,929 --> 00:28:59,169 data lake reside? So if you have, like, 797 00:28:59,169 --> 00:29:00,549 data residency requirements, 798 00:29:01,490 --> 00:29:03,169 anything like that, you could spin that up. 799 00:29:03,169 --> 00:29:04,869 You can also choose your redundancy, 800 00:29:05,409 --> 00:29:07,490 every everything like that that you might wanna 801 00:29:07,490 --> 00:29:09,484 do. 
So it's nice to have kinda that 802 00:29:09,484 --> 00:29:11,484 level of control too, but just watch out 803 00:29:11,484 --> 00:29:13,644 because it is a PAYGo component. So it 804 00:29:13,644 --> 00:29:16,125 is kinda sitting out there now churning month 805 00:29:16,125 --> 00:29:17,725 over month or however long you turn it 806 00:29:17,725 --> 00:29:19,565 on for. Yep. And then I think Data 807 00:29:19,565 --> 00:29:21,904 Lake too, you'd get charged based on queries 808 00:29:22,045 --> 00:29:24,599 and how much you use it and yeah. 809 00:29:24,759 --> 00:29:26,919 All those same things apply. This is not 810 00:29:26,919 --> 00:29:29,339 a free data lake with your Azure subscription. 811 00:29:29,400 --> 00:29:32,619 It's a PAYGo data lake that they automatically 812 00:29:33,079 --> 00:29:35,240 connect up and ingest all the data and 813 00:29:35,240 --> 00:29:37,160 do that for you. Yeah. Compute still costs 814 00:29:37,160 --> 00:29:37,980 money. Yes. 815 00:29:38,384 --> 00:29:40,384 Alright. We've spent, like, a bunch of time 816 00:29:40,384 --> 00:29:41,505 on mine. Do you want to talk about 817 00:29:41,505 --> 00:29:43,265 yours anymore today, or should we save those 818 00:29:43,265 --> 00:29:45,664 for round two? Let's save a we'll do 819 00:29:45,664 --> 00:29:47,345 an I'm just going to talk about some 820 00:29:47,345 --> 00:29:49,744 Kubernetes stuff, so we'll do a kind of 821 00:29:49,744 --> 00:29:51,045 AKS ish day 822 00:29:51,380 --> 00:29:53,539 coming up in the future here. Sounds good. 823 00:29:53,539 --> 00:29:54,039 AKS 824 00:29:54,580 --> 00:29:56,360 ish. Yeah. There we go. AKS 825 00:29:57,940 --> 00:29:58,519 ish. Yeah. 826 00:29:58,980 --> 00:30:00,420 All that said, if you're gonna be at 827 00:30:00,420 --> 00:30:02,259 any conf I Scott, I have a few 828 00:30:02,259 --> 00:30:03,940 conferences coming up. I'm still trying to get 829 00:30:03,940 --> 00:30:06,200 you to one. 
I'm down at Dev Intersections, 830 00:30:07,065 --> 00:30:10,345 Cybersecurity Intersections, which they added next week. So 831 00:30:10,345 --> 00:30:12,204 if you're down in Orlando at that one, 832 00:30:12,585 --> 00:30:13,085 October, 833 00:30:13,865 --> 00:30:16,105 like, six through ten or something. And then 834 00:30:16,105 --> 00:30:18,664 I did get accepted to go help proctor 835 00:30:18,664 --> 00:30:21,419 labs again at Ignite. So I'll be out 836 00:30:21,419 --> 00:30:23,140 at Oh, nice. Yeah. I'll be out at 837 00:30:23,140 --> 00:30:25,940 Ignite in November if anybody's going to be 838 00:30:25,940 --> 00:30:27,700 out there. And then I think I mentioned 839 00:30:27,700 --> 00:30:28,679 that I'm doing cybersecurity 840 00:30:29,380 --> 00:30:31,779 or not wow. Workplace Ninja is down in 841 00:30:31,779 --> 00:30:33,940 Dallas in December. So we're still working on 842 00:30:33,940 --> 00:30:36,115 getting you out to Ignite. We'll see, Scott. 843 00:30:36,115 --> 00:30:37,575 We need to get you out there yet. 844 00:30:38,994 --> 00:30:41,714 Yeah. Well, for the other stuff, give me 845 00:30:41,714 --> 00:30:42,855 some links, and 846 00:30:43,394 --> 00:30:44,914 I'll put them in the show notes. I 847 00:30:44,914 --> 00:30:46,194 will do that. So links to all those 848 00:30:46,194 --> 00:30:48,130 conferences will be in the show notes. Come 849 00:30:48,130 --> 00:30:49,429 find me and hopefully 850 00:30:49,809 --> 00:30:51,809 Scott at Ignite. And if you have any 851 00:30:51,809 --> 00:30:54,049 feedback for Scott, don't forget, let Scott know 852 00:30:54,049 --> 00:30:56,549 what mouse you should get. And any questions, 853 00:30:56,690 --> 00:30:57,190 comments, 854 00:30:58,049 --> 00:30:58,549 thoughts, 855 00:30:59,250 --> 00:31:02,210 future topics, future guests, we'd love to hear 856 00:31:02,210 --> 00:31:03,269 from people. So 857 00:31:03,654 --> 00:31:06,555 reach out.
LinkedIn has turned into our social 858 00:31:07,015 --> 00:31:09,494 media platform of choice or we do still 859 00:31:09,494 --> 00:31:11,414 have the contact form on the website if 860 00:31:11,414 --> 00:31:12,535 you want to go there and fill that 861 00:31:12,535 --> 00:31:13,815 out as well. All good stuff. If you 862 00:31:13,815 --> 00:31:15,414 have complaints, only reach out to Ben though. 863 00:31:15,414 --> 00:31:19,710 Yes. My email address is scott@msclouditpropodcast.com. 864 00:31:20,970 --> 00:31:22,329 Bring on the spam. It's a good thing 865 00:31:22,329 --> 00:31:24,410 your spam filter is good. It is. Hopefully, 866 00:31:24,410 --> 00:31:26,170 it won't get spam too much out of 867 00:31:26,170 --> 00:31:28,329 that. Alright. With that, Scott, go enjoy your 868 00:31:28,329 --> 00:31:29,849 weekend. Thanks, Ben. It's getting nice in Florida. 869 00:31:29,849 --> 00:31:31,609 Go enjoy some time outside. It's not It 870 00:31:31,609 --> 00:31:35,005 is. Stupid hot anymore. Although, it's we're under, 871 00:31:35,384 --> 00:31:37,785 marine watch tomorrow. So a small craft advisory 872 00:31:37,785 --> 00:31:39,545 here tomorrow, so can't go out on the 873 00:31:39,545 --> 00:31:41,945 boat. Oh, so enjoy time outdoors not on 874 00:31:41,945 --> 00:31:43,384 the boat. Go fly a kite on the 875 00:31:43,384 --> 00:31:45,569 beach. Marine advisory means wind for a kite. 876 00:31:45,569 --> 00:31:47,890 Right? It's getting windy already. Yeah. Well, thanks, 877 00:31:47,890 --> 00:31:49,569 Scott. Enjoy your weekend. We'll talk to you 878 00:31:49,569 --> 00:31:51,429 next time. You too. Thanks, Ben. 879 00:31:53,409 --> 00:31:54,789 If you enjoyed the podcast, 880 00:31:55,089 --> 00:31:56,690 go leave us a five star rating in 881 00:31:56,690 --> 00:31:58,769 iTunes. It helps to get the word out 882 00:31:58,769 --> 00:32:00,565 so more IT pros can learn about 883 00:32:00,565 --> 00:32:02,345 Office three sixty five and Azure.
884 00:32:02,884 --> 00:32:04,565 If you have any questions you want us 885 00:32:04,565 --> 00:32:06,725 to address on the show, or feedback about 886 00:32:06,725 --> 00:32:09,045 the show, feel free to reach out via 887 00:32:09,045 --> 00:32:11,305 our website, Twitter, or Facebook. 888 00:32:11,605 --> 00:32:13,445 Thanks again for listening, and have a great 889 00:32:13,445 --> 00:32:13,945 day.