1 00:00:03,439 --> 00:00:05,839 Welcome to episode 416 2 00:00:05,839 --> 00:00:08,960 of the Microsoft Cloud IT Pro podcast recorded 3 00:00:08,960 --> 00:00:11,539 live on 11/20/2025. 4 00:00:11,679 --> 00:00:13,919 This is a show about Microsoft 365 5 00:00:13,919 --> 00:00:16,045 and Azure from the perspective of IT 6 00:00:16,045 --> 00:00:18,125 pros and end users, where we discuss a 7 00:00:18,125 --> 00:00:20,445 topic or recent news and how it relates 8 00:00:20,445 --> 00:00:22,925 to you. In this episode, I'm still live 9 00:00:22,925 --> 00:00:25,244 from Microsoft Ignite as I sit down with 10 00:00:25,244 --> 00:00:28,545 Henrik, a fellow Microsoft MVP in security, 11 00:00:28,845 --> 00:00:31,109 to record this episode. As we enjoy 12 00:00:31,109 --> 00:00:33,829 some sun in San Francisco, we spent some 13 00:00:33,829 --> 00:00:35,929 time talking about Microsoft Sentinel, 14 00:00:36,309 --> 00:00:38,710 Data Lake with Microsoft Sentinel, and some of 15 00:00:38,710 --> 00:00:41,429 the announcements from Ignite, as well as some 16 00:00:41,429 --> 00:00:43,725 of our experiences at the conference and things 17 00:00:43,804 --> 00:00:46,545 that we've enjoyed about being live in person 18 00:00:46,684 --> 00:00:47,265 at Ignite. 19 00:00:49,405 --> 00:00:52,125 So here we are sitting at Ignite, recording 20 00:00:52,125 --> 00:00:55,405 another show of the Microsoft Cloud IT Pro 21 00:00:55,405 --> 00:00:55,905 podcast 22 00:00:56,689 --> 00:00:58,070 without Scott because 23 00:00:58,449 --> 00:01:00,689 Scott has bailed on me this year. We've 24 00:01:00,689 --> 00:01:02,850 got carnival music going on the background, sitting 25 00:01:02,850 --> 00:01:04,609 on the sun in the streets of San 26 00:01:04,609 --> 00:01:07,909 Francisco. But since Scott wasn't here, I had 27 00:01:08,209 --> 00:01:10,549 Henrik join me. So he's a 28 00:01:11,005 --> 00:01:14,064 senior cloud specialist, a fellow security MVP. 
29 00:01:14,685 --> 00:01:16,204 Well, we met how long have we known 30 00:01:16,204 --> 00:01:18,125 each other? Eight couple years now? Yeah. A 31 00:01:18,125 --> 00:01:19,645 couple of years. Yeah. Yeah. Because we both 32 00:01:19,724 --> 00:01:21,325 did you become an MVP about the same 33 00:01:21,325 --> 00:01:24,040 time I did? Yeah. Yeah. We kinda came 34 00:01:24,040 --> 00:01:27,239 MVPs together. You started as security. I started 35 00:01:27,239 --> 00:01:29,879 as Microsoft March, and then I joined the 36 00:01:29,879 --> 00:01:31,479 dark side, the good side. I don't know. 37 00:01:31,479 --> 00:01:33,159 Security support. The good side. The good side. 38 00:01:33,159 --> 00:01:34,599 Yeah. Do you wanna give a little bit 39 00:01:34,599 --> 00:01:37,239 of introduction, Henrik, just about you, who you 40 00:01:37,239 --> 00:01:39,395 are, where you work, where you 41 00:01:39,775 --> 00:01:42,114 live, how much you love Samsung's system. 42 00:01:42,415 --> 00:01:45,055 Yeah. I'll just start with introducing myself. My 43 00:01:45,055 --> 00:01:46,754 name is Henrik Wysig 44 00:01:47,295 --> 00:01:49,795 from Denmark, and I work at a bank 45 00:01:49,855 --> 00:01:52,594 in the financial sector. That's my doing. 46 00:01:52,950 --> 00:01:54,329 And my area 47 00:01:54,790 --> 00:01:57,510 is security because I'm a security MVP. Yeah. 48 00:01:57,510 --> 00:02:00,069 I work with the Sentinel and Defender, the 49 00:02:00,069 --> 00:02:02,869 whole Defender suite. So, yeah, basically, I love 50 00:02:02,869 --> 00:02:05,575 everything security. Alright. I mean, bank security is 51 00:02:05,575 --> 00:02:07,755 kind of important at banks, I think. Apparently, 52 00:02:07,814 --> 00:02:10,294 something about people's money. Yeah. They kinda like 53 00:02:10,294 --> 00:02:11,754 it to be safe and secure 54 00:02:12,135 --> 00:02:13,415 and not allowed to get in. And you 55 00:02:13,415 --> 00:02:15,014 live in Denmark. 
I mean, how much better 56 00:02:15,014 --> 00:02:16,854 is that? You live in the same country 57 00:02:16,854 --> 00:02:19,629 as Legoland. Yes. And fun fact is I 58 00:02:19,629 --> 00:02:20,129 actually 59 00:02:20,430 --> 00:02:23,490 I only live, like, the twenty minutes drive 60 00:02:23,629 --> 00:02:26,430 from LEGOLAND and LEGO headquarters. Okay. That's why 61 00:02:26,430 --> 00:02:27,949 I have a lot of LEGO at home. 62 00:02:27,949 --> 00:02:29,949 See, I keep forgetting this. One of these 63 00:02:29,949 --> 00:02:31,870 years, Henrik, I have you on record now. 64 00:02:31,870 --> 00:02:33,844 You're on the podcast. I would like a 65 00:02:33,844 --> 00:02:36,104 couple of those LEGO sets, like the headquarters 66 00:02:36,324 --> 00:02:38,004 and the tree that you can only get 67 00:02:38,004 --> 00:02:39,465 at LEGO headquarters. Yes. 68 00:02:39,844 --> 00:02:41,925 Any way you can arrange that? I won't 69 00:02:41,925 --> 00:02:43,544 put you on the spot on the podcast. 70 00:02:43,604 --> 00:02:45,444 Yeah. You'll have to show send me a 71 00:02:45,444 --> 00:02:47,044 picture of that. Send you a picture of 72 00:02:47,044 --> 00:02:49,260 the sets that I want? Yeah. Alright. I 73 00:02:49,260 --> 00:02:50,860 heard there's, like, those two sets that you 74 00:02:50,860 --> 00:02:53,199 can only buy at LEGO headquarters 75 00:02:53,580 --> 00:02:55,919 in Denmark. There is there is a collectible. 76 00:02:55,980 --> 00:02:57,980 Also, if you go on a special trip 77 00:02:57,980 --> 00:03:00,460 at the LEGO at LEGO House, which is 78 00:03:00,620 --> 00:03:03,004 Uh-huh. Yeah. Which is really cool. But you 79 00:03:03,004 --> 00:03:04,284 have to pay a lot of money to 80 00:03:04,284 --> 00:03:06,044 get on those tours, but you get a 81 00:03:06,044 --> 00:03:08,604 golden brick almost. Maybe we need to do 82 00:03:08,604 --> 00:03:10,064 Ignite Denmark. Yes. 83 00:03:12,205 --> 00:03:14,525 Yes. 
It will probably be better than San 84 00:03:14,525 --> 00:03:16,650 Francisco, but I don't know. Maybe. Yeah. We 85 00:03:16,729 --> 00:03:18,349 should probably be nice to San Francisco. 86 00:03:18,810 --> 00:03:21,289 Oh, well. Anyways, we should we talk about 87 00:03:21,289 --> 00:03:24,409 security instead of Legos in San Francisco and 88 00:03:24,409 --> 00:03:24,909 Denmark? 89 00:03:25,530 --> 00:03:27,930 So senior cloud specialist, you do a lot 90 00:03:27,930 --> 00:03:30,064 with security. You probably do more with security 91 00:03:30,064 --> 00:03:31,504 than I do because I tend to spin 92 00:03:31,504 --> 00:03:33,585 a whole bunch of stuff, but there have 93 00:03:33,585 --> 00:03:34,965 been some interesting 94 00:03:35,665 --> 00:03:37,764 changes with Sentinel in the last, 95 00:03:38,385 --> 00:03:40,544 what, probably six months or so. There was 96 00:03:40,544 --> 00:03:43,550 announcements around Sentinel coming into Defender where now 97 00:03:43,550 --> 00:03:45,229 it's really gonna be Defender's gonna be the 98 00:03:45,229 --> 00:03:47,469 place to get to Sentinel. Yes. But, also, 99 00:03:47,469 --> 00:03:49,789 if you connect Sentinel to Defender, you can 100 00:03:49,789 --> 00:03:52,689 do things with data lake now. Yes. So 101 00:03:52,990 --> 00:03:54,430 do you wanna talk a little bit? Like, 102 00:03:54,430 --> 00:03:56,129 we were talking about some of the advantages 103 00:03:56,189 --> 00:03:57,675 there. I know I think Scott and I 104 00:03:57,675 --> 00:03:58,875 mentioned it, but didn't go into a lot 105 00:03:58,875 --> 00:04:00,634 of details. And you were sharing some details 106 00:04:00,634 --> 00:04:02,634 even on some of the advantages, even some 107 00:04:02,634 --> 00:04:04,155 of the reasons. It makes a lot of 108 00:04:04,155 --> 00:04:05,835 sense in the EU. So in the EU, 109 00:04:05,835 --> 00:04:07,055 because of regulation, 110 00:04:07,594 --> 00:04:10,175 and we're driven by regulation, apparently. 
111 00:04:10,719 --> 00:04:12,020 There are two new regulations. 112 00:04:12,319 --> 00:04:14,000 One is called NIS2, and the other 113 00:04:14,000 --> 00:04:16,500 is called DORA. And it applies actually 114 00:04:16,879 --> 00:04:20,399 to all critical infrastructure businesses. It's gonna hit 115 00:04:20,399 --> 00:04:23,185 almost everyone in the EU with logging. Okay. 116 00:04:23,185 --> 00:04:24,165 One of the loggings, 117 00:04:24,785 --> 00:04:26,785 logging requirements are that you need to save 118 00:04:26,785 --> 00:04:28,865 all your data or logs, audit logs, and 119 00:04:28,865 --> 00:04:32,245 security logs, and operation logs also for, like, 120 00:04:32,305 --> 00:04:34,785 thirteen months. Oh, wow. Yeah. That's a lot. 121 00:04:34,785 --> 00:04:37,205 Right? Yeah. So and this is just, like, 122 00:04:37,470 --> 00:04:39,470 everything. It doesn't matter what it is. It's 123 00:04:39,470 --> 00:04:42,189 just Yes. If something happens and it's logged 124 00:04:42,430 --> 00:04:43,949 Yes. What if you don't log it? Then 125 00:04:43,949 --> 00:04:46,189 we go far in. Too. Yeah. Yeah. So 126 00:04:46,189 --> 00:04:47,470 you have to log everything, and then you 127 00:04:47,470 --> 00:04:48,910 have to keep all of those for thirteen 128 00:04:48,910 --> 00:04:51,949 months. Yes. It's like GDPR. Okay. So it 129 00:04:51,949 --> 00:04:52,904 follows that. 130 00:04:53,384 --> 00:04:53,884 And, 131 00:04:54,504 --> 00:04:56,985 that has meant that especially us in the 132 00:04:56,985 --> 00:04:59,464 finance sector in Denmark have been looking into, 133 00:04:59,464 --> 00:05:01,384 oh, we need to save it for thirteen 134 00:05:01,384 --> 00:05:03,725 months now. Where to put it? Because 135 00:05:04,264 --> 00:05:06,904 yanking it up in log analytics workspace for 136 00:05:06,904 --> 00:05:08,550 thirteen months, that's expensive. 137 00:05:08,850 --> 00:05:10,769 Yeah. Especially I don't know. 
You don't have 138 00:05:10,769 --> 00:05:12,209 to share how big your bank is, but 139 00:05:12,209 --> 00:05:13,970 I can imagine with the bank and the 140 00:05:13,970 --> 00:05:16,550 amount of data, like, it's not an insignificant 141 00:05:16,930 --> 00:05:18,610 amount of logs that you have. This is 142 00:05:18,610 --> 00:05:19,089 probably 143 00:05:19,410 --> 00:05:22,149 is it gigabytes or terabytes of logs? It's 144 00:05:22,289 --> 00:05:24,524 a lot of gigabytes. And it's not 145 00:05:25,225 --> 00:05:27,404 how should I explain my workplace? I work 146 00:05:27,464 --> 00:05:29,404 at a company called Bank Data, 147 00:05:29,865 --> 00:05:33,064 and it's it's owned by different banks in 148 00:05:33,064 --> 00:05:35,384 Denmark, actually. Oh, okay. Yeah. So it's owned 149 00:05:35,384 --> 00:05:36,629 by seven different banks, 150 00:05:37,490 --> 00:05:40,689 and, we're just the IT development department. So 151 00:05:40,689 --> 00:05:43,089 we do the finance banking apps. Got it. 152 00:05:43,089 --> 00:05:44,850 There's a lot of data, and they all 153 00:05:44,850 --> 00:05:46,230 want different things. 154 00:05:47,089 --> 00:05:47,589 So 155 00:05:48,154 --> 00:05:50,074 go make the button red. No. We want 156 00:05:50,074 --> 00:05:51,835 it blue. Yes. And then you have to 157 00:05:51,835 --> 00:05:53,355 log that you changed the button from red 158 00:05:53,355 --> 00:05:54,814 to blue? Change management. 159 00:05:55,115 --> 00:05:57,275 That's it's a finance sector, so we have 160 00:05:57,275 --> 00:05:58,895 to it's strictly regulated. 161 00:05:59,355 --> 00:06:01,849 So it's not it's not like in consultant 162 00:06:01,849 --> 00:06:04,490 where you just go in, place guns placing, 163 00:06:04,490 --> 00:06:06,490 and Yep. I can fix that for you, 164 00:06:06,490 --> 00:06:08,569 my friend. 
So how does data lake so 165 00:06:08,569 --> 00:06:10,569 you talked about, like, log analytics is super 166 00:06:10,569 --> 00:06:11,069 expensive 167 00:06:11,610 --> 00:06:14,009 when you are it it starts adding up. 168 00:06:14,009 --> 00:06:15,935 Now you can do it data lake. That 169 00:06:15,935 --> 00:06:18,574 helps with the pricing then. Yeah. A lot 170 00:06:18,574 --> 00:06:19,074 because 171 00:06:19,375 --> 00:06:22,035 we actually we are streaming logs from AWS. 172 00:06:22,414 --> 00:06:24,354 Okay. And that's a lot of logs 173 00:06:25,055 --> 00:06:28,035 you get from AWS also. And, specifically, 174 00:06:28,414 --> 00:06:30,735 what has helped us in our use case 175 00:06:30,735 --> 00:06:32,389 is that we don't have to pick and 176 00:06:32,389 --> 00:06:33,509 choose anymore with, 177 00:06:34,149 --> 00:06:35,750 do we log this or not? It's a 178 00:06:35,750 --> 00:06:38,089 requirement. So we have we have the opportunity 179 00:06:38,149 --> 00:06:41,110 to log it every everything now. And the 180 00:06:41,110 --> 00:06:43,350 ones that we throw directly into data lake 181 00:06:43,350 --> 00:06:46,035 at the moment, the older network logs, which 182 00:06:46,035 --> 00:06:48,595 are the most noisy logs that you can 183 00:06:48,595 --> 00:06:49,814 almost ever find. 184 00:06:50,435 --> 00:06:52,354 So that has saved a lot of money 185 00:06:52,354 --> 00:06:54,115 for us at least. Got it. So how 186 00:06:54,115 --> 00:06:56,035 did you how do you set that up? 187 00:06:56,035 --> 00:06:57,555 Because, like, we were talking about setting a 188 00:06:57,555 --> 00:06:59,740 little log analytics, which is Azure. Yeah. You 189 00:06:59,740 --> 00:07:01,399 know, while you're networking in AWS, 190 00:07:02,180 --> 00:07:03,240 is that through, 191 00:07:04,019 --> 00:07:06,339 like, Sentinel connectors then that are available in 192 00:07:06,339 --> 00:07:08,279 the hub or Yeah. 
How do you architect, 193 00:07:08,660 --> 00:07:11,560 like okay. All of our networks in AWS, 194 00:07:11,699 --> 00:07:13,939 we're gonna save it on Sentinel Yes. In 195 00:07:13,939 --> 00:07:15,079 data lake. Yes. 196 00:07:15,514 --> 00:07:18,495 So yeah. Because we actually stream it over 197 00:07:18,555 --> 00:07:21,055 from from the AWS. We have a connector. 198 00:07:21,194 --> 00:07:22,095 There's a 199 00:07:22,954 --> 00:07:25,995 a Amazon S3 service in Okay. Content 200 00:07:25,995 --> 00:07:28,314 hub in the Sentinel, which we enabled. And 201 00:07:28,314 --> 00:07:30,014 that hooks into all the 202 00:07:31,439 --> 00:07:34,319 GuardDuty logs and CloudTrail logs and 203 00:07:34,319 --> 00:07:36,720 VPC flow logs. And there's one more. I 204 00:07:36,720 --> 00:07:39,199 forgot its name. And that's so we have 205 00:07:39,199 --> 00:07:41,939 already the design before we went into AWS, 206 00:07:42,000 --> 00:07:44,079 we know that we were gonna move it 207 00:07:44,079 --> 00:07:46,214 over to Sentinel Okay. For the SIEM, 208 00:07:46,294 --> 00:07:48,154 one SIEM to rule them all. Yep. 209 00:07:48,535 --> 00:07:50,935 And, yeah. And we also got caught off 210 00:07:50,935 --> 00:07:53,735 guard in the early moments because there were 211 00:07:53,735 --> 00:07:56,134 some spikes in the traffic with the network 212 00:07:56,134 --> 00:07:57,814 logs, and it cost us a lot of 213 00:07:57,814 --> 00:07:59,615 money. And those spike was only, like, for 214 00:07:59,615 --> 00:08:01,654 a couple of hours, one day or two 215 00:08:01,654 --> 00:08:03,910 days, and it cost us a lot of 216 00:08:03,910 --> 00:08:06,470 money. That was before we enabled data lake, 217 00:08:06,470 --> 00:08:09,430 and that's what actually made us enable data 218 00:08:09,430 --> 00:08:11,750 lake to get it cheaper and then move 219 00:08:11,750 --> 00:08:13,830 the network logs directly into the data lake 220 00:08:13,830 --> 00:08:15,910 now. 
So we are saving money. Got it. 221 00:08:15,910 --> 00:08:17,664 So how does that work with data lake? 222 00:08:17,664 --> 00:08:19,425 Because I've started doing this. I've enabled data 223 00:08:19,425 --> 00:08:21,044 lake in mine, and it looks like 224 00:08:21,345 --> 00:08:23,504 by default, when you enable data lake for 225 00:08:23,504 --> 00:08:24,004 Sentinel, 226 00:08:24,384 --> 00:08:27,764 there's only certain tables from log analytics 227 00:08:28,305 --> 00:08:30,779 that go into data lake. Is that something 228 00:08:30,779 --> 00:08:32,160 that you can customize 229 00:08:32,460 --> 00:08:34,000 and tweak? Or have you 230 00:08:34,940 --> 00:08:37,019 We have only, we have only looked at 231 00:08:37,019 --> 00:08:39,120 those that cost us most money. 232 00:08:40,379 --> 00:08:42,620 So, yeah, it's a we have, like, I 233 00:08:42,620 --> 00:08:45,754 don't know, 290 234 00:08:45,815 --> 00:08:47,894 tables or something like that. Okay. And we 235 00:08:47,894 --> 00:08:50,375 did the quick one. Show us the most 236 00:08:50,375 --> 00:08:53,415 top 20 expensive tables, and then we did 237 00:08:53,415 --> 00:08:55,274 it from there. And all of those twenties, 238 00:08:55,654 --> 00:08:57,860 we could convert them into data lakes, but 239 00:08:57,860 --> 00:09:00,339 some don't actually make sense because you don't 240 00:09:00,339 --> 00:09:01,159 wanna move 241 00:09:01,620 --> 00:09:04,419 device events from MDE over to data lake 242 00:09:04,419 --> 00:09:07,220 because that correlates with all the other stuff 243 00:09:07,220 --> 00:09:09,699 on the attack vector. So you can't move 244 00:09:09,699 --> 00:09:12,259 that from away from log analytics, actually. Got 245 00:09:12,259 --> 00:09:14,725 it. So there are certain tables that like 246 00:09:14,725 --> 00:09:17,205 those device tables that, at least at this 247 00:09:17,205 --> 00:09:18,105 point in time, 248 00:09:18,565 --> 00:09:20,644 just have to stay in log analytics. 
There's 249 00:09:20,644 --> 00:09:22,245 no option. So you end up with a 250 00:09:22,245 --> 00:09:24,725 mix of tables and some in data lakes, 251 00:09:24,725 --> 00:09:25,785 some in log analytics. 252 00:09:26,350 --> 00:09:28,669 Yeah. Because if you put it if you 253 00:09:28,669 --> 00:09:30,669 had to put it into data lake, then 254 00:09:30,669 --> 00:09:33,970 you had to make KQL queries instead of 255 00:09:34,110 --> 00:09:35,009 analytic rules. 256 00:09:35,389 --> 00:09:37,470 And it's a bit slow, and the SOC 257 00:09:37,470 --> 00:09:38,325 doesn't like that. 258 00:09:39,524 --> 00:09:41,445 The SOC, like, send their data right away? 259 00:09:41,445 --> 00:09:43,065 Yes. Apparently. Okay. 260 00:09:43,524 --> 00:09:46,105 But, I mean, they are doing something that 261 00:09:46,565 --> 00:09:48,665 most of the logs for from the defender 262 00:09:48,965 --> 00:09:50,644 stays in the in the new tables for 263 00:09:50,644 --> 00:09:52,485 thirty days. Okay. So they have something to 264 00:09:52,485 --> 00:09:54,929 look into. And, I mean, who whoever comes 265 00:09:54,929 --> 00:09:57,089 back looking at logs at some point that 266 00:09:57,089 --> 00:09:59,089 needs them to go back a year, they're 267 00:09:59,089 --> 00:10:01,809 looking for something specific. Right? Right. So I 268 00:10:01,809 --> 00:10:03,409 haven't looked at this yet with the data 269 00:10:03,409 --> 00:10:05,250 lake. Can you set it then? So, like, 270 00:10:05,250 --> 00:10:07,649 logs from certain tables will go into data 271 00:10:07,649 --> 00:10:10,235 lake after a period of time? So, like 272 00:10:10,235 --> 00:10:12,634 you said, thirty days of device in log 273 00:10:12,634 --> 00:10:15,434 analytics and then thirty one days out to 274 00:10:15,434 --> 00:10:17,514 the thirteen months go to data lake? Yes. 275 00:10:17,514 --> 00:10:19,434 That's actually how we do it. In our 276 00:10:19,434 --> 00:10:21,799 case, we do ninety days. Okay. 
So we 277 00:10:21,799 --> 00:10:24,120 do ninety days log analytics tiering and then 278 00:10:24,120 --> 00:10:25,980 the rest in the data lake after that. 279 00:10:26,519 --> 00:10:28,279 Got it. For the other ones, we do 280 00:10:28,279 --> 00:10:31,639 directly to data lake. Okay. Network logs. Okay. 281 00:10:31,639 --> 00:10:33,980 And then you mentioned the analytics rules too. 282 00:10:34,414 --> 00:10:35,934 Again, like, I knew this, and I've kinda 283 00:10:35,934 --> 00:10:37,694 played with it, but haven't spent as much 284 00:10:37,694 --> 00:10:40,014 time with you. You talked about, like, the 285 00:10:40,014 --> 00:10:43,475 analytics rules and writing the queries. Does that 286 00:10:44,095 --> 00:10:45,934 differ then based on where the data is 287 00:10:45,934 --> 00:10:47,694 and how you write those queries? Or even 288 00:10:47,694 --> 00:10:51,220 if you wanna correlate data across different tables 289 00:10:51,600 --> 00:10:53,519 where you have some in log analytics and 290 00:10:53,519 --> 00:10:55,120 some in data lake, do you have to 291 00:10:55,120 --> 00:10:56,639 get a little more creative in how you 292 00:10:56,639 --> 00:10:58,960 write those? Yes. You have. So if we 293 00:10:58,960 --> 00:11:02,340 do, normally, all the Hondas do within KQL 294 00:11:02,399 --> 00:11:04,980 in the analytics, rule and then about something. 295 00:11:05,355 --> 00:11:08,075 And it's not that very seldom that we 296 00:11:08,075 --> 00:11:11,115 actually look back more than three months. That's 297 00:11:11,115 --> 00:11:13,274 why we landed on the magic ninety days. 298 00:11:13,274 --> 00:11:15,674 Got it. So so because it's not necessary, 299 00:11:15,674 --> 00:11:18,920 but if you have analytic queries for certain 300 00:11:18,920 --> 00:11:21,240 tables, then you have to convert them over 301 00:11:21,240 --> 00:11:23,879 because you can't cross over the search. 
So 302 00:11:23,879 --> 00:11:25,879 you have to you have to make another 303 00:11:25,879 --> 00:11:28,360 KQL job that runs to through the data 304 00:11:28,360 --> 00:11:30,920 lake. Okay. Yeah. Where if it's older than 305 00:11:30,920 --> 00:11:34,245 three months. Sorry. Ninety days. Okay. Ninety days, 306 00:11:34,245 --> 00:11:36,904 three months. They're about the same. Right? Yeah. 307 00:11:36,964 --> 00:11:38,985 Most months, they're close. Yeah. 308 00:11:39,445 --> 00:11:41,204 So can you write a query that because 309 00:11:41,204 --> 00:11:42,644 you can, like, look up. Like, you wanna 310 00:11:42,644 --> 00:11:45,044 look up log information for a device. And 311 00:11:45,044 --> 00:11:47,065 if you have those tables in two different 312 00:11:47,319 --> 00:11:47,819 sources, 313 00:11:48,199 --> 00:11:49,799 can you write a query? Yeah. So it 314 00:11:49,799 --> 00:11:51,639 will cross over. No. Because it there are 315 00:11:51,639 --> 00:11:54,759 two different things. Analytics ones will only do 316 00:11:54,759 --> 00:11:56,600 the ninety days. Yep. And then you have 317 00:11:56,600 --> 00:11:58,919 to switch over to the other ones. Got 318 00:11:58,919 --> 00:12:00,044 it. Yeah. For, 319 00:12:00,365 --> 00:12:01,964 yeah, but we haven't had the use case 320 00:12:01,964 --> 00:12:03,325 yet for that. Okay. Where you have to 321 00:12:03,325 --> 00:12:05,884 cross over, like, correlate network logs with device 322 00:12:05,884 --> 00:12:07,565 logs within ninety days when they're in two 323 00:12:07,565 --> 00:12:08,464 different sources? 324 00:12:08,924 --> 00:12:10,865 We haven't had that issue yet. Okay. 325 00:12:11,325 --> 00:12:13,049 Knock on wood. Let me know when that 326 00:12:13,129 --> 00:12:13,950 happens? Yeah. For 327 00:12:14,490 --> 00:12:16,970 you. It's a nice case because we actually 328 00:12:16,970 --> 00:12:19,370 had one that does advanced hunting. He asked 329 00:12:19,370 --> 00:12:21,690 about it. 
So if I'm doing this and 330 00:12:21,690 --> 00:12:24,089 this, but this table for the network logs 331 00:12:24,089 --> 00:12:25,769 is down here. As far as I said, 332 00:12:25,769 --> 00:12:28,330 we keep the devices because he's writing on 333 00:12:28,330 --> 00:12:28,990 the devices 334 00:12:29,345 --> 00:12:30,565 with the MDE data. 335 00:12:30,945 --> 00:12:32,945 Yeah. So we haven't had the use case 336 00:12:32,945 --> 00:12:33,764 for that because 337 00:12:34,144 --> 00:12:36,865 one thing is Azure logs and VPC flow 338 00:12:36,865 --> 00:12:38,644 logs from AWS firewalls. 339 00:12:39,345 --> 00:12:42,384 That's a whole another ballgame versus the MDE 340 00:12:42,384 --> 00:12:45,160 data that come from Got it. Laptops. Yep. 341 00:12:45,160 --> 00:12:45,660 Yeah. 342 00:12:46,200 --> 00:12:48,519 So and that's where the interesting stuff is. 343 00:12:48,519 --> 00:12:50,300 Got it. That makes sense. 344 00:12:51,160 --> 00:12:52,519 There was something else I was gonna ask 345 00:12:52,519 --> 00:12:54,040 and now I can't remember what it was 346 00:12:54,040 --> 00:12:56,300 around some of that. Must be the carnival 347 00:12:56,360 --> 00:12:58,575 music. Yeah. It's the carnival music in the 348 00:12:58,575 --> 00:13:01,054 background that people walking by. And the lack 349 00:13:01,054 --> 00:13:03,375 of sleep over the last few days. I'm 350 00:13:03,375 --> 00:13:04,274 getting tired. 351 00:13:04,654 --> 00:13:07,134 Yeah. So so you did say speed. That's 352 00:13:07,134 --> 00:13:08,815 one thing too that if you're querying data 353 00:13:08,815 --> 00:13:10,970 like that, your queries do is it, like, 354 00:13:10,970 --> 00:13:11,470 noticeably 355 00:13:12,009 --> 00:13:14,649 slower, or is it just, like, maybe it's 356 00:13:14,649 --> 00:13:16,029 a few seconds slower? 357 00:13:16,490 --> 00:13:18,569 What have you seen from a speed perspective 358 00:13:18,569 --> 00:13:20,329 when you're querying it? 
It was only, like, 359 00:13:20,329 --> 00:13:23,129 a couple of minutes. Okay. But and we 360 00:13:23,129 --> 00:13:25,529 had to build the query specifically. I wanna 361 00:13:25,529 --> 00:13:28,264 see it that I was searching for something 362 00:13:28,404 --> 00:13:31,065 in here and go pick those days only 363 00:13:31,205 --> 00:13:33,285 in this time span. So we were pretty 364 00:13:33,285 --> 00:13:35,764 precise because it costs money to query the 365 00:13:35,764 --> 00:13:38,165 data lake. So you gotta kind of have 366 00:13:38,165 --> 00:13:39,240 to optimize your 367 00:13:39,639 --> 00:13:41,559 your statements. Your queries. Yeah. Like, so is 368 00:13:41,559 --> 00:13:44,279 that something different with is it more, like, 369 00:13:44,279 --> 00:13:46,120 it's cheaper to store data in the data 370 00:13:46,120 --> 00:13:48,679 lake, but more expensive to query it? Yes. 371 00:13:48,679 --> 00:13:51,240 Precisely. That's but I that's with all the 372 00:13:51,240 --> 00:13:53,019 products actually today. So 373 00:13:53,399 --> 00:13:54,014 but, yes, 374 00:13:54,495 --> 00:13:56,415 that's one of the pitfalls. So you 375 00:13:56,415 --> 00:13:58,894 don't wanna have a guy that that does 376 00:13:58,894 --> 00:14:01,375 a search in the data lake for five 377 00:14:01,375 --> 00:14:03,774 years back or something like that. Okay. If 378 00:14:03,774 --> 00:14:05,575 you saw data for five years back. Right? 379 00:14:05,695 --> 00:14:07,409 Sort of that long. That's gonna cost a 380 00:14:07,409 --> 00:14:09,970 lot of money. Okay. Just firing the query 381 00:14:09,970 --> 00:14:11,889 off, and that's why we also said it 382 00:14:11,889 --> 00:14:14,529 would be nice before doing the statements or 383 00:14:14,529 --> 00:14:15,669 the KQL queries. 384 00:14:15,970 --> 00:14:18,370 What is the approximate cost if I throw 385 00:14:18,370 --> 00:14:19,190 this query 386 00:14:19,820 --> 00:14:22,095 Right. Yeah. Turn it on. 
So is it 387 00:14:22,174 --> 00:14:23,934 with the data lake queries and the cost, 388 00:14:23,934 --> 00:14:25,855 is it based on how much data gets 389 00:14:25,855 --> 00:14:28,754 returned from the query, or is it based 390 00:14:29,534 --> 00:14:31,375 on how many tables The lookup of the 391 00:14:31,375 --> 00:14:33,970 data. Okay. It's the lookup of how much 392 00:14:33,970 --> 00:14:35,990 data it has to go through. Got it. 393 00:14:36,049 --> 00:14:37,730 As as far as I know, but it's 394 00:14:37,730 --> 00:14:39,570 still new to us. I mean, it's like 395 00:14:39,570 --> 00:14:41,330 two months ago. Right. It hasn't been out 396 00:14:41,330 --> 00:14:43,330 very long. So people are still trying to 397 00:14:43,330 --> 00:14:45,250 figure it out. It'll be interesting to see 398 00:14:45,250 --> 00:14:46,230 even how Microsoft 399 00:14:47,245 --> 00:14:49,184 evolves it because I can imagine 400 00:14:49,644 --> 00:14:51,485 the scenario is gonna arise where someone has 401 00:14:51,485 --> 00:14:53,404 to query data in both data sources and 402 00:14:53,404 --> 00:14:55,485 how hopefully, they come up with a way 403 00:14:55,485 --> 00:14:57,404 to maybe make that a little bit more 404 00:14:57,404 --> 00:14:57,904 seamless 405 00:14:58,605 --> 00:15:00,625 as time goes on. Yeah. It's gonna 406 00:15:01,210 --> 00:15:04,250 as a true Microsoft employee would say, it's 407 00:15:04,250 --> 00:15:05,629 a journey we are on. 408 00:15:07,610 --> 00:15:09,690 And we have no idea how long this 409 00:15:09,690 --> 00:15:11,529 journey is gonna take us. But we have 410 00:15:11,529 --> 00:15:12,509 never been closer. 411 00:15:14,075 --> 00:15:15,674 Every day it's just like your birthday. Right? 412 00:15:15,674 --> 00:15:17,035 Every day, you get one day closer to 413 00:15:17,035 --> 00:15:18,715 your birthday. Yeah. Yay. 
Every day, we get 414 00:15:18,715 --> 00:15:20,634 one day closer to the destination on this 415 00:15:20,634 --> 00:15:22,174 journey with Microsoft. Yeah. 416 00:15:22,715 --> 00:15:24,575 It's funny. Oh, man. 
439 00:16:29,080 --> 00:16:31,820 So other things that kinda tie in the 440 00:16:32,120 --> 00:16:32,620 Sentinel, 441 00:16:32,920 --> 00:16:33,420 this 442 00:16:33,800 --> 00:16:36,920 security ecosystem is and there were some announcements 443 00:16:36,920 --> 00:16:39,654 around Security Copilot. Have you started playing with 444 00:16:39,654 --> 00:16:43,034 Security Copilot yet with your Sentinel data and 445 00:16:43,095 --> 00:16:45,414 looking at that? No. We have not because 446 00:16:45,414 --> 00:16:47,274 it had the cost have been an issue 447 00:16:47,334 --> 00:16:49,194 for us from day one. Right? 448 00:16:49,495 --> 00:16:51,779 Because of the ACU cost. The c level 449 00:16:51,779 --> 00:16:54,019 said no because it's too expensive. And, I 450 00:16:54,019 --> 00:16:55,700 mean, what's the value if we look at 451 00:16:55,700 --> 00:16:58,500 it? I mean Right. Yeah. And then where 452 00:16:58,500 --> 00:17:00,360 there were all those hacks that you could 453 00:17:00,419 --> 00:17:02,820 spin up the ACUs, then shut them down, 454 00:17:02,820 --> 00:17:04,740 spin them up next day, and stuff like 455 00:17:04,740 --> 00:17:07,264 that. But we didn't bother in our enterprise 456 00:17:07,325 --> 00:17:10,144 because it didn't give that value. But now, 457 00:17:10,204 --> 00:17:12,384 with the new E5, yes, 458 00:17:12,684 --> 00:17:14,524 it's gonna be exciting. It is. And that 459 00:17:14,524 --> 00:17:16,204 was one of the announcements. So have you 460 00:17:16,204 --> 00:17:17,964 started playing with it yet? Have you guys 461 00:17:18,044 --> 00:17:19,724 well, though you probably haven't gotten it yet, 462 00:17:19,724 --> 00:17:21,184 you didn't have security copilot. 463 00:17:21,619 --> 00:17:23,859 No. Not yet. Not yet. But we have 464 00:17:23,859 --> 00:17:25,619 E5. But you have E5, so 465 00:17:25,619 --> 00:17:27,460 you're ready. 
This was and this was one 466 00:17:27,460 --> 00:17:28,920 of those announcements. And 467 00:17:29,220 --> 00:17:30,820 Scott and I talked about it a little 468 00:17:30,820 --> 00:17:32,200 bit on the last podcast, 469 00:17:32,740 --> 00:17:34,420 but we only had the book of news 470 00:17:34,420 --> 00:17:37,154 to go by. Yeah. Now Microsoft has announced 471 00:17:37,154 --> 00:17:39,734 it. There's blog posts out there about it 472 00:17:39,795 --> 00:17:40,295 that 473 00:17:40,674 --> 00:17:42,914 e fives are going to get a certain 474 00:17:42,914 --> 00:17:43,894 level of copilot. 475 00:17:44,275 --> 00:17:46,035 Have you started looking at that? How many 476 00:17:46,035 --> 00:17:47,634 details do you have around that you wanna 477 00:17:47,634 --> 00:17:50,039 share? We are definitely gonna use it for 478 00:17:50,039 --> 00:17:52,859 the Entra ID one and the conditional access 479 00:17:53,240 --> 00:17:55,420 one. The optimization Yeah. The optimization. 480 00:17:55,799 --> 00:17:58,279 Yeah. That's the one we probably the most 481 00:17:58,279 --> 00:17:59,579 most important one, 482 00:17:59,960 --> 00:18:01,720 and then we'll look into the others. I 483 00:18:01,720 --> 00:18:03,134 mean, we can probably 484 00:18:03,515 --> 00:18:06,095 burn through those SCUs. Through all SCUs. Yeah. 485 00:18:06,474 --> 00:18:09,115 Because it's also nice because even though it's 486 00:18:09,115 --> 00:18:11,535 in the license now, it's not that much 487 00:18:11,674 --> 00:18:12,174 anyways. 488 00:18:13,115 --> 00:18:14,795 Right. And I looked at 489 00:18:15,289 --> 00:18:16,730 so have you looked at the cost and 490 00:18:16,730 --> 00:18:18,250 how they're doing all this with the SCUs 491 00:18:18,250 --> 00:18:19,769 and then Yes. I looked into it, and 492 00:18:19,769 --> 00:18:22,289 I think it's gonna be a journey Yeah. 493 00:18:22,490 --> 00:18:25,210 As they say. More journeys. More journeys.
Lots 494 00:18:25,210 --> 00:18:27,289 of journeys we are on. It's a step 495 00:18:27,289 --> 00:18:29,325 in the right direction, I would say. Because 496 00:18:29,325 --> 00:18:31,404 if you wanna get people to use Security 497 00:18:31,404 --> 00:18:33,565 Copilot, this is the right step to do 498 00:18:33,565 --> 00:18:36,525 because nobody in their mind would do it. 499 00:18:36,525 --> 00:18:38,444 Right. And let's look at it going. And 500 00:18:38,444 --> 00:18:40,859 I started looking at the pricing, and it's, 501 00:18:41,179 --> 00:18:42,940 to your point, it's a journey. It's gonna 502 00:18:42,940 --> 00:18:45,019 be interesting to see how this pricing works 503 00:18:45,019 --> 00:18:46,559 out because you essentially 504 00:18:46,859 --> 00:18:48,960 get Microsoft gave an example 505 00:18:49,660 --> 00:18:52,319 of for every it was a thousand 506 00:18:52,859 --> 00:18:53,839 e five licenses, 507 00:18:54,474 --> 00:18:56,335 you would get 400 508 00:18:57,274 --> 00:18:57,774 SCUs. 509 00:18:58,075 --> 00:19:00,875 Yeah. Which is the security compute units. Yes. 510 00:19:00,875 --> 00:19:02,234 But I had to shift it in my 511 00:19:02,234 --> 00:19:03,994 mind because at first it was like, oh, 512 00:19:03,994 --> 00:19:07,375 currently it's like $4 per hour per SCU, 513 00:19:07,960 --> 00:19:10,380 and this is a 400 514 00:19:10,759 --> 00:19:11,259 SCUs 515 00:19:12,279 --> 00:19:12,779 per 516 00:19:13,480 --> 00:19:13,980 month. 517 00:19:14,440 --> 00:19:16,519 So it's like it was a per hour 518 00:19:16,519 --> 00:19:17,019 pricing. 519 00:19:17,880 --> 00:19:19,799 Now it's changing to, like, a quota per 520 00:19:19,799 --> 00:19:22,220 month, and they said there's also no minimum. 521 00:19:22,384 --> 00:19:24,545 So if you have like one e five 522 00:19:24,545 --> 00:19:26,244 you get point four 523 00:19:26,545 --> 00:19:27,904 Yeah. SCUs per month. I don't know how 524 00:19:27,904 --> 00:19:30,085 that's gonna work out. 
But it's not 525 00:19:30,625 --> 00:19:32,465 and at first I was super excited. I'm 526 00:19:32,465 --> 00:19:33,985 like, oh I get two SCUs. And in 527 00:19:33,985 --> 00:19:35,585 my head I was still thinking per hour 528 00:19:35,585 --> 00:19:38,419 not per month. Yeah. Because a thousand users, 529 00:19:38,480 --> 00:19:40,259 400 SCUs a month 530 00:19:40,640 --> 00:19:42,559 only gives you, like you divide that by 531 00:19:42,559 --> 00:19:43,380 thirty days, 532 00:19:43,759 --> 00:19:44,819 you're down to 533 00:19:45,279 --> 00:19:47,279 what, like it's just over, it's like a 534 00:19:47,279 --> 00:19:48,900 120 535 00:19:49,440 --> 00:19:52,154 it no, a hundred and twenty thirty ish. 536 00:19:52,535 --> 00:19:54,555 Yeah. 130 ish SCUs 537 00:19:55,255 --> 00:19:57,734 per day Are gonna be burned through. Break 538 00:19:57,734 --> 00:19:59,755 it down by hour, and you're like, well, 539 00:19:59,815 --> 00:20:01,674 wait a minute. Now I'm down to, like, 540 00:20:01,734 --> 00:20:02,694 1.5 541 00:20:02,694 --> 00:20:05,494 or two SCUs per hour Yeah. For a 542 00:20:05,494 --> 00:20:06,394 thousand users? 543 00:20:07,019 --> 00:20:09,220 I hope we'll be able to make that 544 00:20:09,340 --> 00:20:12,220 the Intune guys get so much and the 545 00:20:12,220 --> 00:20:14,539 Entra ID guys get so much, and the other 546 00:20:14,539 --> 00:20:17,019 security guys get the so like you you 547 00:20:17,019 --> 00:20:18,940 could do today, right, if you bought the 548 00:20:18,940 --> 00:20:20,720 norm the regular old SCUs. 549 00:20:21,615 --> 00:20:23,214 Yeah. So I'm curious to see how that 550 00:20:23,214 --> 00:20:24,654 works because then they said, well, if you 551 00:20:24,654 --> 00:20:26,115 go over, you buy SCUs. 552 00:20:26,654 --> 00:20:28,255 Yeah. And then we are right back at 553 00:20:28,255 --> 00:20:30,575 square one. Right.
Well, now it's an hourly, 554 00:20:30,575 --> 00:20:32,355 but I'm like, well, how do you do 555 00:20:32,414 --> 00:20:34,755 it if you're doing a quota of SCUs 556 00:20:35,775 --> 00:20:36,515 per month 557 00:20:36,849 --> 00:20:39,009 and now you need SCUs, do you start 558 00:20:39,009 --> 00:20:40,549 buying just individual 559 00:20:41,009 --> 00:20:43,029 SCUs now per month? 560 00:20:43,490 --> 00:20:45,970 Or once you run out, do you have 561 00:20:45,970 --> 00:20:46,950 to start paying 562 00:20:47,329 --> 00:20:49,990 per hour for the rest of the month? 563 00:20:50,325 --> 00:20:52,804 Yes. Like and that's where I think it's 564 00:20:52,804 --> 00:20:55,444 gonna be a journey of the documentation I 565 00:20:55,444 --> 00:20:57,544 looked at wasn't super clear 566 00:20:58,644 --> 00:21:01,524 in my mind on how the $6 per 567 00:21:01,524 --> 00:21:02,024 SCU 568 00:21:02,565 --> 00:21:03,304 per hour 569 00:21:03,900 --> 00:21:06,400 or if it's just $6 per SCU now 570 00:21:06,619 --> 00:21:09,259 in the quota per month kinda Yeah. Very 571 00:21:09,420 --> 00:21:10,700 and I didn't know if you looked at 572 00:21:10,700 --> 00:21:13,099 any of that or started trying to figure 573 00:21:13,099 --> 00:21:14,859 that out because you have any vibes and 574 00:21:14,859 --> 00:21:16,380 you wanna go home and use your SCU. 575 00:21:16,380 --> 00:21:19,284 Yes. I'm looking forward. Probably when I get 576 00:21:19,284 --> 00:21:21,924 home, somebody have probably started up paying with 577 00:21:21,924 --> 00:21:25,044 it because it's for free now. Yeah. Otherwise 578 00:21:25,365 --> 00:21:26,724 so this was the other part of what 579 00:21:26,724 --> 00:21:28,404 I saw is if you were paying for 580 00:21:28,404 --> 00:21:30,680 Security Copilot now, you 581 00:21:31,220 --> 00:21:33,220 would get transitioned right away to this new 582 00:21:33,220 --> 00:21:35,860 pricing model. 
And if you aren't paying for 583 00:21:35,860 --> 00:21:36,759 Security Copilot, 584 00:21:37,700 --> 00:21:38,200 you 585 00:21:38,740 --> 00:21:40,259 have to wait. So you might not be 586 00:21:40,259 --> 00:21:41,799 able to play with the right one again. 587 00:21:41,860 --> 00:21:43,940 But we can wait because, I mean, let's 588 00:21:43,940 --> 00:21:46,894 face it. The need hasn't been there. Yeah. 589 00:21:47,195 --> 00:21:49,835 So are there any other yeah. Or security. 590 00:21:49,835 --> 00:21:52,075 Any other security announcements from Ignite that you 591 00:21:52,075 --> 00:21:54,394 were excited about other than you can start 592 00:21:54,394 --> 00:21:57,035 playing with security Copilot now? That would be 593 00:21:57,035 --> 00:21:57,775 the agents. 594 00:21:58,154 --> 00:21:59,994 The a there were a bunch of like, 595 00:21:59,994 --> 00:22:02,769 there's a bunch the security Copilot agents. Yes. 596 00:22:02,769 --> 00:22:05,009 A bunch of them. I haven't actually looked 597 00:22:05,009 --> 00:22:07,509 into them. Okay. I can't remember their names. 598 00:22:09,170 --> 00:22:11,650 I remember a few only because I've seen 599 00:22:11,650 --> 00:22:14,450 them already. Like, there were some agents that 600 00:22:14,450 --> 00:22:17,829 already existed. The conditional access optimization agent, 601 00:22:18,914 --> 00:22:22,194 the phishing remediation agent. Yeah. That one. That's 602 00:22:22,194 --> 00:22:24,914 also a really nice one. Yeah. Those but 603 00:22:24,914 --> 00:22:26,994 I think there were, like Five or six 604 00:22:26,994 --> 00:22:29,154 months? Well, there were five or six before. 605 00:22:29,154 --> 00:22:30,534 I think there's at least, 606 00:22:30,869 --> 00:22:32,630 I think there's, like, another six to 10 607 00:22:32,630 --> 00:22:35,430 agents Ugh. That came out now. 
So I 608 00:22:35,509 --> 00:22:37,029 again, if there were any of those that 609 00:22:37,029 --> 00:22:39,609 you were excited about that you've looked at. 610 00:22:39,670 --> 00:22:40,329 I haven't. 611 00:22:40,789 --> 00:22:43,109 I can almost imagine now it's gonna be 612 00:22:43,109 --> 00:22:44,809 governance towards agents. 613 00:22:45,704 --> 00:22:47,464 Well, there is. We got agent three sixty 614 00:22:47,464 --> 00:22:49,484 five now for configuring our agents. Right? 615 00:22:50,505 --> 00:22:52,984 I saw so here's another one. I'm curious 616 00:22:52,984 --> 00:22:54,605 if you think this one will help. 617 00:22:55,704 --> 00:22:57,545 I saw some talk too about, like, a 618 00:22:57,545 --> 00:23:00,070 DLP agent around DLP remediations 619 00:23:00,609 --> 00:23:03,330 Yeah. Where an agent now and I can't 620 00:23:03,330 --> 00:23:05,269 remember if it's here or if it's coming. 621 00:23:05,330 --> 00:23:07,509 We're, like, you send an email, and 622 00:23:07,809 --> 00:23:09,990 instead of maybe using some of the regular 623 00:23:10,049 --> 00:23:13,029 expressions and detection there for sensitive information, 624 00:23:13,734 --> 00:23:16,394 starting to leverage an AI agent to detect, 625 00:23:16,774 --> 00:23:18,934 was this a sensitive email? And then if 626 00:23:18,934 --> 00:23:19,595 it is, 627 00:23:20,134 --> 00:23:21,734 instead of sending it to the SOC right 628 00:23:21,734 --> 00:23:24,075 away, sending it back to the end user, 629 00:23:24,375 --> 00:23:26,474 like, maybe it's a Teams message or something. 630 00:23:26,569 --> 00:23:28,329 Did you mean to send this email? Did 631 00:23:28,329 --> 00:23:30,429 you realize there was sensitive information in 632 00:23:30,730 --> 00:23:32,890 it? Almost to let the end user self 633 00:23:32,890 --> 00:23:33,390 remediate. 634 00:23:34,009 --> 00:23:36,329 And if it turns out that, no.
I 635 00:23:36,329 --> 00:23:38,329 didn't send this email, then it goes to 636 00:23:38,329 --> 00:23:39,529 the SOC team or if it's, yeah, I 637 00:23:39,529 --> 00:23:41,515 sent this email. No. I didn't realize there 638 00:23:41,515 --> 00:23:43,035 was sensitive information in it. We need to 639 00:23:43,035 --> 00:23:44,955 open an incident, then it goes to the 640 00:23:44,955 --> 00:23:47,035 SOC team. So trying to eliminate some of 641 00:23:47,035 --> 00:23:48,714 that noise that goes to the SOC team. 642 00:23:48,714 --> 00:23:51,195 That's actually really smart. Right? Yeah. I thought 643 00:23:51,195 --> 00:23:53,275 the same thing. I was like, oh, I 644 00:23:53,275 --> 00:23:55,515 like the work. On the SCU cost, of 645 00:23:55,515 --> 00:23:58,109 course. Depending on the SCU cost. But it's 646 00:23:58,109 --> 00:23:59,490 free now with an e five. 647 00:24:01,549 --> 00:24:04,210 Yes. Whoever comes first that day. 648 00:24:05,309 --> 00:24:06,990 Yeah. The fir the first two or three 649 00:24:06,990 --> 00:24:09,710 people get the agent for Yeah. DLP, and 650 00:24:09,710 --> 00:24:11,649 then after that, it's all over. Yeah. 651 00:24:12,085 --> 00:24:13,125 I know. I had to keep an eye 652 00:24:13,125 --> 00:24:15,125 on time. We've been doing some labs. You 653 00:24:15,125 --> 00:24:17,605 and I both been practicing labs this week. 654 00:24:17,605 --> 00:24:19,765 Those have been fun. Any other highlights from 655 00:24:19,765 --> 00:24:20,265 Ignite? 656 00:24:21,285 --> 00:24:22,965 Okay. I know how you feel about San 657 00:24:22,965 --> 00:24:23,465 Francisco. 658 00:24:24,019 --> 00:24:25,720 We don't need to talk about San Francisco. 659 00:24:25,940 --> 00:24:27,700 We're not talking we're not gonna make fun 660 00:24:27,700 --> 00:24:29,139 of San Francisco. We can't talk about San 661 00:24:29,139 --> 00:24:31,079 Francisco.
Actually, my experiences 662 00:24:31,460 --> 00:24:33,859 has been nice, but being a proctor and 663 00:24:33,859 --> 00:24:36,759 having the expert badge with the special entrances 664 00:24:36,980 --> 00:24:39,460 helps a lot. It does. I must admit 665 00:24:39,460 --> 00:24:42,154 that seeing these people rock walking through metal 666 00:24:42,154 --> 00:24:42,654 detectors 667 00:24:42,955 --> 00:24:45,835 constantly, it's a pain. Right? It is. I 668 00:24:45,835 --> 00:24:47,914 heard it from and getting the bag search 669 00:24:47,914 --> 00:24:48,654 each time, 670 00:24:48,955 --> 00:24:52,075 it's it's really frustrating for some. I heard 671 00:24:52,075 --> 00:24:53,835 it from all the colleagues I'm with and 672 00:24:53,835 --> 00:24:56,609 the other fellow Danes. Okay. They really hate 673 00:24:56,609 --> 00:24:58,769 it going from building to building building to 674 00:24:58,769 --> 00:25:01,570 building. Yeah. And the the venue is so 675 00:25:01,570 --> 00:25:03,650 fast spread. Right? If you have sessions down 676 00:25:03,650 --> 00:25:04,150 at 677 00:25:04,849 --> 00:25:05,349 Marquis 678 00:25:05,809 --> 00:25:06,309 Yeah. 679 00:25:06,930 --> 00:25:08,944 It's a walk. I walked over there this 680 00:25:08,944 --> 00:25:11,025 morning. Yeah. It's fifteen minutes or something before 681 00:25:11,025 --> 00:25:13,505 you actually reach the room. Uh-huh. And then 682 00:25:13,505 --> 00:25:15,825 you have to go back into, the West 683 00:25:15,825 --> 00:25:18,464 Moscone Center. Yeah. You you use you use 684 00:25:18,464 --> 00:25:20,545 a lot of time walking. You do. And 685 00:25:20,545 --> 00:25:22,850 it does feel I'm glad I'm here. I 686 00:25:22,850 --> 00:25:25,090 still love being at Ignite. It's bigger than 687 00:25:25,090 --> 00:25:27,350 last year. Yep. Definitely. But it feels 688 00:25:27,970 --> 00:25:30,130 smaller to me because of how spread out 689 00:25:30,130 --> 00:25:32,930 everything is.
Like, I miss everything being when 690 00:25:32,930 --> 00:25:35,585 it was closer together, there were definitely it 691 00:25:35,585 --> 00:25:37,424 was harder in some respects, it was harder 692 00:25:37,424 --> 00:25:38,944 to get around because everybody was shoulder to 693 00:25:38,944 --> 00:25:41,184 shoulder. Yeah. But I felt like you saw 694 00:25:41,184 --> 00:25:41,924 more people. 695 00:25:42,464 --> 00:25:43,204 You did. 696 00:25:43,825 --> 00:25:45,744 Yeah. I it's all but I like the 697 00:25:45,744 --> 00:25:47,984 expo, the hub area and the expo in 698 00:25:47,984 --> 00:25:50,569 the Moscone's in the South. It's pretty nice. 699 00:25:50,789 --> 00:25:53,589 What? Any highlights? Any vendors you've seen or 700 00:25:53,589 --> 00:25:55,589 any highlights from the hub? People you've run 701 00:25:55,589 --> 00:25:56,089 into? 702 00:25:56,630 --> 00:25:58,569 I like the MVP wall, the new MVP 703 00:25:58,630 --> 00:26:01,909 wall. Yes. It's curvy. Right? It's curvy. And 704 00:26:01,909 --> 00:26:04,244 a lot of names. A lot of names. 705 00:26:04,404 --> 00:26:05,684 Did you get your picture by the MVP? 706 00:26:05,684 --> 00:26:07,684 Yes. I did. Of course. Hey. That's what 707 00:26:07,765 --> 00:26:10,085 Were you on the MVP? So the wall's 708 00:26:10,085 --> 00:26:12,404 curvy. Right? Yeah. But if you're on one 709 00:26:12,404 --> 00:26:14,424 end of it, you can't see the MVP 710 00:26:14,484 --> 00:26:17,470 logo and your name because it's curved. Thank 711 00:26:17,470 --> 00:26:18,369 you for that. 712 00:26:19,230 --> 00:26:20,990 I am down in the corner. You're down 713 00:26:20,990 --> 00:26:22,829 in the corner? Yeah. Let's go down. The 714 00:26:22,990 --> 00:26:24,349 okay. So you're in front so you can 715 00:26:24,349 --> 00:26:26,109 see the MVP logo when you're by your 716 00:26:26,109 --> 00:26:28,429 name? Nope. Oh, you're down to, like, around 717 00:26:28,429 --> 00:26:29,950 the corner. Yes. I'm around the corner. 
Oh, 718 00:26:29,950 --> 00:26:32,715 I'm sorry. Yeah. No. I can actually oh. 719 00:26:32,715 --> 00:26:34,875 And now that I'm thinking about it, maybe 720 00:26:34,875 --> 00:26:36,555 I just took it from the wrong side, 721 00:26:36,555 --> 00:26:37,615 the picture. Yeah. 722 00:26:38,715 --> 00:26:40,154 Oh, man. I need to go ahead and 723 00:26:40,154 --> 00:26:41,035 check. We'll go back and do that. Yeah. 724 00:26:41,035 --> 00:26:42,795 We'll go back. Any other highlights from Ignite? 725 00:26:42,795 --> 00:26:45,089 Like, what have you despite some of the 726 00:26:45,089 --> 00:26:47,250 differences with it being out here, what have 727 00:26:47,250 --> 00:26:49,029 you enjoyed from being out here? Highlights? 728 00:26:49,890 --> 00:26:52,769 Like social or really Ignite stuff? Anything. I 729 00:26:52,769 --> 00:26:54,450 like the city. I like the tourist stuff. 730 00:26:54,450 --> 00:26:56,529 It's my first time in San Francisco. I 731 00:26:56,529 --> 00:26:57,015 like it. 732 00:26:58,055 --> 00:27:00,055 Certain areas you have to avoid, of course. 733 00:27:00,055 --> 00:27:02,375 Yeah. But I'm guessing that's normal probably in 734 00:27:02,375 --> 00:27:04,454 each city. And it's normal. I would say 735 00:27:04,454 --> 00:27:06,695 in Jacksonville, it's normal. Like, there's areas of 736 00:27:06,695 --> 00:27:07,195 Jacksonville. 737 00:27:07,575 --> 00:27:10,214 There's areas it's been in Orlando before. There's 738 00:27:10,214 --> 00:27:11,835 areas of Orlando you should avoid. 739 00:27:12,150 --> 00:27:14,630 Chicago, it's been in there are absolutely areas 740 00:27:14,710 --> 00:27:16,789 I grew up close to Chicago. There's absolutely 741 00:27:16,789 --> 00:27:18,789 areas of Chicago you just do not go 742 00:27:18,789 --> 00:27:21,269 into. 
I've had friends that were escorted by 743 00:27:21,269 --> 00:27:21,769 police 744 00:27:22,070 --> 00:27:23,450 out of areas of Chicago 745 00:27:24,434 --> 00:27:26,554 because it was so dangerous. But Yeah. Okay. 746 00:27:26,755 --> 00:27:29,154 Anyways, that's beside the point. You you've enjoyed 747 00:27:29,154 --> 00:27:31,075 some of the tourists walking up. So did 748 00:27:31,075 --> 00:27:32,694 you get out to, like, Pier 39? 749 00:27:32,755 --> 00:27:34,534 Yeah. I've I've been I've been all over. 750 00:27:35,394 --> 00:27:37,575 Alright. What about from Ignite? Any highlights 751 00:27:38,700 --> 00:27:39,679 from the conference? 752 00:27:40,299 --> 00:27:42,539 I actually liked the keynote. It was fun. 753 00:27:42,539 --> 00:27:43,759 Was it? Yeah. 754 00:27:44,299 --> 00:27:46,140 I mean, it was a bit high level. 755 00:27:46,140 --> 00:27:48,700 Some it wasn't technical and that Yeah. Keynotes 756 00:27:48,700 --> 00:27:50,480 never are. No. So 757 00:27:50,804 --> 00:27:53,204 I liked it on a marketing level. Alright. 758 00:27:53,204 --> 00:27:54,664 Have you had fun with the labs? 759 00:27:55,044 --> 00:27:57,625 Oh, yeah. Well, you know how it went. 760 00:27:57,845 --> 00:27:59,845 I had fun today. You have fun today 761 00:27:59,845 --> 00:28:02,404 with the labs. Today? The labs actually worked 762 00:28:02,404 --> 00:28:04,424 today. Okay. Yeah. We had issues 763 00:28:04,859 --> 00:28:07,019 because getting back from the keynote because it 764 00:28:07,019 --> 00:28:10,380 was thirty minute drive away. Yep. So people 765 00:28:10,380 --> 00:28:12,640 getting back in time for the first labs 766 00:28:12,859 --> 00:28:15,019 when the conference started, really started after the 767 00:28:15,019 --> 00:28:17,900 keynote. They didn't because there were traffic jams 768 00:28:17,900 --> 00:28:19,440 and Okay. People were late.
769 00:28:19,819 --> 00:28:22,515 And what you what even what's more worse 770 00:28:22,515 --> 00:28:25,474 is that the Cloudflare incident happened that day. 771 00:28:25,474 --> 00:28:28,275 Yes. So that meant all the labs were 772 00:28:28,275 --> 00:28:30,755 in hosted in GitHub, and the repos were 773 00:28:30,755 --> 00:28:33,794 down, couldn't be accessed. So our instructions for 774 00:28:33,794 --> 00:28:35,154 our labs were Got 775 00:28:35,929 --> 00:28:37,929 it's funny because it went down and everybody's 776 00:28:37,929 --> 00:28:40,009 like, but GitHub's a Microsoft company. Why are 777 00:28:40,009 --> 00:28:42,829 these in CloudFlare and not, like, Azure? Yeah. 778 00:28:42,970 --> 00:28:44,890 Yeah. The front door. It is what it 779 00:28:44,890 --> 00:28:46,410 is. It is. I would say like, I 780 00:28:46,410 --> 00:28:47,929 proctored labs too, and I would say that's 781 00:28:47,929 --> 00:28:49,769 been one of the highlights. And even talking 782 00:28:49,769 --> 00:28:50,250 to people 783 00:28:50,765 --> 00:28:52,125 and we've talked about it before, I think, 784 00:28:52,125 --> 00:28:54,205 in the podcast, for Ignite has a little 785 00:28:54,205 --> 00:28:55,725 bit more of a sales feel and less 786 00:28:55,725 --> 00:28:57,884 of a technical feel. But I think the 787 00:28:57,884 --> 00:28:58,384 labs, 788 00:28:58,684 --> 00:29:01,265 I would say, are a well kept secret, 789 00:29:01,485 --> 00:29:03,404 but the labs I've been in have been, 790 00:29:03,404 --> 00:29:06,369 like, jam packed with people. Yeah. 
Is if 791 00:29:06,369 --> 00:29:08,289 you're gonna come to a future Ignite, because 792 00:29:08,289 --> 00:29:10,230 this is gonna come out after Ignite's been 793 00:29:10,369 --> 00:29:12,529 said and done this year, and you want 794 00:29:12,529 --> 00:29:13,509 more technical 795 00:29:14,130 --> 00:29:16,849 content, I would actually recommend going and doing 796 00:29:16,849 --> 00:29:19,009 the labs for a couple of reasons. One, 797 00:29:19,009 --> 00:29:21,694 yeah, they're click, like, it's the click click. 798 00:29:21,694 --> 00:29:23,954 Right? You follow the instructions, click through, 799 00:29:24,255 --> 00:29:26,115 but you do get to get your hands 800 00:29:26,494 --> 00:29:26,994 on 801 00:29:27,295 --> 00:29:28,755 more technical aspects 802 00:29:29,055 --> 00:29:30,815 than maybe you would learn about if you 803 00:29:30,815 --> 00:29:32,894 went to a session. Yeah. And the other 804 00:29:32,894 --> 00:29:34,414 thing I would say is I don't know 805 00:29:34,414 --> 00:29:36,809 about your lab. My labs, it's the product 806 00:29:36,809 --> 00:29:38,809 group for the features. I've been doing identity 807 00:29:38,809 --> 00:29:39,309 governance. 808 00:29:39,849 --> 00:29:41,929 So I had, like, the product manager for 809 00:29:41,929 --> 00:29:45,549 PIM and one of the product managers for 810 00:29:46,250 --> 00:29:48,250 can't remember if it was for Entra, but 811 00:29:48,250 --> 00:29:50,650 it was different product managers for the products 812 00:29:50,650 --> 00:29:53,024 involved in ID governance. So if you had 813 00:29:53,024 --> 00:29:55,125 questions about the products, 814 00:29:55,504 --> 00:29:57,184 like, it was a great way after the 815 00:29:57,184 --> 00:29:59,664 labs or even during the labs Yeah. To 816 00:29:59,664 --> 00:30:01,365 be able to talk to the people 817 00:30:02,144 --> 00:30:04,224 that are in charge of these different features. 818 00:30:04,224 --> 00:30:05,984 Yes. 
Was that your experience too in your 819 00:30:06,065 --> 00:30:07,880 Yes. Lab? It was. Because, 820 00:30:08,740 --> 00:30:12,039 our guys also were close to MDE team. 821 00:30:12,099 --> 00:30:14,740 Okay. So, yeah, it was defender related, but 822 00:30:14,740 --> 00:30:16,680 mostly MDO and MDE 823 00:30:17,299 --> 00:30:19,720 stuff were was were in our labs. 824 00:30:20,180 --> 00:30:21,000 But, yeah, 825 00:30:21,585 --> 00:30:23,345 it was a pleasure seeing it because our 826 00:30:23,345 --> 00:30:25,585 labs were also full and the capacity was 827 00:30:25,585 --> 00:30:27,284 around 115 828 00:30:27,424 --> 00:30:30,304 as I recall in our room. Yeah. And, 829 00:30:30,784 --> 00:30:32,784 I'm going back in just a second when 830 00:30:32,784 --> 00:30:34,650 we are done for the last. That's gonna 831 00:30:34,650 --> 00:30:36,509 be the fourth of the labs. Right? 832 00:30:37,049 --> 00:30:39,390 And it's also sold out. So 833 00:30:39,930 --> 00:30:42,029 people really like the labs, but sometimes 834 00:30:42,570 --> 00:30:44,970 they go down and they then people leave. 835 00:30:44,970 --> 00:30:46,430 Yeah. It walkouts 836 00:30:46,809 --> 00:30:48,430 rarely, but it happened again 837 00:30:48,884 --> 00:30:50,105 yesterday because 838 00:30:50,484 --> 00:30:53,285 our tenant provisioning didn't work. So people were 839 00:30:53,285 --> 00:30:55,525 just yeah. We're gonna go with lessons learned, 840 00:30:55,525 --> 00:30:56,884 and then if you're listening to this now, 841 00:30:56,884 --> 00:30:59,285 next year will be better because they've learned 842 00:30:59,285 --> 00:31:01,125 some less I think they've learned some lessons 843 00:31:01,125 --> 00:31:02,404 this year. And I would say even as 844 00:31:02,404 --> 00:31:04,809 the week's gone on, they've learned some lessons 845 00:31:04,809 --> 00:31:07,630 about it's I mean, it's not easy.
Capacity 846 00:31:07,690 --> 00:31:09,149 in here is a 115, 847 00:31:09,369 --> 00:31:11,130 but there's I don't know how many labs. 848 00:31:11,130 --> 00:31:12,970 There's probably 10 or 15 labs going on 849 00:31:12,970 --> 00:31:13,470 simultaneously. 850 00:31:14,169 --> 00:31:14,909 Yep. Precisely. 851 00:31:15,210 --> 00:31:17,154 That's like 1,500 852 00:31:17,154 --> 00:31:18,615 tenants getting provisioned 853 00:31:18,914 --> 00:31:20,595 to these labs at the same time. It's 854 00:31:20,595 --> 00:31:21,095 not 855 00:31:21,475 --> 00:31:22,215 a insignificant 856 00:31:22,674 --> 00:31:24,674 feat to do something like that. And it's 857 00:31:24,674 --> 00:31:26,835 a fully live tenant, right, in our labs? 858 00:31:26,835 --> 00:31:28,375 So it's a 115 859 00:31:28,835 --> 00:31:29,654 live tenants 860 00:31:30,289 --> 00:31:33,109 spinning up. Yeah. Yeah. It's complicated. 861 00:31:33,410 --> 00:31:36,210 Yeah. For sure. Awesome. Well, thanks, Henrik. Thanks 862 00:31:36,210 --> 00:31:37,650 for joining me. I know you have a 863 00:31:37,650 --> 00:31:39,650 lab to get to. Yes. Thanks. I might 864 00:31:39,650 --> 00:31:41,009 go down to the hub and try to 865 00:31:41,009 --> 00:31:43,809 find more Swag. Yeah. See what I can 866 00:31:43,809 --> 00:31:44,869 come up with. Yeah. 867 00:31:45,315 --> 00:31:47,734 Glad that we've talked about doing this for 868 00:31:48,274 --> 00:31:50,355 A long time. A long time. We yeah. 869 00:31:50,355 --> 00:31:52,595 At MVP Summit or other Ignites, and it 870 00:31:52,595 --> 00:31:54,914 just it hasn't worked out. You got sick 871 00:31:54,914 --> 00:31:57,730 once on me. Yeah. But glad we could 872 00:31:57,730 --> 00:31:59,349 sit down and do it here at Ignite. 873 00:31:59,409 --> 00:31:59,909 And 874 00:32:00,369 --> 00:32:02,450 Yeah. Same to you. It was nice doing 875 00:32:02,450 --> 00:32:04,609 it. Alright. Well, thanks. Yeah. Glad you enjoyed 876 00:32:04,609 --> 00:32:05,890 it.
Hope you enjoy your lab and the 877 00:32:05,890 --> 00:32:07,730 rest of Ignite. And Yes. I hope you 878 00:32:07,730 --> 00:32:09,809 get some swag. Thanks. And hopefully, we'll catch 879 00:32:09,809 --> 00:32:12,345 up again soon. Yeah. Bye. Bye 880 00:32:14,345 --> 00:32:16,825 bye.