
October 9, 2025 32 mins
Welcome to Episode 412 of the Microsoft Cloud IT Pro Podcast. In this episode, we explore three announcements from Microsoft that are reshaping how security teams work with Sentinel. From a reimagined data architecture to AI integration and new visualization capabilities, Microsoft is doubling down on making security operations more intelligent, efficient, and accessible. Whether you're a seasoned SOC analyst or just getting started with cloud security, these updates offer powerful new ways to detect threats, investigate incidents, and understand your security posture.

Your support makes this show possible! Please consider becoming a premium member for access to live shows and more. Check out our membership options.

Show Notes

Logitech MX Master 4, Ergonomic Wireless Mouse with Advanced Performance Haptic Feedback, Ultra-Fast Scrolling, USB-C Charging, Bluetooth, Windows, MacOS - Graphite
Microsoft Sentinel data lake is now generally available
Announcing Microsoft Sentinel Model Context Protocol (MCP) server – Public Preview
What is Microsoft Sentinel’s support for Model Context Protocol (MCP)?
Add Microsoft Sentinel's collection of MCP tools
Introducing Microsoft Sentinel graph (Public Preview)
Graph models overview (preview)

About the sponsors

Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode 412
of the Microsoft Cloud IT Pro podcast recorded
live on 10/03/2025.
This is a show about Microsoft 365
and Azure from the perspective of IT
pros and end users, where we discuss a
topic or recent news and how it relates
to you. Microsoft Sentinel gets its own data
lake, graph, and MCP server, and we have

(00:26):
all the details. Whether you're a seasoned SOC
analyst or just getting started with cloud security,
you don't want to miss the powerful new
ways to detect threats, investigate incidents, and understand
your security posture that these new features offer.
I have a problem, Scott. Is that the
first thing to having a problem is admitting

(00:47):
you have a problem? It's part of the
steps. Yeah. Oh, weird. Now Teams is kinda
doing it for me, but I only see
it in Teams, like, with your video.
Microsoft is gonna Microsoft. No. I squirrel yeah.
Squirrel. Logitech MX
Master four came out the other day, and
I may have bought two, like, the day
it came out for same day delivery on
Amazon. I have a problem.

(01:10):
I needed one for my desk and one
for when I'm not at my desk. Okay.
So you're gonna be living that haptic
mouse lifestyle,
I'm looking at my mouse as I talk
about it. The haptic to me is like,
whatever. I like the way they move the
button though because I had the Logitech MX
Master three s two, and they had, like,
the thumb button that was like under your
thumb knuckle, and that was just a weird

(01:31):
motion for me to push down on the
thumb knuckle. They kinda moved it up so
you can now push in with your thumb
to get that button, which is kinda nice.
But I'm still
it feels different than the three s, and
I've seen some other comments about this. I
don't know if it's a little bit thinner
or if it's not the rubbery.
But do you when you use a mouse,

(01:51):
do you, like, squeeze it and pick it
up sometimes and move it around on your
desk because you run into your keyboard or
run into
something else on your desk.
All the time. I couldn't tell you why.
That feels different on this mouse, and it's,
like, not as comfortable different. Like, it's a
little bit harder for me to grab and
pick up, and I couldn't tell you exactly

(02:12):
why. I'd have to, like, get them and
put them side by side. But I've seen
some other people make some similar comments about
it. I've got a three an MX Master
three and a three s, and because same
thing. Like, hey, like day mouse, night mouse,
or
you need one in your backpack when you
travel, things like that. I don't like how
the rubber always, like, gives way on them,
and they are actually kind of big. So

(02:33):
I think what I'm gonna do is rather
than go into the MX4,
I'm gonna go to maybe one of, like,
the gaming mice, like a high DPI gaming
mouse, and so so Logitech
has some of those as well. And then
my honestly, my biggest nit about the MX
Master
in general is, like, it's got, like, great
ergonomics with this, like, slant on the front

(02:55):
of it. But the slant for the right
button,
it slides right underneath the charging mat for
my Ember Mug. So, like, if I'm sliding
my hand up because I'm gonna go grab
my coffee and then but then I've got
my mouse there too, and I'm just gonna,
like, park my mouse up there, It gets
all the way up, and it goes underneath,
like, the little charging
like, the charging pad for the ember mug

(03:16):
kinda thing. And then it gets stuck there
or it just clicks, and every single time.
So I need a mouse that's, like, a
little bit taller or where both the buttons
are shorter, and then I can just I
can live a different life. First world problems
when your mouse and your It's hard to
be over here. Yeah. First world problems, for
sure. Your ember mug and your mouse are

(03:36):
not compatible. They're not. Yeah. So the one
thing I like, I've tried other mice before.
I've played with different ones. I haven't looked
enough at the gaming mice. Do any of
the gaming mice have the horizontal
scroll
it's not real I guess it's a scroll
wheel, the horizontal scroll
wheel thing on them. Some do. So I've
mostly looked at, like, the not I'm not

(03:56):
talking all about, like, a Razer gaming mouse,
but Logitech makes, like, a G series. So
if you go look at, like, the G
series, they have the same thing with the
infinite scroll
and all they have a lot of similarities
to the MX masters just without
the ergonomics
slash
productivity thing. And then I guess one other

(04:16):
question for you before we move on. So
Logitech makes
absolutely
horrible software. Like their software is the worst
in Logi options and things like that. My
understanding was for the MX4 and what I
saw in the reviews was for that haptic
trackpad with the little, like, pioneer ish circle
that that that comes up, that requires Logi

(04:37):
options.
And I don't think I'm willing to reinstall
Logi options on my Mac. Like, I've ripped
it off so many times and just don't
use it. See, I've always had it on
because
I use it for, like, my spotlight
presenter
and,
yeah, I've just resigned myself to the fact
that I need it on there. So but
that is I've seen the same thing, and

(04:59):
I've had Logi options, so I haven't tried
it without it. But
given how it works, it feels like it
would not work without the software. But the
rubber thing that you said, that's the other
thing that people have not liked. Well, mixed
reviews on it is that this one, they
took away a lot of the rubber. It's
much more hard plastic than rubber on the

(05:20):
four. That's good though. Like, because the rubber
the other thing is, like, if you I
mean, if you just Mine looks Yeah. It's
pretty bad.
Like, I'd be willing to throw them out
just based on the and you can't really
clean them either. Like, they start to, like,
eat away and disintegrate, and, yeah, they're just
not Doctor. Because it's rubber. Like Doctor. Not
Doctor. Whatever you'd use to clean it would
disintegrate the rubber, make it worse, and yeah.

(05:42):
So it is much more hard plastic with
the four. But it again, because of that,
I'm so used to the rubber on the
three s. It does it just feels different,
and that might even be part of the
grip thing as it just isn't as sticky.
I don't know. I don't know if you
want your mouse to be sticky or if
that's just gross if you have a sticky
mouse. Not the way that you said sticky
the first time, but, you you know.

(06:04):
Yeah. Okay. New mice are out there. So
if anybody has a suggestion for Scott on
a mouse that is not the MX Master
four or the MX Master three or the
three s, but, you you know, maybe something
to move on to next. The other one
I've been toying with, and not that I
have it, I haven't had RSI for a
long time, but thankfully, but I was thinking

(06:25):
about, like, maybe going back to a vertical
mouse for a little bit and trying some
of that. Doesn't Keychron I feel like Keychron
did Keychron make, like, a knockoff MX Master?
They made something. Yeah. It's not that one.
Yeah. They have some
I haven't tried theirs. This one, like, the
Keychron m six
wireless totally looks like a knockoff of the

(06:47):
MX Master.
Yeah. They've got some. Anyways, yes. Give Scott
a suggestion. Reach out to Scott on LinkedIn.
Let him know which mouse he should get,
and we can talk about it. Alright. News.
Your news, my news, all the news. We
have, like I wouldn't say a bunch of
news. There were I wasn't sure what I
was gonna talk about, and then yesterday, there
were a bunch of announcements

(07:07):
around a certain topic that I was like,
oh, this is fun. But then you had
some too. What do you wanna talk about
first? We start wherever
you would like. You want to start on
the Azure side or
the M365 side? Or I guess kind of
both, right? So you had some Sentinel stuff
in there, but Yeah. Mine is more like
crossover. It's all Sentinel stuff, which could be
either or. Why don't we start with some

(07:28):
Sentinel stuff and see where it takes us?
The first one, this is one let me
go up to here. Sentinel Data Lake. Have
you seen how you can start, like, just
turning on Sentinel now to go into Data
Lake? This was in preview for the last
couple months or so. Lots of services are
starting to do this, right? They're taking their
kinda their more formal structured data and then

(07:48):
giving you the opportunity to, like, either export
that structured data. So, like, maybe Yep. Like
if Sentinel is being driven by a graph
and a bunch of parquet files, things like
that, or a Delta Lake, Delta Table in
the background. Why not just let you push
those artifacts over someplace else or also start
to do, like, more granular exports and all
sorts of good stuff like that? Like, got

(08:08):
a storage account? Export. Here you go. I've
had it in preview for a little bit,
and I'm like, for what I have done
so far with Sentinel, it didn't make a
big difference,
but I ran it in preview. Well, that
is now GA'd. So yesterday, Septem well, not
yesterday. This was September 30. A few days
ago, beginning of the week, this Sentinel data
lake is now

(08:28):
generally available. So if you want to
go turn that on, like, it's just a
click click through
the
security center. So I don't think you can
do this, and this ties back to one
of our other announcements.
If you go to Sentinel via Azure, like,
if you go to Azure and search for
Sentinel,
I haven't seen this pop up there. But

(08:51):
if you go to your security center in
or Defender, I guess, security.microsoft.com,
where Sentinel's gonna live down the road all
the time anyways,
you can go connect Sentinel there. And then
once Sentinel's connected there, you get the option
to
go turn on data lake for Sentinel, and
you still have to pick, like you're gonna

(09:12):
still pay for it. You pick an Azure
subscription, you pick a resource
group, and click, and it goes and creates
the data lake and wires it all up
and connects it all. And
based on what I've seen in Sentinel so
far too, it isn't
necessarily
pushing it all over. Like, if I go
look through Sentinel now, I have two different
icons for some of my

(09:33):
data tables in Sentinel,
ones that are still in the typical log
analytics and then a bunch of them that
are now
in Data Lake. Yeah. I think it'll be
good.
Certainly, there's there's
there's that pesky cost component, right, of of
being in the cloud and running those things
through. So there's things that I think customers

(09:54):
would want to do
with
longer term trends
based on some of these things. So maybe
like anomalous user logins over time is really
nice for the past couple days, it's nice
for the past month,
it could be nice to go back six
months or a year. Maybe you wanna track
some kind of like a
KPI for yourself to improve your business or

(10:15):
make sure that you're moving in the right
direction.
So for these systems, things like Sentinel that
are generating a large amount of what's really
just time series driven data.
So here's a time, here's an event, and
I'm sure the text of the event strippers,
but to be able to go back in
time over those things
is important.

(10:36):
And then it's also expensive to generate a
bunch of time series data and have it
just sitting there, especially in, like, some kind
of, like, really hot, like, queryable
thing. So Sentinel in the background, when you're
writing, like, your queries, they're all KQL queries.
Like, you don't have to go too high
too far to imagine that, oh, it's just
Azure Data Explorer in the back end, right,

(10:57):
with with all that. So so you're dealing
with those constraints and those things there. So
it's nice to have the option to export
it out, but then be able to continue
to query it and do those things that
you need to do, albeit with additional latency
and things like that. But I think that's
all good stuff. Gives customers
more options

(11:18):
and allows you also to do things like
have these kinda longer term
initiatives that you can actually track over time
without having to, like, oh, no. I gotta
export all the data for this month, right?
Lay it in a spreadsheet, and if I
don't do it next month or I do
it on a different day, then it's inconsistent,
things like that. That all goes away. Yeah.
And there's some other updates that have come
along with this. The whole article's there around

(11:41):
different use cases for it, but some upgrades
and benefits too when it comes
to some of those enhancements around your notebooks
in Sentinel.
Yeah. Like you said, some cost benefits there
to going into
Data Lake. But then they also
and this is what really caught my eye.
Like, I was like, okay. Great. It went
GA. But if you look on the GA

(12:03):
announcement,
it also you'll notice on the screen, and
it talks about it in the announcement, they're
also introducing some new platform capabilities
built on Sentinel data lake. So once you
get your data there, you're starting to do
it, there is now a Sentinel graph.
And we can talk about this. I've played
with this a little bit. But then, also,

(12:24):
an MCP server for Sentinel that's like a
Microsoft
native one. So we had talked about MCP
servers a few episodes back, like the Lokka
that Merill had created.
I think I mentioned I had gone out
and found, like, a third party Sentinel one
because I was like, oh, a Sentinel MCP
server would be kinda cool. And we talked

(12:44):
about some of the security concerns, and, ironically,
like, a week ago, I sent you an
article
as well from the first malicious MCP server
found where it was stealing emails and rogue
rogue postmark
settings, and we kinda talked about that. Right?
Like, you go grab a third party MCP
server without looking at the code. What is
it doing? Obviously, something like Sentinel you wanna

(13:06):
trust. So seeing Microsoft come out with this
MCP server as well, that was all kind
of rolled into Data Lake's GA.
Now you can go look at this graph
in this MCP server as well if you
wanna go swing over to Sentinel Data Lake.
I wonder over time, I don't know if
I think things will continue to like kind
of churn and consolidate still. So we've seen

(13:29):
a bunch of this at least with the
things like the Kusto MCP server. Like, there
was a Kusto one, and then it got
rolled into the Fabric one. Fabric one's out
there. Now you have a a Sentinel one.
You have all these different, like, flavors and
variations as folks are chasing things. Like, I
do wonder or and I also kinda hope
over time that it does consolidate a little

(13:49):
bit. I I I don't know how it's
getting for you since we did that MCP
episode. I just have more and more MCP
servers that are, like, going in. And for
every MCP server that's being added into my
client that I'm working in that day, like
VS Code, things like that, it's also getting
really hard
to wrangle the servers, especially the ones that

(14:10):
have lots of tools associated with them. So
I think the Azure MCP server is actually
a good example of this because it's got,
like, tools for a whole bunch of different
Azure services.
And I think at one point, it had,
like, 40 plus tools in it. So you're
sitting here trying to figure out, like, okay.
I'm having a chat with this LLM. I
wanted to form out some knowledge to this
MCP or this set of MCPs.

(14:33):
But I now I need to be, like,
really constrained and figure out how to get
it into
e even the right tool or the right
space. So stuff like this is gonna I
wonder, like, do you find it confusing in
this world of saying, like, hey. I have
an MCP for Sentinel, which is doing this
graph thing. I have an MCP for
the Microsoft Graph. I have an MCP for
LearnDocs. I have an MCP for Kusto,

(14:55):
like, all these different thing or Fabric. Right.
Are are you finding that hard to rationalize
along the way? Like, I've started like, I
was just going in and, like, turning on
all my MCP servers, like, every time I
started VS Code, and now I'm actually being,
like, more careful about that. Like, alright. Always
gonna start, like, the learn docs one because
that's easy. It's a remote server. Boom, boom,

(15:15):
out Yeah. Out. No problem. But some of
the other ones, like, you really do have
to kinda pick and choose. But then it
makes me wonder, alright. Great. I had to
do that just to make my own life
easier, but now what am I missing out
on by not turning them all out? Do
you feel overwhelmed by trying to manage your
Office 365 environment? Are you
facing unexpected issues that disrupt your company's productivity?

(15:38):
Intelligink is here to help. Much like you
take your car to the mechanic that has
specialized knowledge on how to best keep your
car running, Intelligink helps you with your Microsoft
cloud environment because that's their expertise.
Intelligink keeps up with the latest updates in
the Microsoft cloud to help keep your business
running smoothly and ahead of the curve. Whether
you are a small organization with just a

(15:59):
few users up to an organization liligink.com/podcast

(16:19):
for more information or to schedule a thirty
minute call to get started with them today.
Remember, Intelligink focuses on the Microsoft cloud so
you can focus on your business.
Some of that the other thing I've seen
and I just ran into this the other
day when I started playing with this MCP
server, and we can go talk about this

(16:39):
a little bit more. And how to turn
this one on, because this was interesting, is
I added this one and I went to
go ask a query about Sentinel, and it
hit
my Lokka MCP server because I didn't at
mention the specific MCP server. So there's that
trade off to, like, what you said is,
one,
if you don't turn them all on, what

(17:00):
are you missing? Or if you do turn
them all on, as
you ask AI questions, does it end up
going to the wrong MCP server when you
want it? Like, does it go to Graph
when you want it to go pull from
Sentinel? Or maybe it was just me. I
had to be a little bit more specific
in my query,
but there's
it is. One of them is just, how
do I make sure I'm going to the

(17:22):
right MCP server at the right time?
How am I not missing out on it?
Absolutely
an additional cognitive load there, I think, around
MCP servers. And the other one I found,
and this was the first time I've kinda
hit this one, is when you go look
at this MCP server for Sentinel,
they only give you steps on how

(17:44):
to leverage this one with Visual Studio Code.
And this is a remote MCP server. It's
sentinel.microsoft.com/mcpdataexploration.
And I tried to go add this one
to
Claude, and I couldn't figure out a way
to do it
because it uses some it appears

(18:06):
that it uses some of the underlying authentication
mechanisms
in Visual Studio Code. Like, if I go
add this to Claude and try to query
it, I don't get the prompts. Like, there's
no way to, like, set up an authentication
mechanism to it, no way to set up
a service principal to it,
nowhere to say, like, go enter a username
that I could find or trigger in Claude.

(18:27):
But when you go add it to Visual
Studio Code and
the first time you add it, it's like,
oh, go log in to your Microsoft 365
tenant with your account. And I
think there's some things going on there where
I couldn't actually
add this to anything but Visual Studio Code.
And
then obviously you have to have

(18:47):
GitHub Copilot in order to use it versus
using another LLM that I have. It's hard.
Like there's niceties
to being in
these
systems that do require, like, authentication authorization, like,
just to be able to do, like, the
quick, like, fire and forget to enter,
do your sign in, OAuth end to end
all the way. So typically in, like, at

(19:09):
least the way it works in, like, the
SDKs
for Azure and things like that is there
there's a class in the identity SDK
that composes an object, and it's called
DefaultAzureCredential. And it's just this magical thing
where, like, you you put, I wanna use
DefaultAzureCredential to sign in, and then
it just kinda figures out based on the
client it's on. Like, you so you can

(19:31):
write, like, an application,
say, with, like, the .NET SDK for
Azure for any Azure service, and say, I
wanna use DefaultAzureCredential. You put throw
compile it as an executable, throw that executable
on an Azure VM,
and it will,
like, automatically know that, hey, I'm on a
VM in Azure, and
I should try MSI authentication,

(19:52):
and try and come through that way. Oh,
MSI failed. Okay. Let me pop up a
user prompt and come through. So sometimes it's
the way, like, developers are building them, Randall.
Like, so if they use something like
DefaultAzureCredential,
then it's got, like, that weird underlying behavior,
which has a bunch of niceties to it,
but you kinda gotta, like, know how the
niceties work and how to land your app
in the right place.

(20:13):
So I wonder if it's some of that
kind of stuff
over just being, like, it's not, like, malicious
intent
to lock you out. It's like, hey. There's
this ecosystem of stuff, and
the people building the stuff also kinda leverage
the same ecosystem.
So while you're out there
maybe saying, hey. I'm an Azure customer. Okay.

(20:34):
Hey. We're all Azure customers. I hope We're
all out there building our services on top
of these things as well and building these
capabilities
and all that out there. So it could
also be things like the clients are also
in in various states. So the Claude desktop
client
is constantly iterating,
as is, like, the desktop client for Perplexity,

(20:55):
for Copilot, for ChatGPT, all the all these
things. Right? Like, every single day they get
an update, they might just need to update
to allow things like
the pop ups for authentication
and everything else that comes through there. The
other place this will integrate to is Security
Copilot. Like, they also mentioned that. The Sentinel
MCP server is gonna have native integration with
Security Copilot, but I don't know about you.

(21:17):
I'd rather pay $20 a month for Copilot
GitHub
than $20,000
for
Security Copilot. Obviously, other benefits with Security Copilot,
people that have it, you'd wanna have this
in there. But to me, this was I'm
still kinda curious to see
where Security Copilot goes because
while there's other functionality

(21:37):
in there, as
these MCP servers continue to grow and you
look at GraphMCP
server and
now you have the MCP server for Sentinel,
if other
third parties
that you can integrate with I don't know.
Like, if you integrate other third parties with
Sentinel and you can do an MCP server
with Sentinel,

(21:58):
you lose some of the built in functionality
in different places of Security Copilot, but to
me, this lessens
the need for something like Security Copilot. Maybe
I'm not supposed to say that, but that's
what I'm seeing. Like I have less and
less of a need for Security Copilot because
of MCPs. I think the world of the
agentic stuff, it's going to continue to morph

(22:19):
and continue to change.
It's one of those places where
I don't even know that
service providers,
like
none of us know where it's going to
end up, basically.
So
everybody's racing to create these kinds of experiences,
but they're going to continue to change over

(22:39):
time.
Like, this whole
local versus remote MCP server,
that's not fully baked,
and that's not a done deal
as to the way that composes.
But I do think it offers,

(23:01):
integrates over there is just add a tool.
Right? Like, you're not adding an MCP server.
You're adding a tool. What's it using in
the background? The MCP server. So now we're
starting to equate local MCP server with tools
and resources and all the things in them.
That same kind of nomenclature
and
architecture is coming to these cloud based

(23:24):
and SaaS based things as well. I think
you'll see
more and more of this, like this mix
of remote MCP
and then some other piece of functionality
in a part of the service itself
or in, like, a parallel service. Oh, like,
great. Now I can use that too
and come across.

(23:44):
What'll be interesting to see is, like, a
year from now, is, like, MCP server is
even a thing, or did we all settle
on just exposing, like, the tools through, like,
some other endpoint mechanism or things like that?
Like,
I don't know. TBD. We'll see where it
all ends up. It'll be interesting. Shall be
weird for a while. It's kinda like a
fun ride though if you're a technologist.
Oh, absolutely.

(24:05):
So and then the third should we dive
into the third one? The Sentinel Graph. This
was kind of a cool one, and this
is also in public preview now where
now within Sentinel, we've always been able to
do KQL queries, right, where you can go
in and query stuff and get your results
however you query it. And you could go
look at incidents and kind of within different
incidents, you're able to see connections between different

(24:27):
events and different devices and all of that.
What this does is it allows you to
go do a,
essentially, a graph based query
against your Sentinel data. So instead of, like,
waiting for an incident to occur and then
seeing all the connections for the incident or
instead of just writing a KQL query and
getting data back, you can go in and

(24:48):
this
I'm trying to think if there's a screenshot
in here
where you can this is probably a decent
one that I have on my screen. But
for people
listening,
I could go in and it's preview, so
it was somewhat limited, but I could say,
like, show me this device, and I just
picked two devices. You can pick two different
entities. But I picked my laptop and I

(25:08):
picked my desktop, and I said, show me
the relationship between them, and it essentially created
a graph with all the different ways
these two devices were linked together, whether it
was through users or linked together. I think
it showed, like, my user account was one
link. I think it maybe showed, like, Intune
as another link between them or other services.

(25:30):
So it was
gave me, I would say, more of a
proactive way to say, okay. So if this
device was compromised,
what are all the ways it could be
linked to this other device, or what are
all the ways my user is linked to
different entities? And instead of giving me tabular
data, it gave me a graph, a view

(25:51):
of connections
between different things in my tenant. If I
was reading between the lines on this one,
because
we're back to the whole, like, KQL thing
and what's it used under the hood, what's
a capability that recently came to
Azure Data Explorer and to Kusto? Well, a
capability that recently came to Kusto

(26:12):
is
the ability to
execute
queries
with graph models.
So taking
database objects
that
represent
your property graph and that are stored in
Data Explorer and then being able to bounce
those
against each other.
So if you can do it in KQL

(26:34):
and you can get at it, you might
be able to do some even more interesting
things with it along the way. And if
you're into it, I'd recommend going and reading
the Kusto documentation for graph models
and seeing kinda
if you can wrap your head around a
little bit. How do I run that? They
have some good, like, work working examples
and things in there. So but absolutely. So

(26:55):
so KQL now has this it has a
a graph, right? So much like you'd have
like a database or table name kind of
thing. You have a graph out there, so
there's an object for graphs, and then you
and you know how you have like where
clauses and summarizes and and things like that.
There's also now a graph match,

(27:16):
and
so it's basically graph match, what's the pattern
you input where these filters are true, and
then output
these fields
based on
the graph and how it comes together. The
syntax is really weird and kinda wild. Like,
it is not like other KQL syntax at
all, when you especially when you're doing, like,

(27:36):
the filtering and things like that, but it
works pretty well. I've been playing around with
it for some other stuff. I wonder if
this is even using
and this might be kinda what even you're
getting at it. If this is using that
under the covers, if this is a little
bit more of a UI
interface,
and then behind the scenes, it's creating those
KQL

(27:56):
graph type of queries. It'd be an easy
thing to do or a smart thing to
do if the underline if the underlying database
engine provides for it, why not?
Yeah. Lots of improvements around Sentinel and different
things you can do, especially with the data
lake integration
going GA. They layered
all of these on top of it. So
all of this does depend on you having

(28:16):
Sentinel and Defender, making that connection between your
workspace and Defender, and then enabling the graph,
and then you'll be able to go light
this stuff up. And I've seen some things.
I'm in a few security groups where people
weren't getting it necessarily right away. It might
take some time in preview,
trickling out. Yep. SaaS rollouts, all that good
stuff. Yeah. All that stuff. So no. These

(28:37):
were some fun announcements in the last
week or so that came out that I've
started playing with. The nice thing about those
data lakes too is like you mentioned, you're
provisioning those within your own infrastructure.
So, you know, it's your
Azure subscription, your resource group, so you still
get the choice over, like, where does that
data lake reside? So if you have, like,

(28:59):
data residency requirements,
anything like that, you could spin that up.
You can also choose your redundancy,
every everything like that that you might wanna
do. So it's nice to have kinda that
level of control too, but just watch out
because it is a PAYGo component. So it
is kinda sitting out there now churning month
over month or however long you turn it
on for. Yep. And then I think Data

(29:19):
Lake too, you'd get charged based on queries
and how much you use it and yeah.
All those same things apply. This is not
a free data lake with your Azure subscription.
It's a PAYGo data lake that they automatically
connect up and ingest all the data and
do that for you. Yeah. Compute still costs
money. Yes.
Alright. We've spent, like, a bunch of time

(29:40):
on mine. Do you want to talk about
yours anymore today, or should we save those
for round two? Let's save a we'll do
an I'm just going to talk about some
Kubernetes stuff, so we'll do a kind of
AKS ish day
coming up in the future here. Sounds good.
AKS
ish. Yeah. There we go. AKS
ish. Yeah.
All that said, if you're gonna be at

(30:00):
any conf I Scott, I have a few
conferences coming up. I'm still trying to get
you to one. I'm down at Dev Intersections,
Cybersecurity Intersections, which they added next week. So
if you're down in Orlando at that one,
October,
like, six through ten or something. And then
I did get accepted to go help proctor
labs again at Ignite. So I'll be out

(30:21):
at Oh, nice. Yeah. I'll be out at
Ignite in November if anybody's going to be
out there. And then I think I mentioned
that I'm doing cybersecurity
or not wow. Workplace Ninja is down in
Dallas in December. So we're still working on
getting you out to Ignite. We'll see, Scott.
We need to get you out there yet.
Yeah. Well, for the other stuff, give me

(30:41):
some links, and
I'll put them in the show notes. I
will do that. So links to all those
conferences will be in the show notes. Come
find me and hopefully
Scott at Ignite. And if you have any
feedback for Scott, don't forget, let Scott know
what mouse you should get. And any questions,
comments,
thoughts,
future topics, future guests, we'd love to hear

(31:02):
from people. So
reach out. LinkedIn has turned into our social
media platform of choice or we do still
have the contact form on the website if
you want to go there and fill that
out as well. All good stuff. If you
have complaints, only reach out to Ben though.
Yes. My email address is scott@msclouditpropodcast.com.
Bring on the spam. It's a good thing

(31:22):
your spam filter is good. It is. Hopefully,
it won't get spam too much out of
that. Alright. With that, Scott, go enjoy your
weekend. Thanks, Ben. It's getting nice in Florida.
Go enjoy some time outside. It's not It
is. Stupid hot anymore. Although, it's we're under,
marine watch tomorrow. So a small craft advisory
here tomorrow, so can't go out on the
boat. Oh, so enjoy time outdoors not on
the boat. Go fly a kite on the

(31:43):
beach. Marine advisory means wind for a kite.
Right? It's getting windy already. Yeah. Well, thanks,
Scott. Enjoy your weekend. We'll talk to you
next time. You too. Thanks, Ben.
If you enjoyed the podcast,
go leave us a five star rating in
iTunes. It helps to get the word out
so more IT pros can learn about
Office 365 and Azure.
If you have any questions you want us

(32:04):
to address on the show, or feedback about
the show, feel free to reach out via
our website, Twitter, or Facebook.
Thanks again for listening, and have a great
day.