Episode 416 – Microsoft Sentinel, Security, and Ignite with Henrik Wojcik - Microsoft Cloud IT Pro Podcast

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode 416
of the Microsoft Cloud IT Pro podcast recorded
live on 11/20/2025.
This is a show about Microsoft three sixty
five and Azure from the perspective of IT
pros and end users, where we discuss a
topic or recent news and how it relates
to you. In this episode, I'm still live
from Microsoft Ignite as I sit down with

(00:25):
Henrik, a fellow Microsoft MVP in security,
to record this episode. As we we enjoy
some sun in San Francisco, we spent some
time talking about Microsoft Sentinel,
Data Lake with Microsoft Sentinel, and some of
the announcements from Ignite, as well as some
of our experiences at the conference and things
that we've enjoyed about being live in person

(00:46):
at Ignite.
So here we are sitting at Ignite, recording
another show of the Microsoft Cloud IT Pro
podcast
without Scott because
Scott has bailed on me this year. We've
got carnival music going on the background, sitting
on the sun in the streets of San
Francisco. But since Scott wasn't here, I had

(01:08):
Henrik join me. So he's a
senior cloud specialist, a fellow security MVP.
Well, we met how long have we known
each other? Eight couple years now? Yeah. A
couple of years. Yeah. Yeah. Because we both
did you become an MVP about the same
time I did? Yeah. Yeah. We kinda came
MVPs together. You started as security. I started
as Microsoft March, and then I joined the

(01:29):
dark side, the good side. I don't know.
Security support. The good side. The good side.
Yeah. Do you wanna give a little bit
of introduction, Henrik, just about you, who you
are, where you work, where you
live, how much you love Samsung's system.
Yeah. I'll just start with introducing myself. My
name is Henrik Wysig
from Denmark, and I work at a bank
in the financial sector. That's my doing.

(01:52):
And my area
is security because I'm a security MVP. Yeah.
I work with the Sentinel and Defender, the
whole Defender suite. So, yeah, basically, I love
everything security. Alright. I mean, bank security is
kind of important at banks, I think. Apparently,
something about people's money. Yeah. They kinda like
it to be safe and secure
and not allowed to get in. And you

(02:13):
live in Denmark. I mean, how much better
is that? You live in the same country
as Legoland. Yes. And fun fact is I
actually
I only live, like, the twenty minutes drive
from LEGOLAND and LEGO headquarters. Okay. That's why
I have a lot of LEGO at home.
See, I keep forgetting this. One of these
years, Hendrik, I have you on record now.
You're on the podcast. I would like a

(02:33):
couple of those LEGO sets, like the headquarters
and the tree that you can only get
at LEGO headquarters. Yes.
Any way you can arrange that? I won't
put you on the spot on the podcast.
Yeah. You'll have to show send me a
picture of that. Send you a picture of
the sets that I want? Yeah. Alright. I
heard there's, like, those two sets that you
can only buy at LEGO headquarters
in Denmark. There is there is a collectible.

(02:55):
Also, if you go on a special trip
at the LEGO at LEGO House, which is
Uh-huh. Yeah. Which is really cool. But you
have to pay a lot of money to
get on those tours, but you get a
golden brick almost. Maybe we need to do
Ignite Denmark. Yes.
Yes. It will probably be better than San
Francisco, but I don't know. Maybe. Yeah. We

(03:16):
should probably be nice to San Francisco.
Oh, well. Anyways, we should we talk about
security instead of Legos in San Francisco and
Denmark?
So senior cloud specialist, you do a lot
with security. You probably do more with security
than I do because I tend to spin
a whole bunch of stuff, but there have
been some interesting
changes with Sentinel in the last,

(03:38):
what, probably six months or so. There was
announcements around Sentinel coming into Defender where now
it's really gonna be Defender's gonna be the
place to get to Sentinel. Yes. But, also,
if you connect Sentinel to Defender, you can
do things with data lake now. Yes. So
do you wanna talk a little bit? Like,
we were talking about some of the advantages
there. I know I think Scott and I
mentioned it, but didn't go into a lot

(03:58):
of details. And you were sharing some details
even on some of the advantages, even some
of the reasons. It makes a lot of
sense in the EU. So in the EU,
because of regulation,
and we're driven by regulation, apparently.
There are two new regulations.
One is called NIST two, and the other
is called DORA. And it applies actually
to all critical infrastructure businesses. It's gonna hit

(04:20):
almost everyone in the EU with logging. Okay.
One of the loggings,
logging requirements are that you need to save
all your data or logs, audit logs, and
security logs, and operation logs also for, like,
thirteen months. Oh, wow. Yeah. That's a lot.
Right? Yeah. So and this is just, like,
everything. It doesn't matter what it is. It's
just Yes. If something happens and it's logged

(04:42):
Yes. What if you don't log it? Then
we go far in. Too. Yeah. Yeah. So
you have to log everything, and then you
have to keep all of those for thirteen
months. Yes. It's like GDPR. Okay. So it
follows that.
And,
that has meant that especially us in the
finance sector in Denmark have been looking into,
oh, we need to save it for thirteen
months now. Where to put it? Because

(05:04):
yanking it up in log analytics workspace for
thirteen months, that's expensive.
Yeah. Especially I don't know. You don't have
to share how big your bank is, but
I can imagine with the bank and the
amount of data, like, it's not an insignificant
amount of logs that you have. This is
probably
is it gigabytes or terabytes of logs? It's
a lot of gigabytes. And it's not

(05:25):
how should I explain my workplace? I work
at a company called Bank Data,
and it's it's owned by different banks in
Denmark, actually. Oh, okay. Yeah. So it's owned
by seven different banks,
and, we adjust the IT development department. So
we do the finance banking apps. Got it.
There's a lot of data, and they all
want different things.

(05:47):
So
go make the button red. No. We want
it blue. Yes. And then you have to
log that you changed the button from red
to blue? Change management.
That's it's a finance sector, so we have
to it's strictly regulated.
So it's not it's not like in consultant
where you just go in, place guns placing,
and Yep. I can fix that for you,
my friend. So how does data lake so

(06:08):
you talked about, like, log analytics is super
expensive
when you are it it starts adding up.
Now you can do it data lake. That
helps with the pricing then. Yeah. A lot
because
we actually we are streaming logs from AWS.
Okay. And that's a lot of logs
you get from AWS also. And, specifically,
what has helped us in our use case

(06:30):
is that we don't have to pick and
choose anymore with,
do we lock this or not? It's a
requirement. So we have we have the opportunity
to log it every everything now. And the
ones that we throw directly into data lake
at the moment, the older network logs, which
are the most noisy logs that you can
almost ever find.
So that has saved a lot of money

(06:52):
for us at least. Got it. So how
did you how do you set that up?
Because, like, we were talking about setting a
little log analytics, which is Azure. Yeah. You
know, while you're networking in AWS,
is that through,
like, Sentinel connectors then that are available in
the hub or Yeah. How do you architect,
like okay. All of our networks in AWS,
we're gonna save it on Sentinel Yes. In

(07:13):
data lake. Yes.
So yeah. Because we actually stream it over
from from the AWS. We have a connector.
There's a
a Amazon s three service in Okay. Content
hub in the Sentinel, which we enabled. And
that hooks into all the
guard duty logs and cloud trail logs and

(07:34):
VPC flow logs. And there's one more. I
forgot its name. And that's so we have
already the design before we went into AWS,
we know that we were gonna move it
over to Sentinel Okay. For the c m,
one Centimeters to rule them all. Yep.
And, yeah. And we also got cut off
guard in the early moments because there were
some spikes in the traffic with the network

(07:56):
logs, and it cost us a lot of
money. And those spike was only, like, for
a couple of hours, one day or two
days, and it cost us a lot of
money. That was before we enabled data lake,
and that's what actually made us enable data
lake to get it cheaper and then move
the network logs directly into the data lake
now. So we are saving money. Got it.
So how does that work with data lake?

(08:17):
Because I've started doing this. I've enabled data
lake in mind, and it looks like
by default, when you enable data lake for
Sentinel,
there's only certain tables from log analytics
that go into data lake. Is that something
that you can customize
and tweak? Or have you
We have only, we have only looked at
those that cost us most money.

(08:40):
So, yeah, it's a we have, like, I
don't know, 290
tables or something like that. Okay. And we
did the quick one. Show us the most
top 20 expensive tables, and then we did
it from there. And all of those twenties,
we could convert them into data lakes, but
some don't actually make sense because you don't
wanna move

(09:01):
device events from MDE over to data lake
because that correlates with all the other stuff
on the attack vector. So you can't move
that from away from log analytics, actually. Got
it. So there are certain tables that like
those device tables that, at least at this
point in time,
just have to stay in log analytics. There's
no option. So you end up with a

(09:22):
mix of tables and some in data lakes,
some in log analytics.
Yeah. Because if you put it if you
had to put it into data lake, then
you had to make KQL queries instead of
analytic rules.
And it's a bit slow, and the SOC
doesn't like that.
The sock, like, send their data right away?
Yes. Apparently. Okay.

(09:43):
But, I mean, they are doing something that
most of the logs for from the defender
stays in the in the new tables for
thirty days. Okay. So they have something to
look into. And, I mean, who whoever comes
back looking at logs at some point that
needs them to go back a year, they're
looking for something specific. Right? Right. So I
haven't looked at this yet with the data
lake. Can you set it then? So, like,

(10:05):
logs from certain tables will go into data
lake after a period of time? So, like
you said, thirty days of device in log
analytics and then thirty one days out to
the thirteen months go to data lake? Yes.
That's actually how we do it. In our
case, we do ninety days. Okay. So we
do ninety days log analytics tiering and then
the rest in the data lake after that.

(10:26):
Got it. For the other ones, we do
directly to data lake. Okay. Network logs. Okay.
And then you mentioned the analytics rules too.
Again, like, I knew this, and I've kinda
played with it, but haven't spent as much
time with you. You talked about, like, the
analytics rules and writing the queries. Does that
differ then based on where the data is
and how you write those queries? Or even

(10:47):
if you wanna correlate data across different tables
where you have some in log analytics and
some in data lake, do you have to
get a little more creative in how you
write those? Yes. You have. So if we
do, normally, all the Hondas do within KQL
in the analytics, rule and then about something.
And it's not that very seldom that we

(11:08):
actually look back more than three months. That's
why we landed on the magic ninety days.
Got it. So so because it's not necessary,
but if you have analytic queries for certain
tables, then you have to convert them over
because you can't cross over the search. So
you have to you have to make another
KQL job that runs to through the data

(11:28):
lake. Okay. Yeah. Where if it's older than
three months. Sorry. Ninety days. Okay. Ninety days,
three months. They're about the same. Right? Yeah.
Most months, they're close. Yeah.
So can you write a query that because
you can, like, look up. Like, you wanna
look up log information for a device. And
if you have those tables in two different
sources,
can you write a query? Yeah. So it

(11:49):
will cross over. No. Because it there are
two different things. Analytics ones will only do
the ninety days. Yep. And then you have
to switch over to the other ones. Got
it. Yeah. For,
yeah, but we haven't had the use case
yet for that. Okay. Where you have to
cross over, like, correlate network logs with device
logs within ninety days when they're in two
different sources?
We haven't had that issue yet. Okay.

(12:11):
Knock on wood. Let me know when that
happens? Yeah. For
you. It's a nice case because we actually
had one that does advanced hunting. He asked
about it. So if I'm doing this and
this, but this table for the network logs
is down here. As far as I said,
we keep the devices because he's writing on
the devices
with the MDE data.
Yeah. So we haven't had the use case

(12:32):
for that because
one thing is Azure logs and VPC flow
logs from AWS firewalls.
That's a whole another ballgame versus the MDE
data that come from Got it. Laptops. Yep.
Yeah.
So and that's where the interesting stuff is.
Got it. That makes sense.
There was something else I was gonna ask
and now I can't remember what it was

(12:54):
around some of that. Must be the carnival
music. Yeah. It's the carnival music in the
background that people walking by. And the lack
of sleep over the last few days. I'm
getting tired.
Yeah. So so you did say speed. That's
one thing too that if you're querying data
like that, your queries do is it, like,
noticeably
slower, or is it just, like, maybe it's

(13:14):
a few seconds slower?
What have you seen from a speed perspective
when you're querying it? It was only, like,
a couple of minutes. Okay. But and we
had to build the query specifically. I wanna
see it that I was searching for something
in here and go pick those days only
in this time span. So we were pretty
precise because it costs money to query the

(13:35):
data lake. So you gotta kind of have
to optimize your
your statements. Your queries. Yeah. Like, so is
that something different with is it more, like,
it's cheaper to store data in the data
lake, but more expensive to query it? Yes.
Precisely. That's but I that's with all the
products actually today. So
but, yes,
that's one of the four pits. So you

(13:56):
don't wanna have a guy that that does
a search in the data lake for five
years back or something like that. Okay. If
you saw data for five years back. Right?
Sort of that long. That's gonna cost a
lot of money. Okay. Just firing the query
off, and that's why we also said it
would be nice before doing the statements or
the k 12 queries.
What is the approximate cost if I throw

(14:18):
this query
Right. Yeah. Turn it on. So is it
with the data lake queries and the cost,
is it based on how much data gets
returned from the query, or is it based
on how many tables The lookup of the
data. Okay. It's the lookup of how much
data it has to go through. Got it.
As as far as I know, but it's
still new to us. I mean, it's like

(14:39):
two months ago. Right. It hasn't been out
very long. So people are still trying to
figure it out. It'll be interesting to see
even how Microsoft
evolves it because I can imagine
the scenario is gonna arise where someone has
to query data in both data sources and
how hopefully, they come up with a way
to maybe make that a little bit more
seamless
as time goes on. Yeah. It's gonna

(15:01):
as a true Microsoft employee would say, it's
a journey we are on.
And we have no idea how long this
journey is gonna take us. But we have
never been closer.
Every day it's just like your birthday. Right?
Every day, you get one day closer to
your birthday. Yeah. Yay. Every day, we get
one day closer to the destination on this
journey with Microsoft. Yeah.

(15:22):
It's funny. Oh, man.
Do you feel overwhelmed by trying to manage
your Office three sixty five environment? Are you
facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help. Much like you
take your car to the mechanic that has
specialized knowledge on how to best keep your
car running, Intelligent helps you with your Microsoft

(15:45):
cloud environment because that's their expertise.
Intelligent keeps up with the latest updates in
the Microsoft cloud to help keep your business
running smoothly and ahead of the curve. Whether
you are a small organization with just a
few users up to an organization of several
thousand employees,
they want to partner with you to implement
and administer your Microsoft cloud technology.

(16:06):
Visit them at inteliginc.com/podcast.
That's intelligink.com/podcast
for more information or to schedule a thirty
minute call to get started with them today.
Remember, Intelligink focuses on the Microsoft cloud so
you can focus on your business.

(16:29):
So other things that kinda tie in the
Sentinel,
this
security ecosystem is and there were some announcements
around Security Copilot. Have you started playing with
Security Copilot yet with your Sentinel data and
looking at that? No. We have not because
it had the cost have been an issue
for us from day one. Right?

(16:49):
Because of the ACU cost. The c level
said no because it's too expensive. And, I
mean, what's the value if we look at
it? I mean Right. Yeah. And then where
there were all those hacks that you could
spin up the ACUs, then shut them down,
spin them up next day, and stuff like
that. But we didn't bother in our enterprise
because it didn't give that value. But now,

(17:10):
with the new e five, yes,
it's gonna be exciting. It is. And that
was one of the announcements. So have you
started playing with it yet? Have you guys
well, though you probably haven't gotten it yet,
you didn't have security copilot.
No. Not yet. Not yet. But we have
you five. But you have you five, so
you're ready. This was and this was one
of those announcements. And
Scott and I talked about it a little

(17:30):
bit on the last podcast,
but we only had the book of news
to go by. Yeah. Now Microsoft has announced
it. There's blog posts out there about it
that
e fives are going to get a certain
level of copilot.
Have you started looking at that? How many
details do you have around that you wanna
share? We are definitely gonna use it for
the intra ID one and the conditional access

(17:53):
one. The optimization Yeah. The optimization.
Yeah. That's the one we probably the most
most important one,
and then we'll look into the others. I
mean, we can probably
burn through those SCUs. Through all SCUs. Yeah.
Because it's also nice because even though it's
in the license now, it's not that much
anyways.
Right. And I looked at

(18:15):
so have you looked at the cost and
how they're doing all this with the SCUs
and then Yes. I looked into it, and
I think it's gonna be a journey Yeah.
As they say. More journeys. More journeys. Lots
of journeys we are on. It's a step
in the right direction, I would say. Because
if you wanna get people to use Security
Copilot, this is the right step to do
because nobody in their mind would do it.

(18:36):
Right. And let's look at it going. And
I started looking at the pricing, and it's,
to your point, it's a journey. It's gonna
be interesting to see how this pricing works
out because you essentially
get Microsoft gave an example
of for every it was a thousand
e five licenses,
you would get 400

(18:57):
SCUs.
Yeah. Which is the security compute units. Yes.
But I had to shift it in my
mind because at first it was like, oh,
currently it's like $4 per hour per SCU,
and this is a 400
SCUs
per
month.
So it's like it was a per hour
pricing.

(19:17):
Now it's changing to, like, a quota per
month, and they said there's also no minimum.
So if you have like one e five
you get point four
Yeah. SCUs per month. I don't know how
that's gonna work out. But it's not
and at first I was super excited. I'm
like, oh I get two SCUs. And in
my head I was still thinking per hour
not per month. Yeah. Because a thousand users,

(19:38):
400 SCUs a month
only gives you, like you divide that by
thirty days,
you're down to
what, like it's just over, it's like a
120
it no, a hundred and twenty thirty ish.
Yeah. 130 ish SCUs
per day Are gonna be burned through. Break
it down by hour, and you're like, well,

(19:59):
wait a minute. Now I'm down to, like,
1.5
or two SCUs per hour Yeah. For a
thousand users?
I hope we'll be able to make that
the Intune guys get so much and the
InfID guys get so much, and the other
security guys get the so like you you
could do today, right, if you bought the
norm the regular old SCUs.

(20:21):
Yeah. So I'm curious to see how that
works because then they said, well, if you
go over, you buy SCUs.
Yeah. And then we are right back at
square one. Right. Well, now it's an hourly,
but I'm like, well, how do you do
it if you're doing a quota of SCUs
per month
and now you need SCUs, do you start
buying just individual
SCUs now per month?

(20:43):
Or once you run out, do you have
to start paying
per hour for the rest of the month?
Yes. Like and that's where I think it's
gonna be a journey of the documentation I
looked at wasn't super clear
in my mind on how the $6 per
SCU
per hour

(21:03):
or if it's just $6 per SCU now
in the quota per month kinda Yeah. Very
and I didn't know if you looked at
any of that or started trying to figure
that out because you have any vibes and
you wanna go home and use your SCU.
Yes. I'm looking forward. Probably when I get
home, somebody have probably started up paying with
it because it's for free now. Yeah. Otherwise

(21:25):
so this was the other part of what
I saw is if you were paying for
Security Copilot now, you
would get transitioned right away to this new
pricing model. And if you aren't paying for
Security Copilot,
you
have to wait. So you might not be
able to play with the right one again.
But we can wait because, I mean, let's
face it. The need hasn't been there. Yeah.

(21:47):
So are there any other yeah. Or security.
Any other security announcements from Ignite that you
were excited about other than you can start
playing with security Copilot now? That would be
the agents.
The a there were a bunch of like,
there's a bunch the security Copilot agents. Yes.
A bunch of them. I haven't actually looked
into them. Okay. I can't remember their names.

(22:09):
I remember a few only because I've seen
them already. Like, there were some agents that
already existed. The conditional access optimization agent,
the phishing remediation agent. Yeah. That one. That's
also a really nice one. Yeah. Those but
I think there were, like Five or six
months? Well, there were five or six before.
I think there's at least,

(22:30):
I think there's, like, another six to 10
agents Ugh. That came out now. So I
again, if there were any of those that
you were excited about that you've looked at.
I haven't.
I can almost imagine now it's gonna be
governance towards agents.
Well, there is. We got agent three sixty
five now for configuring our agents. Right?
I saw so here's another one. I'm curious

(22:52):
if you think this one will help.
I saw some talk too about, like, a
DLP agent around DLP remediations
Yeah. Where an agent now and I can't
remember if it's here or if it's coming.
We're, like, you send an email, and
instead of maybe using some of the regular
expressions and detection there for sensitive information,

(23:13):
starting to leverage an AI agent to detect,
was this a sensitive email? And then if
it is,
instead of sending it to the sock right
away, sending it back to the end user,
like, maybe it's a Teams message or something.
Did you mean to send this email? Did
you realize there was sensitive information in
it? Almost to let the end user self
remediate.

(23:34):
And if it turns out that, no. I
didn't send this email, then it goes to
the Slack team or if it's, yeah, I
sent this email. No. I didn't realize there
was sensitive information in it. We need to
open an incident, then it goes to the
SOC team. So trying to eliminate some of
that noise that goes to the SOC team.
That's actually really smart. Right? Yeah. I thought
the same thing. I was like, oh, I
like the work. On the SEO cost, of

(23:55):
course. Depending on the SEO cost. But it's
free now with an e five.
Yes. Whoever comes first that day.
Yeah. The fir the first two or three
people get the agent for Yeah. DLP, and
then after that, it's all over. Yeah.
I know. I had to keep an eye
on time. We've been doing some labs. You
and I both been practicing labs this week.

(24:17):
Those have been fun. Any other highlights from
Ignite?
Okay. I know how you feel about San
Francisco.
We don't need to talk about San Francisco.
We're not talking we're not gonna make fun
of San Francisco. We can't talk about San
Francisco. Actually, my experiences
has been nice, but being a proctor and
having the expert badge with the special inferences
helps a lot. It does. I must admit

(24:39):
that seeing these people rock walking through metal
detectors
constantly, it's a pain. Right? It is. I
heard it from and getting the back search
each time,
it's it's really frustrating for some. I heard
it from all the colleagues I'm with and
the other fellow Danes. Okay. They really hate
it going from building to building building to
building. Yeah. And the the venue is so

(25:01):
fast spread. Right? If you have sessions down
at
Marquis
Yeah.
It's a walk. I walked over there this
morning. Yeah. It's fifteen minutes or something before
you actually reach the room. Uh-huh. And then
you have to go back into, the West
Moscone Center. Yeah. You you use you use
a lot of time walking. You do. And
it does feel I'm glad I'm here. I

(25:22):
still love being at Ignite. It's bigger than
last year. Yep. Definitely. But it feels
smaller to me because of how spread out
everything is. Like, I miss everything being when
it was closer together, there were definitely it
was harder in some respects, it was harder
to get around because everybody was shoulder to
shoulder. Yeah. But I felt like you saw
more people.
You did.

(25:43):
Yeah. I it's all but I like the
expo, the hub area and the expo in
the Moscone's in the South. It's pretty nice.
What? Any highlights? Any vendors you've seen or
any highlights from the hub? People you've run
into?
I like the MVP wall, the new MVP
wall. Yes. It's curvy. Right? It's curvy. And
a lot of names. A lot of names.

(26:04):
Did you get your picture by the MVP?
Yes. I did. Of course. Hey. That's what
Were you on the MVP? So the wall's
curvy. Right? Yeah. But if you're on one
end of it, you can't see the MVP
logo and your name because it's curved. Thank
you for that.
I am down in the corner. You're down
in the corner? Yeah. Let's go down. The
okay. So you're in front so you can
see the MVP logo when you're by your

(26:26):
name? Nope. Oh, you're down to, like, around
the corner. Yes. I'm around the corner. Oh,
I'm sorry. Yeah. No. I can actually oh.
And now that I'm thinking about it, maybe
I just took it from the wrong side,
the picture. Yeah.
Oh, man. I need to go ahead and
check. We'll go back and do that. Yeah.
We'll go back. Any other highlights from Ignite?
Like, what have you despite some of the
differences with it being out here, what have

(26:47):
you enjoyed from being out here? Highlights?
Like social or really Ignite stuff? Anything. I
like the city. I like the tourist stuff.
It's my first time in San Francisco. I
like it.
Certain areas you have to avoid, of course.
Yeah. But I'm guessing that's normal probably in
each city. And it's normal. I would say
in Jacksonville, it's normal. Like, there's areas of
Jacksonville.

(27:07):
There's areas it's been in Orlando before. There's
areas of Orlando you should avoid.
Chicago, it's been in there are absolutely areas
I grew up close to Chicago. There's absolutely
areas of Chicago you just do not go
into. I've had friends that were escorted by
police
out of areas of Chicago
because it was so dangerous. But Yeah. Okay.
Anyways, that's beside the point. You you've enjoyed

(27:29):
some of the tourists walking up. So did
you get out to, like, Pier 39?
Yeah. I've I've been I've been all over.
Alright. What about from Ignite? Any highlights
from the conference?
I actually liked the keynote. It was fun.
Was it? Yeah.
I mean, it was a bit high level.
Some it wasn't technical and that Yeah. Keynotes
never are. No. So

(27:50):
I liked it on a marketing level. Alright.
Have you had fun with the labs?
Oh, yeah. Well, you know how it went.
I had fun today. You have fun today
with the labs. Today? The labs actually worked
today. Okay. Yeah. We had issues
because getting back from the keynote because it
was thirty minute drive away. Yep. So people
getting back in time for the first laps

(28:12):
when the conference started, really started after the
keynote. They didn't because there were traffic jams
and Okay. People were late.
And what you what even what's more worse
is that the Cloudflare incident happened that day.
Yes. So that meant all the labs were
in hosted in GitHub, and the repos were
down, couldn't be accessed. So our instructions for

(28:33):
our labs were Got
it's funny because it went down and everybody's
like, but GitHub's a Microsoft company. Why are
these in CloudFlare and not, like, Azure? Yeah.
Yeah. The front door. It is what it
is. It is. I would say like, I
proctored labs too, and I would say that's
been one of the highlights. And even talking
to people
and we've talked about it before, I think,
in the podcast, for Ignite has a little

(28:54):
bit more of a sales feel and less
of a technical feel. But I think the
labs,
I would say, are a well kept secret,
but the labs I've been in have been,
like, jam packed with people. Yeah. Is if
you're gonna come to a future Ignite, because
this is gonna come out after Ignite's been
said and done this year, and you want
more technical
content, I would actually recommend going and doing

(29:16):
the labs for a couple of reasons. One,
yeah, they're click, like, it's the click click.
Right? You follow the instructions, click through,
but you do get to get your hands
on
more technical aspects
than maybe you would learn about if you
went to a session. Yeah. And the other
thing I would say is I don't know
about your lab. My labs, it's the product
group for the features. I've been doing identity

(29:38):
governance.
So I had, like, the product manager for
PIM and one of the product managers for
can't remember if it was for Entra, but
it was different product managers for the products
involved in ID governance. So if you had
questions about the products,
like, it was a great way after the
labs or even during the labs Yeah. To

(29:59):
be able to talk to the people
that are in charge of these different features.
Yes. Was that your experience too in your
Yes. Lab? It was. Because,
our guys also were close to MDE team.
Okay. So, yeah, it was defender related, but
mostly MDO and MDE
stuff were was were in our labs.

(30:20):
But, yeah,
it was a pleasure seeing it because our
laps were also full and the capacity was
around 115
as I recall in our room. Yeah. And,
I'm going back in just a second when
we are done for the last. That's gonna
be the fourth of the laps. Right?
And it's also sold out. So
people really like the laps, but sometimes

(30:42):
they go down and they then people leave.
Yeah. It walkouts
rarely, but it happened again
yesterday because
our tenant provisioning didn't work. So people were
just yeah. We're gonna go with lessons learned,
and then if you're listening to this now,
next year will be better because they've learned
some less I think they've learned some lessons
this year. And I would say even as
the week's gone on, they've learned some lessons

(31:04):
about it's I mean, it's not easy. Capacity
in here is a 115,
but there's I don't know how many labs.
There's probably 10 or 15 labs going on
simultaneously.
Yep. Precisely.
That's like 1,500
tenants getting provisioned
to these labs at the same time. It's
not
a insignificant
feat to do something like that. And it's
a fully live tenant, right, in our labs?

(31:26):
So it's a 115
live tenants
spinning up. Yeah. Yeah. It's complicated.
Yeah. For sure. Awesome. Well, thanks, Hendrik. Thanks
for joining me. I know you have a
lab to get to. Yes. Thanks. I might
go down to the hub and try to
find more Swag. Yeah. See what I can
come up with. Yeah.
Glad that we've talked about doing this for

(31:48):
A long time. A long time. We yeah.
At MVP Summit or other Ignites, and it
just it hasn't worked out. You got sick
once on me. Yeah. But glad we could
sit down and do it here at Ignite.
And
Yeah. Same to you. It was nice doing
it. Alright. Well, thanks. Yeah. Glad you enjoyed
it. Hope you enjoy your lab and the
rest of Ignite. And Yes. I hope you
get some swag. Thanks. And hopefully, we'll catch

(32:09):
up again soon. Yeah. Bye. Bye
bye. If you enjoyed the podcast, go leave
us a five star rating in iTunes. It
helps to get the word out so more
IT pros can learn about Office three sixty
five and Azure.
If you have any questions you want us
to address on the show, or feedback about
the show, feel free to reach out via

(32:30):
our website, Twitter, or Facebook. Thanks again for
listening, and have a great day.

All Episodes

Episode 416 – Microsoft Sentinel, Security, and Ignite with Henrik Wojcik

Show Notes

About the sponsors

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

The Bobby Bones Show

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Episode 416 – Microsoft Sentinel, Security, and Ignite with Henrik Wojcik