01x12_df3ndr.eof.01.tar.gz

šŸ“ Live from Times Square, New York City šŸ‡ŗšŸ‡ø This was the first edition of Experts Live in the United States, and we couldn’t be more proud to be part of it!

We wrap up Season One with a special in-person recording from Microsoft’s office in NYC during Experts Live US.
No planning, no script – just good conversation, best practices, and bad Sentinel acronyms. 😉 Chris and Koos will both be talking about the sessions they gave at the event. Chris will discuss security baseline best practices, and Koos will be sharing Sentinel tips from the field.

šŸ” Security Baselines in Microsoft 365

Chris brought a fresh look at building, maintaining, and automating security baselines in M365 environments.

Why Baselines Matter

Not all security risks come from attackers—some come from insecure defaults and configuration drift. Chris explains the difference between:

  • Baseline risk – inherent misconfigurations or risky defaults (e.g., Teams external messaging or anonymous sharing)
  • Threat actor risk – malicious activity like phishing, token theft, brute force attacks

“Most users don’t go in and change things. They just assume someone smarter than them chose the settings that are best for them…”

“The tyranny of the default” - Steve Gibson

The Security Baseline Lifecycle

Chris walked through his five-step model:

  1. Assess – Understand where your current security posture stands (warts and all)
  2. Define – Choose a framework (CIS, NIST, ISO) and define your secure baseline
  3. Implement – Put the controls and processes in place
  4. Monitor – Watch for drift and misconfigurations over time
  5. Improve – Feed real-world lessons back into your process

Tools & Demos

Chris demoed several tools including:

  • M365 Maester Toolkit – By Merill Fernando & community
  • MaesterDiff – Track baseline drift over time
  • Azure Automation – Run Maester weekly & notify via Teams/Email
  • MCP Server – Future potential for integrating with detection/response pipelines

Start small. Focus on one domain (e.g., identity) and iterate.

Check out Chris’ slidedeck with a lot of valuable links here!


🌊 Getting the Most Bang for Your Logs – Again!

Koos couldn’t help himself—he brought more Sentinel content, including some very practical demos and updates on data lake, MCP Server, and cost-saving strategies.

Sentinel Cost Optimization

Koos shared a story from that very morning where a customer accidentally enabled Sentinel on an operational Log Analytics workspace—leading to an unnecessary €2,000/month bill. That’s why it’s important to really understand the pricing model and be aware of the different discounts that are available.

Automate Commitment Tier Management

Koos shared a plethora of practical tips and tricks from the field, gathered over the last few years.

  • Architecture decisions are more important than you’d think
  • Automatically scale commitment tiers based on past 90-day usage
  • Use Azure Monitor to trigger on cost spikes to prevent unpleasant surprises at the end of the month
  • Leverage SCUs (Sentinel Commitment Units – another SCU acronym, thanks Microsoft ;-)) with pre-payment plans for even higher discounts
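As an added illustration of the two tips above (not code from the episode or the speakers’ slides): given 90 days of billable daily ingestion, pick the commitment tier that would have cost the least, and flag the days that should have raised a cost-spike alert. Tier prices here are constructed placeholders, not Azure list prices; the overage rule (usage above the commitment level billed at that tier’s effective per-GB rate) is how the workspace commitment tiers are documented to bill.

```python
from statistics import median

# Constructed placeholder prices (NOT real Azure list prices): flat price per
# day for each commitment tier (GB/day -> price/day) and the pay-as-you-go
# price per GB. Real values come from the Azure price sheet for your region.
PAYG_PER_GB = 4.0
TIER_PRICE_PER_DAY = {100: 300.0, 200: 500.0, 300: 660.0}


def daily_cost(gb, tier):
    """Cost of one day's billable ingestion under a tier (None = pay-as-you-go).
    Usage above the commitment level is billed at that tier's effective per-GB rate."""
    if tier is None:
        return gb * PAYG_PER_GB
    flat = TIER_PRICE_PER_DAY[tier]
    overage = max(0.0, gb - tier) * (flat / tier)
    return flat + overage


def choose_tier(daily_gb):
    """Return (tier, total_cost) minimising cost over the observed daily series.
    Costing each day separately, instead of pricing the 90-day mean, keeps
    overage days honest; a tier above the mean can still be the cheapest."""
    options = [None] + sorted(TIER_PRICE_PER_DAY)
    costs = {t: sum(daily_cost(gb, t) for gb in daily_gb) for t in options}
    best = min(costs, key=costs.get)
    return best, costs[best]


def spike_days(daily_gb, window=30, factor=2.0):
    """Indexes of days whose ingestion exceeds factor x the median of the
    preceding window; the same rule can back an Azure Monitor alert on the
    Usage table instead of waiting for the invoice."""
    return [i for i in range(window, len(daily_gb))
            if daily_gb[i] > factor * median(daily_gb[i - window:i])]


# Constructed 90-day sample: 60 days at 150 GB, then 30 days at 260 GB, with
# one 600 GB spike on day 45 (think: a noisy connector switched on by mistake).
SAMPLE_90D = [150.0] * 60 + [260.0] * 30
SAMPLE_90D[45] = 600.0

if __name__ == "__main__":
    tier, cost = choose_tier(SAMPLE_90D)
    print(f"recommended tier: {tier} GB/day, 90-day cost {cost:.0f}")
    print("spike days:", spike_days(SAMPLE_90D))
```

Note the tier recommendation (200 GB/day) sits above the 90-day mean of roughly 192 GB; the 30 higher-usage days make the overage under the 100 GB tier more expensive than the larger flat price.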

Sentinel data lake

Not just that Scooby-Doo meme but an actual game-changer: Sentinel data lake.

  • Simple setup (no DCRs/DCEs)
  • Raw log mirroring from Sentinel
  • Long-term storage + post-ingestion querying
  • Asset tables — great for incident correlation

GitHub Copilot + data lake = Magic?

Koos previewed how GitHub Copilot can now query the Sentinel data lake using natural language KQL via MCP Server in VS Code:

“Give me all Graph activity from an app with this display name…”
Copilot brute-forced the AppId collection based on a DisplayName and generated a working query – pretty wild.

Some caveats:

  • GitHub Copilot is not aware of Asset Tables (yet)
  • Limited to VS Code
  • Costs still apply when querying data lake

Check out Koos’ slidedeck with embedded pre-recorded demos here!


šŸ› ļø Community Project: Experts Live US: Vibes & Gratitude

  • We loved meeting the community in person
  • The event was full of energy, new ideas, and hallway chats
  • Sessions were not recorded, but we’ll share slides and demos on LinkedIn + GitHub
  • Big thanks to the organizers for an amazing first US edition!

šŸŽ™ļø Finalizing our first season

It’s been a great year of podcasting! This unscripted episode was a fun way to wrap up Season One. Thanks for listening! Hope to see you again next year! 👋🏻