In Microsoft Sentinel workbooks, when you want to display query results in a tabular format and visually emphasize numeric values through color intensity (such as counts or frequencies), you use the Grid visualization type combined with the Heatmap column renderer.

In this scenario, the query aggregates failed sign-in events from SigninLogs and AADNonInteractiveUserSignInLogs, summarizing them by ErrorCode, FailureReason, and Category with a calculated count (errCount). The errCount column holds numeric data that indicates how many times each unique failure pattern occurred.

To visually represent the severity or frequency of these counts, you configure:

Visualization = Grid — Displays tabular data in a workbook. It’s the standard view type for showing multiple columns of query output (such as error codes and counts).

Column renderer = Heatmap — Applies a gradient color scheme to the selected numeric column (errCount) so that higher values are highlighted with darker or more intense colors, making patterns or anomalies easier to spot.

Microsoft Sentinel workbook documentation explains:

“Heatmap rendering can be applied to numerical columns in Grid visualizations to provide color-coded representation of value ranges.”

Alternative renderers like Text or Big number do not provide dynamic color intensity, and Thresholds are used for conditional formatting rather than continuous color gradients.

✅ Final configuration:

Visualization: Grid

Column renderer: Heatmap

In Microsoft Sentinel (Defender XDR SIEM), access control is based on Azure RBAC (Role-Based Access Control) to ensure least privilege operations. According to Microsoft’s Sentinel role documentation:

Logic App Contributor: This role is required to create and run playbooks (automated workflows built on Azure Logic Apps). Although Sentinel integrates with Logic Apps, playbook creation and execution permissions are governed by the Logic App Contributor role at the resource group or subscription level where playbooks are deployed. Without this role, a user cannot design or execute automated responses.

Azure Sentinel Contributor: This role grants permission to create, edit, and delete analytic rules, workbooks, and hunting queries within the Sentinel workspace. It does not allow modifying playbooks or executing automation unless combined with Logic App Contributor. It’s the appropriate role for analysts or engineers who manage detection content (rules and visualizations).

The Azure Sentinel Reader role only allows viewing incidents, workbooks, and rules but not editing or creating them. The Sentinel Responder role focuses on handling and closing incidents, not authoring content or automation.

✅ Final Mapping:

Create and run playbooks → Logic App Contributor

Create workbooks and analytic rules → Azure Sentinel Contributor

Microsoft Sentinel uses the Advanced Security Information Model (ASIM) to normalize logs into a consistent schema, enabling unified queries, analytics rules, and hunting queries across multiple data sources.

Each ASIM function has a structured parser hierarchy, typically consisting of:

A master (or orchestrator) parser, which aggregates and calls all source-specific parsers.

Source-specific parsers, which map raw data from each data source (like Windows SecurityEvents, Sysmon, or custom logs) to the ASIM schema fields.

In the case of ProcessCreate events:

_Im_ProcessCreate is the master parser. Its role is to call all ProcessCreate parsers, including both built-in and custom ones (for example, imProcessCreate, vimProcessCreate, or other vendor-specific parsers).

Parsers like imProcessCreate (for native sources) and vimProcessCreate (for custom or vendor-specific sources) are source-specific parsers. They are responsible for standardizing and mapping raw fields into the ASIM Process schema, ensuring consistent naming such as ActorProcessName, TargetProcessName, and TargetProcessCommandLine.

“The _Im_ functions are orchestrators that call all source-specific parsers. Each im or vim parser converts native data into the ASIM schema for its respective source.”

Therefore:

To call all ProcessCreate parsers, modify _Im_ProcessCreate.

To standardize fields to the Process schema, modify vimProcessCreate (the new source-specific parser you created).

✅ Final Answers:

Call all the ProcessCreate parsers: _Im_ProcessCreate

Standardize fields to the Process schema: vimProcessCreate

 Table: DeviceFileEvents

 Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents, DeviceProcessEvents, and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents. This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typical timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters to show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcessEvents focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

To create a playbook in Microsoft Sentinel, you must first create an Azure Logic App.

Playbooks in Sentinel are built on top of Logic Apps—they define automated workflows that can be triggered by alerts or incidents. Once the Logic App exists, you can connect it to Sentinel via an automation rule or directly from an analytic rule.

A (Azure Function trigger): Used for custom code execution, not for Sentinel automation.

C (Hunting query): Used for threat hunting, not automation.

D (Automation rule): Connects an alert to a playbook but can’t exist before a playbook (Logic App) is created.

✅ Answer: B. an Azure Logic App

In this scenario, App1 is a custom web app published through Microsoft Entra Application Proxy and authenticated using Active Directory Domain Services (AD DS). Because it’s integrated with Microsoft Entra ID (formerly Azure AD) for access control, the most appropriate and supported way to require MFA for users accessing the application is through Conditional Access.

Microsoft Entra Conditional Access policies evaluate user sign-in conditions such as risk level, device compliance, location, and sensitivity of data before granting access. Specifically, Microsoft’s documentation states:

“Conditional Access policies allow administrators to require multi-factor authentication, block access, or enforce specific controls such as app protection or session policies for cloud and on-premises applications integrated with Microsoft Entra ID.”

Therefore, to make MFA mandatory for users accessing App1, a Conditional Access policy must be created targeting that application.

For the second part, to implement a session policy that controls or monitors user behavior (such as downloading highly confidential documents), the correct choice is Microsoft Defender for Cloud Apps (MDA). Microsoft’s official guidance says:

“Session policies in Microsoft Defender for Cloud Apps provide real-time session controls that enable administrators to monitor and restrict user activity in cloud apps, including download, cut/copy, and upload actions based on sensitivity labels or user risk.”

These session policies integrate seamlessly with Conditional Access via the “Use Conditional Access App Control” setting to apply continuous access evaluation during a user’s session.

Hence, the correct verified configuration is:

Require MFA: Conditional Access

Implement session policy: Microsoft Defender for Cloud Apps