SC-200 • Practice Test 5
Free SC-200 practice test — 10 questions with explanations. Set 5. No signup required.
A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?