SC-200 Perform threat hunting • Set 17
SC-200 Perform threat hunting Practice Test 17 — 15 questions with explanations.
Refer to the exhibit.

```kusto
let timeframe = 7d;
// External list of known-malicious IPs, one per line
let maliciousIPs = externaldata(IP:string)
    ["https://raw.githubusercontent.com/.../malicious_ips.txt"]
    with (format="csv");
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemoteIP in (maliciousIPs)
| summarize count() by DeviceName, RemoteIP
```

You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?