SC-200 • Timed Practice Test 5
This is a timed practice session. You have 10 minutes to answer 10 questions — approximately 1 minute per question, matching real SC-200 exam pace. Answer every question before time expires.
Exam-pace drill
Allow 1 minute per question. On the real SC-200 exam you have approximately 72 seconds per question — this session trains you to maintain that pace under pressure.
A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?