A KQL hunting query joins SecurityIncident with SecurityAlert but returns duplicate rows for incidents with multiple alerts. What KQL approach best preserves one row per incident while summarizing alert details?
Correct for the stated requirement.
Why this answer
Option D is correct because `summarize make_set()` or `arg_max()` grouped by `IncidentNumber` collapses multiple alert rows into a single incident row while preserving alert details in an array or the most recent alert. This directly addresses the duplicate rows caused by a one-to-many join between SecurityIncident and SecurityAlert, ensuring one row per incident without data loss.
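As an added illustration of the approach described above (example code, not part of the original question), the query below joins the two tables and then collapses back to one row per incident with `summarize make_set()` and `arg_max()`. It is written against the standard Microsoft Sentinel `SecurityIncident` and `SecurityAlert` schemas; the lookback window and the chosen output columns are assumptions.

```kql
// Added example: one row per incident after a one-to-many SecurityIncident -> SecurityAlert join.
// Assumes the standard Sentinel schemas: SecurityIncident.AlertIds (dynamic array of alert ids)
// and SecurityAlert.SystemAlertId. The 7-day lookback is an assumed value.
let lookback = 7d;
let Incidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    // SecurityIncident writes a new row on every update; keep only the latest state per incident,
    // otherwise the incident side of the join is already duplicated before any alert is attached.
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | project IncidentNumber, Title, Severity, Status, AlertIds;
Incidents
// One row per (incident, alert id): this is where the duplicate incident rows originate.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // Alerts are also re-emitted on update; keep the most recent version of each alert.
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, ProductName, AlertTime = TimeGenerated
  ) on $left.AlertId == $right.SystemAlertId
// Collapse back to exactly one row per incident while keeping the alert detail:
// make_set() preserves every alert as an array, arg_max() keeps the most recent alert's name and time.
| summarize
    AlertCount      = countif(isnotempty(SystemAlertId)),
    AlertNames      = make_set(AlertName, 50),
    AlertSeverities = make_set(AlertSeverity),
    Products        = make_set(ProductName),
    arg_max(AlertTime, AlertName)
    by IncidentNumber, Title, Severity, Status
| order by IncidentNumber desc
```

Incidents whose alerts fall outside the lookback window still appear (because of `kind=leftouter`) with `AlertCount` of 0, which is a useful check that the aggregation, not the join, is what removed the duplicates.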
Exam trap
The trap here is that candidates often confuse sorting or limiting rows (options A and C) with deduplication, or incorrectly think a union can replace a join, missing the fundamental need to aggregate after a one-to-many relationship.
How to eliminate wrong answers
Option A is wrong because `order by TimeGenerated desc` only sorts the result set; the duplicate rows remain. Option B is wrong because `union` appends rows from two tables without any join logic, so it would not correlate incidents with their alerts and would produce a completely different, incorrect result set. Option C is wrong because `take 1` before the join arbitrarily truncates the input, which can discard relevant alerts and still produces duplicates when an incident has multiple alerts in the rows that remain.