- A. The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.
  The summarize creates columns from the aggregate expressions and group-by columns. 'count_IPAddress' is not defined, so the where clause always evaluates to false.
- B. The query does not filter for failed sign-ins (e.g., ResultType == 0).
  Why wrong: The query may also need to filter for success or failure, but the primary reason for no alerts is the missing column, not the lack of a filter.
- C. The rule should use a longer time range, such as 24 hours.
  Why wrong: The time range of 1 hour is already longer than the 5-minute window; the issue is not the time range but the incorrect column reference.
- D. The rule needs to use the 'make_set' function to correctly count distinct IP addresses.
  Why wrong: While using make_set is a correct approach, the absence of that function is not the reason for the rule failing. The immediate issue is the invalid column name.
Quick Answer
The answer is that the query references a column named `count_IPAddress` which does not exist in the summarized dataset. The `summarize` operator groups by `UserPrincipalName` and `IPAddress`, so it does not automatically create a column called `count_IPAddress`; instead, it produces a table with only the grouping columns and any explicit aggregation columns like `StartTime` and `EndTime`. When the `where` clause tries to filter on a non-existent column, the query either fails silently or returns zero results, which is why the impossible travel rule never alerts. On the SC-200 exam, this tests your ability to read KQL syntax carefully—specifically, understanding that `summarize` only retains columns you explicitly define. A common trap is assuming that `count_IPAddress` is automatically generated, but KQL requires you to use `count()` as an aggregation function. Memory tip: if you don’t see an aggregation like `count()` or `dcount()` in the `summarize` line, any reference to a count column is a phantom column.
SC-200 Mitigate threats using Microsoft Sentinel Practice Question
This SC-200 practice question tests your understanding of Mitigate threats using Microsoft Sentinel. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the KQL `summarize` operator requires explicit naming for aggregated columns. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel with the following KQL query:

```kql
SigninLogs
| where TimeGenerated > ago(1h)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress
| where EndTime - StartTime < 5m and count_IPAddress > 1
```

The intended purpose is to detect users logging in from multiple IP addresses in a short time (impossible travel). However, the rule does not generate any alerts. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"most likely". Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer choices
Why each option matters
Correct answer & explanation
The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.
The query uses `summarize ... by UserPrincipalName, IPAddress` which groups by both fields, so it does not create a column named `count_IPAddress`. The `where` clause then references `count_IPAddress`, which does not exist, causing the query to fail silently or return no results. This is why no alerts are generated.
Key principle: The KQL `summarize` operator requires explicit naming for aggregated columns.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.
Why this is correct
The summarize creates columns from the aggregate expressions and group-by columns. 'count_IPAddress' is not defined, so the where clause always evaluates to false.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
The KQL `summarize` operator requires explicit naming for aggregated columns.
- ✗
The query does not filter for failed sign-ins (e.g., ResultType == 0).
Why it's wrong here
The query may also need to filter for success or failure, but the primary reason for no alerts is the missing column, not the lack of a filter.
- ✗
The rule should use a longer time range, such as 24 hours.
Why it's wrong here
The time range of 1 hour is already longer than the 5-minute window; the issue is not the time range but the incorrect column reference.
- ✗
The rule needs to use the 'make_set' function to correctly count distinct IP addresses.
Why it's wrong here
While using make_set is a correct approach, the absence of that function is not the reason for the rule failing. The immediate issue is the invalid column name.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may focus on the logic of impossible travel detection (e.g., time range, distinct IPs) and overlook the simple syntax error of referencing a column that was never created by the `summarize` operator.
Detailed technical explanation
How to think about this question
In KQL, the `summarize` operator creates columns only from the aggregation functions and the `by` clause. Here, `min(TimeGenerated)` and `max(TimeGenerated)` create `StartTime` and `EndTime`, but no count column is defined. To count IP addresses per user, you would need `summarize StartTime = min(...), EndTime = max(...), count_IPAddress = count() by UserPrincipalName` (without IPAddress in the group-by). The original query groups by IPAddress, so each group has only one IP, making the count always 1.
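To make the principle concrete, here is a corrected version of the rule query. This is an added example, not the query from the question or from Microsoft; it keeps the table and column names the question uses (`SigninLogs`, `TimeGenerated`, `UserPrincipalName`, `IPAddress`) and introduces its own result column names (`DistinctIPs`, `IPAddresses`), which are assumptions. It groups by user only and defines the count with an explicit `dcount()` aggregation, so the `where` clause filters on a column that `summarize` actually produces:

```kql
// Added example (not part of the original question): corrected impossible-travel query.
// Grouping by UserPrincipalName alone means each row covers all of a user's sign-ins in
// the window; dcount(IPAddress) gives the where clause a real column to test, and
// make_set(IPAddress) lists the addresses for the analyst.
SigninLogs
| where TimeGenerated > ago(1h)
// Optional: keep successful sign-ins only. ResultType is a string column in SigninLogs
// (assumption: "0" denotes success), so compare it as a string.
| where ResultType == "0"
| summarize
    StartTime   = min(TimeGenerated),
    EndTime     = max(TimeGenerated),
    DistinctIPs = dcount(IPAddress),      // explicit aggregation: this column now exists
    IPAddresses = make_set(IPAddress)     // the distinct addresses seen for the user
    by UserPrincipalName
| where DistinctIPs > 1 and (EndTime - StartTime) < 5m
| project UserPrincipalName, StartTime, EndTime, DistinctIPs, IPAddresses
```

The `EndTime - StartTime < 5m` test preserves the original intent (two or more addresses within five minutes). Note that because the grouping now spans every sign-in the user made in the hour, a user with one address at 09:00 and a second at 09:50 will not match; a production rule would normally rely on the scheduled rule's own lookback window rather than this span check.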
Key Concepts to Remember
- The KQL `summarize` operator requires explicit naming for aggregated columns.
- Columns in the `by` clause of `summarize` are not automatically counted with a `count_` prefix.
- Referencing a non-existent column in KQL will cause the query to fail or return no results.
- To count occurrences in `summarize`, an explicit `count()` or `dcount()` aggregation function must be used.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
The KQL `summarize` operator requires explicit naming for aggregated columns.
Real-world example
How this comes up in practice
A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. The KQL `summarize` operator requires explicit naming for aggregated columns. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.
What to study next
Got this wrong? Here's your next step.
Review the key principle (the KQL `summarize` operator requires explicit naming for aggregated columns), then practise related SC-200 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this SC-200 question test?
Mitigate threats using Microsoft Sentinel — This question tests Mitigate threats using Microsoft Sentinel — The KQL `summarize` operator requires explicit naming for aggregated columns.
What is the correct answer to this question?
The correct answer is: The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name. — The query uses `summarize ... by UserPrincipalName, IPAddress` which groups by both fields, so it does not create a column named `count_IPAddress`. The `where` clause then references `count_IPAddress`, which does not exist, causing the query to fail silently or return no results. This is why no alerts are generated.
What should I do if I get this SC-200 question wrong?
Review the key principle (the KQL `summarize` operator requires explicit naming for aggregated columns), then practise related SC-200 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
The KQL `summarize` operator requires explicit naming for aggregated columns.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 11, 2026
This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.