Question 545 of 1,639
Mitigate threats using Microsoft Sentinel · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is the KQL pattern using `dcount(IPAddress)` aggregated by `UserPrincipalName` and `bin(TimeGenerated, 15m)`, then filtered with `where DistinctIPs > 10`. This works because `dcount()` provides an approximate distinct count of IP addresses per user within each 15-minute window, directly matching the requirement to detect failed sign-ins from different IPs rather than counting total failed attempts. On the SC-200 exam, this pattern tests your understanding of when to use distinct counting versus simple counting—a common trap is using `count()` instead of `dcount()`, which would flag a user who fails 11 times from the same IP, missing the multi-IP threat. Remember the memory tip: "Different IPs demand dcount, not count"—if the question specifies "different IP addresses," always reach for `dcount()`.

SC-200 Mitigate threats using Microsoft Sentinel Practice Question

This SC-200 practice question tests your understanding of the "Mitigate threats using Microsoft Sentinel" objective. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the `dcount()` KQL function counts distinct values of an expression. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that triggers when a Microsoft Entra ID user performs more than 10 failed sign-in attempts from different IP addresses within 15 minutes, using the SigninLogs table. Which KQL query aggregate pattern should be used?



Correct answer & explanation

SigninLogs | summarize DistinctIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m) | where DistinctIPs > 10

Option B is correct because the query uses `dcount(IPAddress)` to count distinct IP addresses per user within a 15-minute time window, then filters for users with more than 10 distinct IPs. This directly matches the requirement to detect failed sign-ins from different IP addresses, not just total failed attempts.

Key principle: The `dcount()` KQL function counts distinct values of an expression.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A. SigninLogs | summarize FailedCount = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 15m) | where FailedCount > 10

    Why it's wrong here

    This counts total failed attempts per IP, not distinct IPs per user.

  • B. SigninLogs | summarize DistinctIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m) | where DistinctIPs > 10

    Why this is correct

    This correctly calculates distinct IPs per user per 15-minute bin and filters for more than 10.

    Related concept

    The `dcount()` KQL function counts distinct values of an expression.

  • C. SigninLogs | summarize DistinctIPs = count() by UserPrincipalName, IPAddress | where DistinctIPs > 10

    Why it's wrong here

    Missing time bin and counts per IP instead of distinct IPs per user.

  • D. SigninLogs | where Status contains 'Failed' | summarize by UserPrincipalName, IPAddress | count > 10

    Why it's wrong here

    Invalid KQL syntax; does not use summarize correctly and lacks time filtering.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse counting total events with counting distinct values, leading them to pick Option A which counts all failures instead of distinct IPs.

Detailed technical explanation

How to think about this question

The `dcount()` function uses the HyperLogLog algorithm to produce approximate distinct counts, which is efficient for large datasets like SigninLogs. In a real SOC scenario, an attacker might rotate IPs via proxies or VPNs to evade detection; counting distinct IPs per user within a short window is a classic brute-force detection pattern. `bin(TimeGenerated, 15m)` creates fixed 15-minute buckets; when the scheduled rule runs with a matching lookback period, each run evaluates those buckets, so the rule keeps stepping through the data correctly over time.
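To make the count-versus-dcount trap concrete, here is an added Python example (not code from the original page or from Microsoft) that replays Option A and Option B as in-memory aggregations over constructed rows shaped like SigninLogs. The sample data, the user names and the documentation-range IP addresses are all constructed; the example also assumes that a `ResultType` of `"0"` denotes a successful sign-in, and it applies an explicit failure filter that a production rule needs even though the abbreviated exam query leaves it implicit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like SigninLogs: (UserPrincipalName, IPAddress,
# ResultType, TimeGenerated). ResultType "0" is a success; anything else fails.
BASE = datetime(2024, 1, 1, 9, 0)
SIGNIN_LOGS = []
# alice: 11 failures from 11 different IPs inside one 15-minute bin (the real pattern)
for i in range(11):
    SIGNIN_LOGS.append(("alice@contoso.test", f"203.0.113.{i + 1}", "50126", BASE + timedelta(minutes=i)))
# bob: 11 failures from a single IP (the count() trap; dcount() must not flag him)
for i in range(11):
    SIGNIN_LOGS.append(("bob@contoso.test", "198.51.100.7", "50126", BASE + timedelta(minutes=i)))
# carol: 12 distinct IPs, but 6 land in each of two adjacent bins (bin-boundary caveat)
for i in range(12):
    minute = 9 + i if i < 6 else 15 + (i - 6)
    SIGNIN_LOGS.append(("carol@contoso.test", f"192.0.2.{i + 1}", "50126", BASE + timedelta(minutes=minute)))
# dave: 12 successful sign-ins from 12 IPs; a failure filter must exclude these
for i in range(12):
    SIGNIN_LOGS.append(("dave@contoso.test", f"192.0.2.{100 + i}", "0", BASE + timedelta(minutes=i)))


def bin_time(ts, minutes):
    """Floor ts to the start of its fixed bucket, like KQL bin(TimeGenerated, Nm).
    Assumes `minutes` divides 60 (true for the 5m and 15m bins on this page)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def failed_only(rows):
    """Equivalent of `| where ResultType != "0"` (assumed success code)."""
    return [r for r in rows if r[2] != "0"]


def dcount_ips_by_user(rows, window_minutes=15):
    """Option B: summarize DistinctIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m).
    A set per (user, bin) gives an exact distinct count; KQL's dcount() is approximate."""
    buckets = defaultdict(set)
    for user, ip, _, ts in rows:
        buckets[(user, bin_time(ts, window_minutes))].add(ip)
    return {key: len(ips) for key, ips in buckets.items()}


def count_by_user_ip(rows, window_minutes=15):
    """Option A: summarize FailedCount = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 15m)."""
    buckets = defaultdict(int)
    for user, ip, _, ts in rows:
        buckets[(user, ip, bin_time(ts, window_minutes))] += 1
    return dict(buckets)


def flag_distinct_ips(rows, threshold=10, window_minutes=15):
    """Users with more than `threshold` distinct failing IPs in any bin (the correct pattern)."""
    agg = dcount_ips_by_user(failed_only(rows), window_minutes)
    return sorted({user for (user, _), n in agg.items() if n > threshold})


def flag_count_per_ip(rows, threshold=10, window_minutes=15):
    """Users with more than `threshold` failures from one IP in any bin (the Option A trap)."""
    agg = count_by_user_ip(failed_only(rows), window_minutes)
    return sorted({user for (user, _, _), n in agg.items() if n > threshold})


if __name__ == "__main__":
    print("dcount pattern flags:", flag_distinct_ips(SIGNIN_LOGS))   # alice only
    print("count pattern flags: ", flag_count_per_ip(SIGNIN_LOGS))   # bob only
    print("carol per bin:", {k[1].strftime('%H:%M'): v for k, v in
                             dcount_ips_by_user(failed_only(SIGNIN_LOGS)).items()
                             if k[0].startswith("carol")})
    print("dave without failure filter:",
          dcount_ips_by_user(SIGNIN_LOGS)[("dave@contoso.test", BASE)])
```

Running it shows the two aggregations flagging different users: the `dcount` pattern reports alice (11 distinct IPs) and ignores bob (11 attempts from one IP), while the `count()` pattern does the reverse. carol's 12 IPs split 6/6 across two bins, so neither fixed bucket exceeds 10, which is the cost of tumbling bins versus a true sliding window; and without the failure filter, dave's 12 successful sign-ins from 12 addresses would be counted as if they were failures.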

Key Concepts to Remember

  • The `dcount()` KQL function counts distinct values of an expression.
  • The `bin()` operator groups data into fixed-size time intervals.
  • Scheduled analytics rules in Sentinel use KQL for detection logic.
  • `SigninLogs` table contains Microsoft Entra ID sign-in activity.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

The `dcount()` KQL function counts distinct values of an expression.

Real-world example

How this comes up in practice

A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. The `dcount()` KQL function counts distinct values of an expression. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.

What to study next

Got this wrong? Here's your next step.

Review the key principle (the `dcount()` KQL function counts distinct values of an expression), then practise related SC-200 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this SC-200 question test?

This question tests the "Mitigate threats using Microsoft Sentinel" objective. The key concept is that the `dcount()` KQL function counts distinct values of an expression.

What is the correct answer to this question?

The correct answer is: SigninLogs | summarize DistinctIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m) | where DistinctIPs > 10 — Option B is correct because the query uses `dcount(IPAddress)` to count distinct IP addresses per user within a 15-minute time window, then filters for users with more than 10 distinct IPs. This directly matches the requirement to detect failed sign-ins from different IP addresses, not just total failed attempts.

What should I do if I get this SC-200 question wrong?

Review the key principle (the `dcount()` KQL function counts distinct values of an expression), then practise related SC-200 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

The `dcount()` KQL function counts distinct values of an expression.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Same concept, more angles

1 more way this is tested on SC-200

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that detects a potential brute-force attack. The rule should alert when a single IP address attempts to sign in to more than 10 different user accounts within 5 minutes. The data is in the 'SigninLogs' table. Which KQL operator should the analyst use to count distinct users per IP address per 5-minute time window?

Difficulty: medium
  • A. summarize dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 5m)
  • B. summarize count(UserPrincipalName) by IPAddress
  • C. summarize dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 5m)
  • D. make-set(UserPrincipalName) by IPAddress

Why A: Option A is correct because the requirement is to count distinct user accounts per IP address within a 5-minute window. The `dcount()` function estimates the number of distinct values of `UserPrincipalName`, `bin(TimeGenerated, 5m)` groups the logs into 5-minute buckets, and `summarize ... by IPAddress` ensures the count is per source IP. This directly matches the brute-force detection logic of more than 10 distinct users from a single IP in 5 minutes.

Last reviewed: Jun 11, 2026


This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.