Question 1,158 of 1,639
Mitigate threats using Microsoft Sentinel · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the query references a column named `count_IPAddress` that does not exist in the summarized dataset. The `summarize` operator outputs only the columns you name in aggregation expressions (here `StartTime` and `EndTime`) plus the `by` columns (`UserPrincipalName` and `IPAddress`); it never invents a `count_IPAddress` column. KQL resolves column names before the query runs, so the `where` clause produces a semantic error ("Failed to resolve scalar expression named 'count_IPAddress'") rather than returning rows: the Sentinel rule wizard flags the query as invalid, and a rule deployed another way fails on every run, so the impossible travel rule never alerts. There is a second flaw hiding behind the first: because the query groups by `IPAddress`, each group holds exactly one IP, so even a correctly declared count could never show more than one distinct address per group. On the SC-200 exam, this tests your ability to read KQL carefully, specifically that `summarize` keeps only columns you explicitly define. A common trap is assuming that `count_IPAddress` is automatically generated; KQL requires an explicit aggregation such as `count()` or `dcount()`. Memory tip: if you don't see an aggregation like `count()` or `dcount()` in the `summarize` line, any reference to a count column is a phantom column.

SC-200 Mitigate threats using Microsoft Sentinel Practice Question

This SC-200 practice question tests your understanding of the Mitigate threats using Microsoft Sentinel objective. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the KQL `summarize` operator requires explicit naming for aggregated columns. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel with the following KQL query:

```kql
SigninLogs
| where TimeGenerated > ago(1h)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress
| where EndTime - StartTime < 5m and count_IPAddress > 1
```

The intended purpose is to detect users logging in from multiple IP addresses in a short time (impossible travel). However, the rule does not generate any alerts. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.

The query uses `summarize ... by UserPrincipalName, IPAddress`, which outputs only `StartTime`, `EndTime`, `UserPrincipalName` and `IPAddress`; no column named `count_IPAddress` is created. The `where` clause then references `count_IPAddress`, which KQL cannot resolve, so the query fails with a semantic error instead of returning rows. A query that errors out can never produce alerts.

Key principle: The KQL `summarize` operator requires explicit naming for aggregated columns.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.

    Why this is correct

`summarize` outputs only the aggregate expressions and the `by` columns. `count_IPAddress` is not among them, so the `where` clause cannot be resolved and the query errors out instead of producing rows.

    Clue confirmation

The clue word "most likely" in the question points toward this answer: an unresolved column is a far more probable cause of zero alerts than any tuning issue.

    Related concept

    The KQL `summarize` operator requires explicit naming for aggregated columns.

  • The query does not filter for failed sign-ins (e.g., ResultType == 0).

    Why it's wrong here

A filter on sign-in outcome is sensible, but note that in SigninLogs `ResultType == "0"` denotes a successful sign-in, not a failure; for impossible travel you would normally keep successes. Either way, the primary reason for no alerts is the unresolved column, not the lack of a filter.

  • The rule should use a longer time range, such as 24 hours.

    Why it's wrong here

The 1-hour lookback already exceeds the 5-minute comparison window (and a scheduled rule's lookback is configured separately in the rule's query scheduling); the issue is the invalid column reference, not the time range.

  • The rule needs to use the 'make_set' function to correctly count distinct IP addresses.

    Why it's wrong here

Collecting the addresses with `make_set(IPAddress)` (or counting them with `dcount(IPAddress)`) grouped by user only is indeed how you would fix the detection logic, but the absence of that function is not why the rule fails. The immediate issue is the unresolved column name.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may focus on the logic of impossible travel detection (e.g., time range, distinct IPs) and overlook the simple syntax error of referencing a column that was never created by the `summarize` operator.

Detailed technical explanation

How to think about this question

In KQL, the `summarize` operator outputs only the columns produced by the aggregation functions and the `by` clause. Here, `min(TimeGenerated)` and `max(TimeGenerated)` produce `StartTime` and `EndTime`, but no count column is defined, so `count_IPAddress` cannot be resolved and the query fails. Declaring it is not enough on its own: the original query groups by `IPAddress`, so every group contains exactly one IP, and `count_IPAddress = count()` would merely count sign-ins from that single address. To detect multiple IPs per user you need `summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctIPs = dcount(IPAddress) by UserPrincipalName` (without `IPAddress` in the group-by), followed by `where DistinctIPs > 1 and EndTime - StartTime < 5m`.
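The corrected logic, as an added example that is not part of the original question or of any Microsoft rule template. The `datatable` is constructed sample data standing in for the SigninLogs table (made-up users and RFC 5737 test addresses); in a real analytics rule the first two lines would be replaced by `SigninLogs | where TimeGenerated > ago(1h)`. The point is that every column the final `where` filters on is produced by the `summarize` above it, and that grouping is by user only:

```kql
// Added example (not from the original question page): impossible-travel logic
// re-written so that every referenced column is actually produced by summarize.
// SampleSigninLogs is constructed data that stands in for the SigninLogs table.
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    // alice: two successful sign-ins from different IPs two minutes apart -> should alert
    datetime(2024-05-01T10:00:00Z), "alice@contoso.com", "203.0.113.10", "0",
    datetime(2024-05-01T10:02:00Z), "alice@contoso.com", "198.51.100.7", "0",
    // bob: two sign-ins from the same IP -> distinct count is 1, no alert
    datetime(2024-05-01T10:01:00Z), "bob@contoso.com",   "192.0.2.44",   "0",
    datetime(2024-05-01T10:03:00Z), "bob@contoso.com",   "192.0.2.44",   "0",
    // carol: two IPs, but both attempts failed (50126 = bad username/password) -> filtered out
    datetime(2024-05-01T10:00:30Z), "carol@contoso.com", "203.0.113.99", "50126",
    datetime(2024-05-01T10:01:30Z), "carol@contoso.com", "198.51.100.3", "50126",
    // dave: two IPs, but 40 minutes apart -> outside the 5-minute window, no alert
    datetime(2024-05-01T10:05:00Z), "dave@contoso.com",  "203.0.113.5",  "0",
    datetime(2024-05-01T10:45:00Z), "dave@contoso.com",  "198.51.100.9", "0"
];
SampleSigninLogs
// Real rule: SigninLogs | where TimeGenerated > ago(1h)
| where ResultType == "0"                      // "0" is a successful sign-in in SigninLogs
| summarize StartTime   = min(TimeGenerated),
            EndTime     = max(TimeGenerated),
            DistinctIPs = dcount(IPAddress),    // explicit aggregation: this column now exists
            IPs         = make_set(IPAddress)   // keep the addresses for the analyst
    by UserPrincipalName                        // group by user only, NOT by IPAddress
// Both filtered columns are defined above, so this resolves instead of erroring.
| where DistinctIPs > 1 and (EndTime - StartTime) < 5m
| project UserPrincipalName, StartTime, EndTime, DistinctIPs, IPs
```

Run against the sample data, only `alice@contoso.com` survives the final filter: bob has one distinct IP, carol's attempts are failures, and dave's two IPs are 40 minutes apart. Two practical caveats: `EndTime - StartTime` measures the spread of all of a user's sign-ins in the lookback window, so a user who signs in from two IPs over a busy hour is judged on that whole span; a stricter variant sorts per user and compares each event to its predecessor with `prev()`. And the `ago(1h)` filter should match the lookback configured in the rule's query scheduling, otherwise the rule either re-alerts on the same events or misses some.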

Key Concepts to Remember

  • The KQL `summarize` operator requires explicit naming for aggregated columns.
  • Columns in the `by` clause of `summarize` are not automatically counted with a `count_` prefix.
  • Referencing a column that does not exist in the current schema is a semantic error in KQL ("Failed to resolve scalar expression named ..."); the query does not run, so it yields no results and no alerts.
  • To count occurrences in `summarize`, an explicit `count()` or `dcount()` aggregation function must be used.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

The KQL `summarize` operator requires explicit naming for aggregated columns.

Real-world example

How this comes up in practice

A SOC analyst converts a hunting query into a scheduled analytics rule and is surprised that it never fires. The correct diagnosis here is the one the scenario supports, not a general tuning recommendation: the KQL `summarize` operator requires explicit naming for aggregated columns, and any column a later `where` filters on must be produced by an operator upstream. Reading the query line by line and checking which columns each operator emits finds the problem faster than adjusting thresholds or time windows.

What to study next

Got this wrong? Here's your next step.

Review how the KQL `summarize` operator requires explicit naming for aggregated columns, then practise related SC-200 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this SC-200 question test?

Mitigate threats using Microsoft Sentinel: the KQL `summarize` operator requires explicit naming for aggregated columns.

What is the correct answer to this question?

The correct answer is: The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name. The query uses `summarize ... by UserPrincipalName, IPAddress`, which outputs only `StartTime`, `EndTime`, `UserPrincipalName` and `IPAddress`; no column named `count_IPAddress` is created. The `where` clause then references `count_IPAddress`, which KQL cannot resolve, so the query fails with a semantic error instead of returning rows, and no alerts are generated.

What should I do if I get this SC-200 question wrong?

Review how the KQL `summarize` operator requires explicit naming for aggregated columns, then practise related SC-200 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

The KQL `summarize` operator requires explicit naming for aggregated columns.


Last reviewed: Jun 11, 2026
