Exam SC-200 topic 3 question 15 discussion

0,1 The first scenario will not generate any alerts, as each series by Caller generates a single result; there is only one caller, therefore 1 result, which is below the threshold (results > 2). In the second scenario, there will be 3 results (one for each caller), so one alert will be generated (as this is above the threshold and the results are grouped into a single alert).

0,1 make-series is going to make lists of all the EventSubmissionTimestamp values for each user, with each user being on a separate row. This means that if 1 user creates 3 machines, it will aggregate them all into 1 row. And if 3 users create 1 virtual machine we will see 3 separate rows. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator#examples

correct

0, 1. The key really is make-series.

On the exam July 7 2023

I think answer should be 0 and 1. The make-series operator creates a series of specified aggregated values along a specified axis. In this case the "Caller", this will make 3 rows, 1 row. This will create a table that shows arrays of the ResourceID's of each query result from each "Caller" ordered by specified time range. The rule specifies when the query returns 2 results in a 5 minute timespan, trigger the alert, in this case the first scenario would only trigger 1 row on the results table as it uses "DCOUNT". In the second scenario it will trigger 1 alert as the threshold is 2 results and group results on a single alert option is selected. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator

I think the answer 1,1 is correct. The alert will be based on 5 hours and it will only trigger when it is having 2 counts. You will end up with 3 counts of computers been created through a single deployment, regardless this should be visible under the 5 hours log.

I would say if all 3 individual users created a VM within 5 minutes of each other i.e. 3 VM's created within the 5 minute window, then an alert would be triggered/generated. Correct answer would then be 1 and 1 alert.

I wonder if 2nd answer should be 0. Please correct me with appropriate justification. Thanks.