SC-200 Domain 3: Perform threat hunting (20-25%) - Complete Study Guide 2026

TL;DR
  • Domain 3 (Perform threat hunting) makes up 20-25% of the SC-200 exam, the smallest of the three domains.
  • KQL fluency is tested indirectly through query interpretation, not just memorized syntax.
  • Hunting queries, notebooks, and livestream sessions inside Microsoft Sentinel are core exam topics.
  • The exam allows 100 minutes and requires a scaled score of 700 or higher to pass.

Domain 3 Overview: Why Threat Hunting Carries 20-25%

Perform threat hunting is the smallest of the three official domain groups on Exam SC-200, weighted at 20-25%, compared to 40-45% for Manage a security operations environment and 35-40% for Respond to security incidents. But "smallest" does not mean "skippable." Because the exam typically contains 40-60 questions delivered in a 100-minute window, even a 20% weighting can translate into a meaningful block of questions that determine whether you clear the passing score of 700.

Threat hunting on SC-200 is fundamentally about proactive investigation: querying data with KQL, building and refining hunting queries in Microsoft Sentinel, using threat intelligence to enrich hunts, and automating repeatable hunting workflows with notebooks. Unlike Domain 2, which centers on reacting to alerts and incidents that already exist, Domain 3 tests whether you can go looking for threats that haven't triggered an alert yet.

If you haven't already mapped out how this domain fits with the other two, the SC-200 Exam Domains 2026: Complete Guide to All 3 Content Areas breaks down all three groups side by side. This article goes deep specifically on threat hunting.

Scope Reminder: Microsoft's official skills-measured document (last updated June 26, 2026, reflecting skills as of July 28, 2026) can shift domain weightings and subtopics before your test date. Always cross-check the live Microsoft Learn page against what you study.

KQL Mastery: The Non-Negotiable Skill

You cannot pass Domain 3 without being comfortable reading and reasoning about Kusto Query Language (KQL). The exam sandbox includes multiple choice, drag-and-drop, hot area, build list, and active screen formats - several of which are used specifically to test whether you understand what a KQL query does, not whether you can type one from scratch under exam pressure.

Expect scenarios where you're shown a partial query and asked to complete a missing operator, or shown a query's output and asked what it's hunting for. Core KQL concepts you need cold:

KQL Operators and Functions for Threat Hunting

Candidates must be able to interpret and sometimes construct queries using core Kusto operators against Sentinel and Defender XDR tables.

  • summarize, project, extend, and where for filtering and shaping hunt results
  • join and union for correlating identity, device, and network log tables
  • Time-window functions like ago() and bin() used to scope a hunt to a suspicious activity window
  • Parsing functions (parse, extract) for pulling indicators out of raw log fields
  • Understanding which Sentinel/Defender tables (IdentityLogonEvents, DeviceNetworkEvents, EmailEvents) apply to a given hunting scenario

You do not need to memorize every function signature, but you should be able to look at a query and predict its output - that's the pattern the exam rewards.
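To make that list concrete, here is an added example hunt (it is not from this page or from Microsoft) written against the Defender XDR advanced hunting schema. It joins IdentityLogonEvents to DeviceNetworkEvents to surface devices that opened outbound connections on non-standard ports shortly after an account logged on successfully following a burst of failures. Every operator from the list appears: where and extend to shape rows, ago() and bin() to scope the window, extract() to pull a hostname out of a URL field, join to correlate tables, and summarize plus project to shape the output. The thresholds (5 failures, the 2-hour follow-on window, the "quiet" port list, the 10-connection floor) are assumptions to tune for your tenant.

```kql
// Added example hunt (not from the page): repeated logon failures followed by a success,
// then outbound connections from the same device on ports that are not normally used.
let lookback = 7d;                 // how far back the hunt looks
let min_failures = 5;              // assumption: failures needed before a success counts as suspicious
// Step 1: hourly logon windows per account and device with many failures and at least one success.
let suspicious_logons =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where LogonType in ("Interactive", "RemoteInteractive")
    | summarize Failures = countif(ActionType == "LogonFailed"),
                Successes = countif(ActionType == "LogonSuccess"),
                SourceIPs = make_set(IPAddress, 5)
        by AccountUpn, DeviceName, LogonWindow = bin(Timestamp, 1h)
    | where Failures >= min_failures and Successes >= 1
    | project AccountUpn, DeviceName, LogonWindow, Failures, SourceIPs;
// Step 2: outbound connections from those devices in the two hours after the logon window.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| where RemotePort !in (80, 443, 53, 123)        // assumption: ports treated as ordinary traffic
// Pull the hostname out of RemoteUrl when present, otherwise fall back to the raw IP.
| extend RemoteHost = iff(isnotempty(RemoteUrl),
                          extract(@"^(?:[a-z]+://)?([^/:]+)", 1, RemoteUrl),
                          RemoteIP)
| join kind=inner suspicious_logons on DeviceName
| where Timestamp between (LogonWindow .. (LogonWindow + 2h))
| summarize Connections = count(),
            DistinctPorts = dcount(RemotePort),
            Ports = make_set(RemotePort, 10),
            Processes = make_set(InitiatingProcessFileName, 5),
            FirstConnection = min(Timestamp)
    by DeviceName, AccountUpn, RemoteHost, Failures
| where Connections >= 10                         // assumption: floor to drop one-off connections
| order by Connections desc
```

Reading it the way the exam expects: if the summarize in step 1 were removed, the join would fan out to one row per logon event and the Connections count would be inflated; if the between clause were dropped, the query would correlate any connection in the week with any logon window, which is the kind of "what does this clause do" change a hot area or build list item is likely to probe.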

Key Takeaway

Practice reading unfamiliar KQL queries out loud and explaining what each clause does. The exam tests comprehension more than blind recall of syntax.

Proactive Hunting Workflows in Microsoft Sentinel

Microsoft Sentinel's hunting blade is the operational home for this domain. Candidates are expected to know how to:

  • Use built-in hunting queries organized by MITRE ATT&CK tactic and run them against connected data sources
  • Create custom hunting queries and save them for reuse across the SOC
  • Convert a successful hunting query into a scheduled analytics rule so future occurrences generate incidents automatically
  • Track hunts using bookmarks to capture evidence and link it to an investigation
  • Use entity pages to pivot from a user, host, or IP address into related hunting queries

This overlaps conceptually with Domain 1's SOC configuration work and Domain 2's incident response work, which is exactly why Microsoft groups them as related-but-distinct domains. If you're unclear on how Domain 1 responsibilities differ from Domain 3, the dedicated breakdown in SC-200 Domain 1: Manage a security operations environment (40-45%) - Complete Study Guide 2026 is worth reading alongside this one, and the incident-response counterpart is covered in SC-200 Domain 2: Respond to security incidents (35-40%) - Complete Study Guide 2026.

Exam Pattern: Scenario questions in Domain 3 often describe a suspicious pattern (unusual sign-ins, lateral movement, data exfiltration attempts) and ask which hunting approach or KQL construct surfaces it fastest - not just "what tool do you open."

Threat Intelligence and IOC Management

Threat hunting doesn't happen in a vacuum - it's driven by threat intelligence. Domain 3 expects familiarity with:

  • Importing and managing threat indicators (IPs, hashes, domains, URLs) inside Microsoft Sentinel's threat intelligence workspace
  • Using TI matching analytics rules to correlate ingested indicators against log data automatically
  • Understanding how threat intelligence feeds (including STIX/TAXII sources) integrate with Sentinel
  • Applying threat intelligence context to prioritize which hunting leads to pursue first
  • Recognizing how Microsoft Defender Threat Intelligence and Microsoft Security Copilot surface enrichment data during a hunt

Because Microsoft explicitly calls out AI agents and Copilot experiences as expected knowledge for SC-200 candidates, don't be surprised if a question asks how Security Copilot accelerates a hunting workflow rather than replacing analyst judgment entirely.
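The TI matching pattern above is easier to picture as a query. This is an added example (not from the page and not one of Sentinel's built-in TI map rules) that matches active IP indicators from Sentinel's ThreatIntelligenceIndicator table against outbound device connections. The two lookback values, the confidence threshold and the choice of DeviceNetworkEvents as the log source are assumptions; the same shape applies to domain, URL or hash indicators by swapping the indicator column and the log column being joined.

```kql
// Added example (not from the page): correlate active IP indicators with outbound connections.
let dt_lookBack = 1h;     // how far back to scan events (for a rule, this is the query period)
let ioc_lookBack = 14d;   // how far back to collect indicators
let ip_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    // Indicators are re-ingested when updated; keep only the latest version of each one.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // IP indicators may land in any of three columns depending on the feed.
    | extend TI_IP = coalesce(NetworkDestinationIP, NetworkIP, NetworkSourceIP)
    | where isnotempty(TI_IP)
    | project TI_IP, IndicatorId, ConfidenceScore, ThreatType, Description,
              ExpirationDateTime, SourceSystem;
DeviceNetworkEvents
| where TimeGenerated >= ago(dt_lookBack)      // Defender XDR advanced hunting calls this column Timestamp
| where RemoteIPType == "Public" and ActionType in ("ConnectionSuccess", "ConnectionRequest")
| join kind=inner ip_indicators on $left.RemoteIP == $right.TI_IP
| where ConfidenceScore >= 50                  // assumption: minimum feed confidence worth a lead
| summarize Hits = count(),
            FirstHit = min(TimeGenerated),
            LastHit = max(TimeGenerated),
            Processes = make_set(InitiatingProcessFileName, 5)
    by DeviceName, RemoteIP, RemotePort, IndicatorId, ThreatType, Description,
       ConfidenceScore, SourceSystem
| order by ConfidenceScore desc, Hits desc
```

The arg_max step matters in practice: without it, an indicator that a feed updated three times produces three matches for a single connection, which is exactly the duplicate-alert problem the built-in TI matching rules are written to avoid. Sorting by confidence first is the "use TI context to prioritize leads" point from the list above.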

Automating Hunts with Notebooks and Livestream

Beyond ad hoc queries, Domain 3 tests knowledge of repeatable, automatable hunting techniques:

Sentinel Notebooks and Livestream

Candidates should understand when to escalate from a single query to a structured, repeatable hunting workflow.

  • Jupyter notebooks integrated with Sentinel for multi-step, code-driven hunting investigations
  • Livestream sessions used to test a hunting query in near real time before formalizing it as a rule
  • Saving and sharing hunting queries across a SOC team for consistency
  • Converting validated hunt logic into detection rules to close the loop from hunting to automated alerting

This "hunt now, automate later" lifecycle is a recurring theme: a good hunter doesn't just find one instance of malicious activity, they operationalize the detection so the SOC catches it automatically next time.
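To show the hunt-to-rule lifecycle described in the two lists above (running and refining a hunting query, then converting it into a scheduled analytics rule), here is an added example that is not from the page: one hunt for script interpreters launched by Office applications, written first in its ad hoc hunting form and then in the form you would paste into a scheduled analytics rule. The process names, the assumed rule schedule (runs hourly, looks back one hour) and the allow-listed script name are assumptions.

```kql
// Added example (not from the page): the same hunt in its two lifecycle forms.
// ===== Form 1: ad hoc hunt. Wide window, raw rows, ordered for a human to read. =====
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountUpn, InitiatingProcessFileName, FileName,
          ProcessCommandLine, SHA256
| order by Timestamp desc

// ===== Form 2: scheduled analytics rule. Bounded to the rule's query period, benign =====
// ===== cases learned during the hunt excluded, one row per device and account so a   =====
// ===== single incident carries all the evidence, and clean columns for entity mapping =====
// ===== (assumed mapping: AccountUpn -> Account, DeviceName -> Host, Hashes -> FileHash). =====
let query_period = 1h;                                    // assumption: rule runs hourly, looks back 1h
let allowed_scripts = dynamic(["approved-macro-helper.ps1"]);   // assumption: placeholder allow-list
DeviceProcessEvents
| where Timestamp > ago(query_period)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| where not(ProcessCommandLine has_any (allowed_scripts))   // exclusions discovered while hunting
| summarize StartTime = min(Timestamp),
            EndTime = max(Timestamp),
            Launches = count(),
            Parents = make_set(InitiatingProcessFileName, 5),
            CommandLines = make_set(ProcessCommandLine, 10),
            Hashes = make_set(SHA256, 10)
    by DeviceName, AccountUpn
```

In the Log Analytics query editor the two queries can sit in one window separated by the blank line; Run executes whichever one the cursor is in. The changes between the forms are the ones a build list item tends to ask you to sequence: shrink the lookback to the rule period, encode the false positives the hunt taught you, aggregate so the rule fires once per entity, and keep the entity columns the rule's mapping needs.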

How Domain 3 Questions Are Actually Written

Microsoft does not publish exact formats in advance, but the exam sandbox for SC-200 explicitly includes active screen, build list, case study, drag-and-drop, hot area, and multiple choice items, plus possible labs. For threat hunting specifically, expect:

  • Case studies describing a hunt scenario with several related questions requiring you to reference earlier details
  • Drag-and-drop or build list items asking you to sequence hunting steps or assemble a KQL query from fragments
  • Hot area questions where you select the correct portion of a query or log output that reveals malicious activity
  • Multiple choice questions testing whether you know which data source or Sentinel feature applies to a described hunting need

Because Microsoft Learn access is available during the exam within the Learn domain (with the timer still running), you can look up unfamiliar syntax - but relying on that heavily during a 100-minute exam is a losing strategy. Build genuine KQL fluency instead of planning to look everything up live. For a broader sense of how tough this exam feels overall, see How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026.

Key Takeaway

Time-box practice questions to under two minutes each so you build the pacing needed to finish all 40-60 questions within 100 minutes, including case studies.

Scheduling Domain 3 Inside Your Study Plan

Given its 20-25% weighting, Domain 3 deserves a focused but not disproportionate slice of your prep calendar. A reasonable approach places the domains in study order matching their real-world dependency: SOC configuration first, incident response second, then hunting - since hunting builds on knowledge of both the environment and the incident lifecycle.

Week 1-2

Foundations from Domain 1

  • Configure Sentinel workspaces, data connectors, and Defender XDR settings
  • Get comfortable navigating the Sentinel and Defender portals

Week 3

Domain 2 Incident Response

  • Practice triage, correlation, and remediation workflows
  • Review automation via playbooks and Logic Apps

Week 4

Domain 3 Threat Hunting Deep Dive

  • Drill KQL query comprehension daily
  • Run built-in hunting queries against a lab or trial tenant
  • Practice converting hunting queries into analytics rules

Week 5

Integration and Practice Exams

  • Mix all three domains in full-length practice tests
  • Review missed KQL and hunting scenario questions closely

If you want a more complete week-by-week framework covering all three domains together, the flagship SC-200 Study Guide 2026: How to Pass on Your First Attempt lays out the full timeline, and running timed sets on our SC-200 practice test platform is the fastest way to see whether your KQL comprehension holds up under exam conditions.

Domain 3 vs. the Other Two Domains

| Domain | Weight | Primary Focus | Key Tools |
| --- | --- | --- | --- |
| Domain 1: Manage a security operations environment | 40-45% | Configuring SOC, connectors, roles, automation | Sentinel, Defender XDR, Entra ID, Purview |
| Domain 2: Respond to security incidents | 35-40% | Triage, investigate, remediate active incidents | Defender XDR, Sentinel incidents, playbooks |
| Domain 3: Perform threat hunting | 20-25% | Proactive queries, TI correlation, hunt automation | KQL, Sentinel hunting blade, notebooks, TI feeds |

Notice how KQL threads through all three domains, but it's Domain 3 where query-writing and interpretation skills are tested most directly and repeatedly.

Who Hires for These Threat Hunting Skills

SC-200 credential holders with strong threat hunting skills are typically targeted for SOC analyst tier 2/3 roles, threat hunter positions, and detection engineering roles inside managed security service providers (MSSPs) and enterprise security teams. Employers value candidates who can move beyond reactive alert triage into proactive detection engineering - exactly what Domain 3 is designed to validate.

To understand how this maps to job titles and postings, browse SC-200 Jobs. If you're weighing whether the investment in exam fees, study time, and lab access pays off, the Is the SC-200 Certification Worth It? Complete ROI Analysis 2026 and SC-200 Salary Guide 2026: Complete Earnings Analysis articles give more context, and SC-200 Certification Cost 2026: Complete Pricing Breakdown walks through the $165 USD (plus applicable taxes) Associate-level exam fee and what it does and doesn't include.

Certification Maintenance: Once earned, the SC-200 credential expires after 12 months but renews free through an online Microsoft Learn renewal assessment - no need to retake the full proctored exam, including its threat hunting section, every year.

Frequently Asked Questions

How many questions on the SC-200 exam cover threat hunting specifically?

Microsoft does not publish an exact per-domain question count. Domain 3 is weighted at 20-25% of the overall exam, which typically contains 40-60 questions total, so expect roughly a fifth to a quarter of the exam to touch hunting concepts.

Do I need to write KQL from scratch during the exam?

Most Domain 3 questions test your ability to read, complete, or interpret KQL queries through formats like drag-and-drop, build list, or hot area rather than requiring you to write a full query unaided, though solid working knowledge of syntax is essential.

Is threat hunting the hardest domain on SC-200?

Difficulty is subjective, but many candidates find Domain 3 challenging because it demands genuine KQL fluency rather than menu navigation. See How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026 for a full difficulty breakdown across all domains.

Can I use Microsoft Learn during the exam to look up KQL syntax?

Yes, Microsoft Learn access is available during associate and expert-level exams within the Learn domain, but the exam timer continues to run, so heavy reliance on lookups during a 100-minute exam will cost you valuable time.

Where can I practice threat hunting scenarios before test day?

Beyond a Sentinel trial or lab tenant for hands-on KQL practice, running scenario-based questions on our SC-200 practice test platform helps you get comfortable with how Domain 3 concepts are framed as exam questions.
