- Domain 3 Overview: Why Threat Hunting Carries 20-25%
- KQL Mastery: The Non-Negotiable Skill
- Proactive Hunting Workflows in Microsoft Sentinel
- Threat Intelligence and IOC Management
- Automating Hunts with Notebooks and Livestream
- How Domain 3 Questions Are Actually Written
- Scheduling Domain 3 Inside Your Study Plan
- Domain 3 vs. the Other Two Domains
- Who Hires for These Threat Hunting Skills
- Frequently Asked Questions
- Domain 3 (Perform threat hunting) makes up 20-25% of the SC-200 exam, the smallest of the three domains.
- KQL fluency is tested indirectly through query interpretation, not just memorized syntax.
- Hunting queries, notebooks, and livestream sessions inside Microsoft Sentinel are core exam topics.
- The exam allows 100 minutes and requires a scaled score of 700 or higher to pass.
Domain 3 Overview: Why Threat Hunting Carries 20-25%
Perform threat hunting is the smallest of the three official domain groups on Exam SC-200, weighted at 20-25%, compared to 40-45% for Manage a security operations environment and 35-40% for Respond to security incidents. But "smallest" does not mean "skippable." Because the exam typically contains 40-60 questions delivered in a 100-minute window, even a 20% weighting can translate into a meaningful block of questions that determine whether you clear the passing score of 700.
Threat hunting on SC-200 is fundamentally about proactive investigation: querying data with KQL, building and refining hunting queries in Microsoft Sentinel, using threat intelligence to enrich hunts, and automating repeatable hunting workflows with notebooks. Unlike Domain 2, which centers on reacting to alerts and incidents that already exist, Domain 3 tests whether you can go looking for threats that haven't triggered an alert yet.
If you haven't already mapped out how this domain fits with the other two, the SC-200 Exam Domains 2026: Complete Guide to All 3 Content Areas breaks down all three groups side by side. This article goes deep specifically on threat hunting.
KQL Mastery: The Non-Negotiable Skill
You cannot pass Domain 3 without being comfortable reading and reasoning about Kusto Query Language (KQL). The exam sandbox includes multiple choice, drag-and-drop, hot area, build list, and active screen formats - several of which are used specifically to test whether you understand what a KQL query does, not whether you can type one from scratch under exam pressure.
Expect scenarios where you're shown a partial query and asked to complete a missing operator, or shown a query's output and asked what it's hunting for. Core KQL concepts you need cold:
KQL Operators and Functions for Threat Hunting
Candidates must be able to interpret and sometimes construct queries using core Kusto operators against Sentinel and Defender XDR tables.
- `summarize`, `project`, `extend`, and `where` for filtering and shaping hunt results
- `join` and `union` for correlating identity, device, and network log tables
- Time-window functions like `ago()` and `bin()` used to scope a hunt to a suspicious activity window
- Parsing functions (`parse`, `extract`) for pulling indicators out of raw log fields
- Understanding which Sentinel/Defender tables (`IdentityLogonEvents`, `DeviceNetworkEvents`, `EmailEvents`) apply to a given hunting scenario
You do not need to memorize every function signature, but you should be able to look at a query and predict its output - that's the pattern the exam rewards.
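To make those operators concrete, here is an added example (not code from the original guide) of one hunt that chains them together: a password-spray pattern in `IdentityLogonEvents`, followed by a successful logon from the same source, followed by outbound connections from the affected device in `DeviceNetworkEvents`. It assumes the Defender XDR advanced-hunting tables with their documented column names; the thresholds (10 accounts, 6 hours) are illustrative.

```kql
// Added example, not code from the original guide: one hunt that exercises the
// operators listed above. Assumes the Defender XDR advanced-hunting tables
// IdentityLogonEvents and DeviceNetworkEvents with their documented columns.
let lookback = 7d;
let window = 1h;
// Step 1 (where + summarize + bin): source IPs that failed logons against many
// distinct accounts inside a single one-hour bucket, the shape of a password spray.
let spraySources =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | summarize FailedAccounts = dcount(AccountUpn), Attempts = count()
        by IPAddress, WindowStart = bin(Timestamp, window)
    | where FailedAccounts >= 10;
// Step 2 (join + project): a successful logon from one of those IPs within
// six hours of the spray window is the lead worth pursuing.
let suspiciousLogons =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | join kind=inner spraySources on IPAddress
    | where Timestamp between (WindowStart .. (WindowStart + 6h))
    | project AccountUpn, IPAddress, DeviceName, LogonTime = Timestamp,
              FailedAccounts, Attempts;
// Step 3 (cross-table join + extend + extract): outbound connections from the
// same device in the hour after the logon, with the host name pulled out of
// RemoteUrl so results can be grouped by destination.
suspiciousLogons
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and isnotempty(RemoteUrl)
    | project DeviceName, ConnTime = Timestamp, RemoteUrl, RemoteIP,
              RemotePort, InitiatingProcessFileName
  ) on DeviceName
| where ConnTime between (LogonTime .. (LogonTime + window))
| extend RemoteHost = extract(@"^(?:[a-z]+://)?([^/:]+)", 1, RemoteUrl)
| summarize Connections = count(),
            Hosts = make_set(RemoteHost, 20),
            Processes = make_set(InitiatingProcessFileName, 10)
    by AccountUpn, IPAddress, DeviceName, LogonTime, FailedAccounts
| order by FailedAccounts desc, Connections desc
```

Reading it the way the exam expects: cover the final `summarize` and ask what one output row represents (one compromised-looking account, the source IP, and what its device reached afterwards), then check whether the answer matches the `by` clause.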
Key Takeaway
Practice reading unfamiliar KQL queries out loud and explaining what each clause does. The exam tests comprehension more than blind recall of syntax.
Proactive Hunting Workflows in Microsoft Sentinel
Microsoft Sentinel's hunting blade is the operational home for this domain. Candidates are expected to know how to:
- Use built-in hunting queries organized by MITRE ATT&CK tactic and run them against connected data sources
- Create custom hunting queries and save them for reuse across the SOC
- Convert a successful hunting query into a scheduled analytics rule so future occurrences generate incidents automatically
- Track hunts using bookmarks to capture evidence and link it to an investigation
- Use entity pages to pivot from a user, host, or IP address into related hunting queries
This overlaps conceptually with Domain 1's SOC configuration work and Domain 2's incident response work, which is exactly why Microsoft groups them as related-but-distinct domains. If you're unclear on how Domain 1 responsibilities differ from Domain 3, the dedicated breakdown in SC-200 Domain 1: Manage a security operations environment (40-45%) - Complete Study Guide 2026 is worth reading alongside this one, and the incident-response counterpart is covered in SC-200 Domain 2: Respond to security incidents (35-40%) - Complete Study Guide 2026.
Threat Intelligence and IOC Management
Threat hunting doesn't happen in a vacuum - it's driven by threat intelligence. Domain 3 expects familiarity with:
- Importing and managing threat indicators (IPs, hashes, domains, URLs) inside Microsoft Sentinel's threat intelligence workspace
- Using TI matching analytics rules to correlate ingested indicators against log data automatically
- Understanding how threat intelligence feeds (including STIX/TAXII sources) integrate with Sentinel
- Applying threat intelligence context to prioritize which hunting leads to pursue first
- Recognizing how Microsoft Defender Threat Intelligence and Microsoft Security Copilot surface enrichment data during a hunt
Because Microsoft explicitly calls out AI agents and Copilot experiences as expected knowledge for SC-200 candidates, don't be surprised if a question asks how Security Copilot accelerates a hunting workflow rather than replacing analyst judgment entirely.
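The correlation a TI matching analytics rule performs can be written out by hand, which is the quickest way to understand what the built-in rule templates do. The query below is an added example (not code from the original guide or from Microsoft's rule templates); it assumes the classic Sentinel `ThreatIntelligenceIndicator` table for imported indicators and `DeviceNetworkEvents` ingested through the Defender XDR connector.

```kql
// Added example, not code from the original guide: the correlation a TI
// matching rule performs, written by hand so the logic is visible. Assumes the
// classic Sentinel ThreatIntelligenceIndicator table and DeviceNetworkEvents
// ingested through the Defender XDR connector.
let indicatorLookback = 14d;
let eventLookback = 1d;
// Keep only indicators that are active and unexpired, and the newest record per
// IP so a feed that re-imports the same indicator does not double-count hits.
let activeIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(indicatorLookback)
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = iff(isnotempty(NetworkDestinationIP),
                               NetworkDestinationIP, NetworkIP)
    | where isnotempty(IndicatorIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorIP;
DeviceNetworkEvents
| where Timestamp > ago(eventLookback)
| where ActionType == "ConnectionSuccess"
// Public IPv4 destinations only: private ranges cannot match a public IOC, and
// IPv6 addresses are dropped here because ipv4_is_private() returns null for them.
| where ipv4_is_private(RemoteIP) == false
| join kind=inner activeIpIndicators on $left.RemoteIP == $right.IndicatorIP
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Devices = make_set(DeviceName, 10),
            Processes = make_set(InitiatingProcessFileName, 10)
    by RemoteIP, ThreatType, ConfidenceScore, Description, SourceSystem
| order by ConfidenceScore desc, Connections desc
```

The `Active`/`ExpirationDateTime` filter is the part candidates most often forget: an indicator that has expired should not raise an incident, and that is exactly the kind of missing clause an exam item asks you to spot.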
Automating Hunts with Notebooks and Livestream
Beyond ad hoc queries, Domain 3 tests knowledge of repeatable, automatable hunting techniques:
Sentinel Notebooks and Livestream
Candidates should understand when to escalate from a single query to a structured, repeatable hunting workflow.
- Jupyter notebooks integrated with Sentinel for multi-step, code-driven hunting investigations
- Livestream sessions used to test a hunting query in near real time before formalizing it as a rule
- Saving and sharing hunting queries across a SOC team for consistency
- Converting validated hunt logic into detection rules to close the loop from hunting to automated alerting
This "hunt now, automate later" lifecycle is a recurring theme: a good hunter doesn't just find one instance of malicious activity; they operationalize the detection so the SOC catches it automatically next time.
How Domain 3 Questions Are Actually Written
Microsoft does not publish exact formats in advance, but the exam sandbox for SC-200 explicitly includes active screen, build list, case study, drag-and-drop, hot area, and multiple choice items, plus possible labs. For threat hunting specifically, expect:
- Case studies describing a hunt scenario with several related questions requiring you to reference earlier details
- Drag-and-drop or build list items asking you to sequence hunting steps or assemble a KQL query from fragments
- Hot area questions where you select the correct portion of a query or log output that reveals malicious activity
- Multiple choice questions testing whether you know which data source or Sentinel feature applies to a described hunting need
Because Microsoft Learn access is available during the exam within the Learn domain (with the timer still running), you can look up unfamiliar syntax - but relying on that heavily during a 100-minute exam is a losing strategy. Build genuine KQL fluency instead of planning to look everything up live. For a broader sense of how tough this exam feels overall, see How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026.
Key Takeaway
Time-box practice questions to under two minutes each so you build the pacing needed to finish all 40-60 questions within 100 minutes, including case studies.
Scheduling Domain 3 Inside Your Study Plan
Given its 20-25% weighting, Domain 3 deserves a focused but not disproportionate slice of your prep calendar. A reasonable approach places the domains in study order matching their real-world dependency: SOC configuration first, incident response second, then hunting - since hunting builds on knowledge of both the environment and the incident lifecycle.
Foundations from Domain 1
- Configure Sentinel workspaces, data connectors, and Defender XDR settings
- Get comfortable navigating the Sentinel and Defender portals
Domain 2 Incident Response
- Practice triage, correlation, and remediation workflows
- Review automation via playbooks and Logic Apps
Domain 3 Threat Hunting Deep Dive
- Drill KQL query comprehension daily
- Run built-in hunting queries against a lab or trial tenant
- Practice converting hunting queries into analytics rules
Integration and Practice Exams
- Mix all three domains in full-length practice tests
- Review missed KQL and hunting scenario questions closely
If you want a more complete week-by-week framework covering all three domains together, the flagship SC-200 Study Guide 2026: How to Pass on Your First Attempt lays out the full timeline, and running timed sets on our SC-200 practice test platform is the fastest way to see whether your KQL comprehension holds up under exam conditions.
Domain 3 vs. the Other Two Domains
| Domain | Weight | Primary Focus | Key Tools |
|---|---|---|---|
| Domain 1: Manage a security operations environment | 40-45% | Configuring SOC, connectors, roles, automation | Sentinel, Defender XDR, Entra ID, Purview |
| Domain 2: Respond to security incidents | 35-40% | Triage, investigate, remediate active incidents | Defender XDR, Sentinel incidents, playbooks |
| Domain 3: Perform threat hunting | 20-25% | Proactive queries, TI correlation, hunt automation | KQL, Sentinel hunting blade, notebooks, TI feeds |
Notice how KQL threads through all three domains, but it's Domain 3 where query-writing and interpretation skills are tested most directly and repeatedly.
Who Hires for These Threat Hunting Skills
SC-200 credential holders with strong threat hunting skills are typically targeted for SOC analyst tier 2/3 roles, threat hunter positions, and detection engineering roles inside managed security service providers (MSSPs) and enterprise security teams. Employers value candidates who can move beyond reactive alert triage into proactive detection engineering - exactly what Domain 3 is designed to validate.
To understand how this maps to job titles and postings, browse SC-200 Jobs. If you're weighing whether the investment in exam fees, study time, and lab access pays off, the Is the SC-200 Certification Worth It? Complete ROI Analysis 2026 and SC-200 Salary Guide 2026: Complete Earnings Analysis articles give more context, and SC-200 Certification Cost 2026: Complete Pricing Breakdown walks through the $165 USD (plus applicable taxes) Associate-level exam fee and what it does and doesn't include.
Frequently Asked Questions
Microsoft does not publish an exact per-domain question count. Domain 3 is weighted at 20-25% of the overall exam, which typically contains 40-60 questions total, so expect roughly a fifth to a quarter of the exam to touch hunting concepts.
Most Domain 3 questions test your ability to read, complete, or interpret KQL queries through formats like drag-and-drop, build list, or hot area rather than requiring you to write a full query unaided, though solid working knowledge of syntax is essential.
Difficulty is subjective, but many candidates find Domain 3 challenging because it demands genuine KQL fluency rather than menu navigation. See How Hard Is the SC-200 Exam? Complete Difficulty Guide 2026 for a full difficulty breakdown across all domains.
Yes, Microsoft Learn access is available during associate and expert-level exams within the Learn domain, but the exam timer continues to run, so heavy reliance on lookups during a 100-minute exam will cost you valuable time.
Beyond a Sentinel trial or lab tenant for hands-on KQL practice, running scenario-based questions on our SC-200 practice test platform helps you get comfortable with how Domain 3 concepts are framed as exam questions.