From e07329023ddcc1516c3384201242e020a330a091 Mon Sep 17 00:00:00 2001 From: Liza Mash Date: Sun, 25 Mar 2018 07:49:31 +0000 Subject: [PATCH] Updated advanced-hunting-reference-windows-defender-advanced-threat-protection.md --- ...reference-windows-defender-advanced-threat-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 1f90bb1c05..25e298ac4d 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -28,11 +28,11 @@ ms.date: 04/16/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) ## Advanced hunting query best practices -The following best practices serve as a guideline for you to maximize the advanced hunting capability. +The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. - Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). - Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Prefer 'has' keyword over 'contains' when looking for full tokens. -- Prefer looking in specific column rather than using full text search across all columns. +- Use 'has' keyword over 'contains' when looking for full tokens. +- Use looking in specific column rather than using full text search across all columns. - When joining between two tables - choose the table with less rows to be the first one (left-most). - When joining between two tables - project only needed columns from both sides of the join.