In Kusto (the underlying database engine used for Sentinel): for the cases when the full word is looked up, it is better (perf-wise) to use 'has' instead of 'contains'.
"When using string operators:
Prefer has operator over contains when looking for full tokens. has is more performant as it doesn't have to look-up for substrings."
See Kusto best query practices: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices
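An added illustration (not part of the original comment) of why the swap is only safe when the search term is a whole token: `has` matches on term boundaries, so it does not match a term that is only part of a larger word, while `contains` scans substrings. The rows are constructed sample data.

```kql
// Constructed sample rows (hypothetical, not taken from any real log).
let Sample = datatable(CommandLine:string)
[
    "powershell.exe -enc AAAA",          // 'shell' is only part of the token 'powershell'
    @"C:\tools\shell.exe --run",          // 'shell' is a whole token
    "cmd.exe /c echo shell"               // 'shell' is a whole token
];
// Run both operators over the same rows so the difference is visible side by side.
// 'contains' does a substring scan and returns all three rows.
// 'has' uses the term index and returns only the two rows where 'shell'
// is a complete token, so 'powershell.exe' is not matched.
union
    (Sample | where CommandLine contains "shell" | extend Operator = "contains"),
    (Sample | where CommandLine has "shell"      | extend Operator = "has")
| project Operator, CommandLine
| order by Operator asc
```

If a rule relies on the substring behaviour (matching 'powershell' via 'shell'), replacing `contains` with `has` changes the results, not just the performance.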