Best Practices for Performance When Writing a Watchlist Query

Article ID: 291112

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What are the Best Practices for Performance When Writing a Watchlist Query?

Environment

  • EDR Server: All Versions
  • Hosted EDR Server: All Versions

Resolution

  • Watchlists should always contain search terms. For example: process_name:, md5:, filemod:, ipaddr:, etc.
  • When typing out search terms, use : rather than = between the field and its value.
  • Search values that contain spaces should be double quoted. For example:
    path:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  • Copying and pasting from other sources can introduce hidden line-break characters.
  • When copying and pasting from sources that contain double quotes, make sure the quotes are straight rather than curly, as curly quotes are treated differently:
    " vs “
  • Try not to be too broad with searches. For example, avoid searching for modloads that are loaded normally by a large number of executables but are not necessary for a match in the query.
  • Environments with multiple operating systems can add os_type: to the end of the query, for example os_type:"windows". This lets Solr search only the documents for that OS, reducing the time needed to return results.
  • Avoid leading wildcards unless necessary. Searches on filemod and modload do not need a wildcard: the search 'filemod:.dll' returns the same results as 'filemod:*.dll' and is faster.
  • ORs are more expensive. Use them only where necessary.
  • Negations are more expensive. Use them only where necessary.
  • Queries run right to left. If you have an idea of which term is rarest, put it at the end of the search to reduce the number of documents Solr needs to search.
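The following script is an added example, not part of this article and not Carbon Black EDR code. It applies the checks above to a watchlist query before it is saved: it flags hidden line breaks, curly quotes, '=' used in place of ':', values with spaces that were not double quoted, leading wildcards, and the number of OR clauses and negations, and it returns a normalized copy of the query. The KNOWN_FIELDS set is an assumption (the prefixes named in this article plus a few other common EDR search fields); it is deliberately partial, so an unrecognized prefix is reported as a possible typo rather than an error. The sample queries in the test are constructed.

```python
import re
from typing import List

# Field prefixes named in the article plus a few other EDR process-search fields.
# Assumption: this set is partial, so an unknown prefix is only a "possible typo" note.
KNOWN_FIELDS = {
    "process_name", "md5", "filemod", "ipaddr", "modload", "path", "os_type",
    "cmdline", "regmod", "domain", "username", "hostname", "parent_name",
}
# Curly quotes that often arrive via copy/paste, mapped to their straight form.
CURLY_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# Line-break characters that can hide inside a pasted query.
HIDDEN_BREAKS = ("\r", "\n", "\u2028", "\u2029")
OPERATORS = {"AND", "OR", "NOT"}
# A token is either something wrapping one double-quoted string or a run of non-blanks.
TOKEN_RE = re.compile(r'[^\s"]*"[^"]*"[^\s"]*|[^\s"]+')
# field:value, optionally negated with a leading '-'.
TERM_RE = re.compile(r"^(-?)([A-Za-z_]\w*):(.*)$", re.DOTALL)
# field=value, the mistake the article warns about.
EQUALS_RE = re.compile(r"^-?[A-Za-z_]\w*=")


def normalize_query(query: str) -> str:
    """Straighten curly quotes, turn hidden line breaks into spaces and
    collapse whitespace runs; the result is what should be pasted into EDR."""
    for curly, straight in CURLY_QUOTES.items():
        query = query.replace(curly, straight)
    for ch in HIDDEN_BREAKS:
        query = query.replace(ch, " ")
    return re.sub(r"\s+", " ", query).strip()


def lint_query(query: str) -> List[str]:
    """Return human-readable findings; an empty list means the query passes
    every check this linter implements."""
    findings = []
    if any(ch in query for ch in HIDDEN_BREAKS):
        findings.append("hidden line-break characters present (remove before saving)")
    if any(ch in query for ch in CURLY_QUOTES):
        findings.append('curly quotes present; use straight " quotes')

    cleaned = normalize_query(query)
    if cleaned.count('"') % 2:
        findings.append("unbalanced double quotes")

    field_terms, or_count, negations = 0, 0, 0
    for token in TOKEN_RE.findall(cleaned):
        bare = token.strip("()")          # grouping parentheses are not part of the term
        if not bare:
            continue
        if bare in OPERATORS:
            if bare == "OR":
                or_count += 1
            elif bare == "NOT":
                negations += 1
            continue
        if EQUALS_RE.match(bare):
            findings.append(f"'{bare}' uses '='; write field:value instead")
            continue
        term = TERM_RE.match(bare)
        if term is None:
            findings.append(
                f"'{bare}' has no field prefix (missing field, or a value with "
                "spaces that was not double-quoted)")
            continue
        negated, field, value = term.groups()
        field_terms += 1
        if negated == "-":
            negations += 1
        if field not in KNOWN_FIELDS:
            findings.append(f"unknown field prefix '{field}' (typo?)")
        if value.lstrip('"').startswith(("*", "?")):
            findings.append(
                f"leading wildcard in '{bare}'; usually unnecessary "
                "(e.g. filemod:.dll instead of filemod:*.dll)")

    if field_terms == 0:
        findings.append("no field search term such as process_name: or md5:")
    if or_count or negations:
        findings.append(
            f"{or_count} OR clause(s) and {negations} negation(s); both are costly, "
            "keep only the ones the detection needs")
    return findings


if __name__ == "__main__":
    # Constructed sample: a pasted query with a curly quote and a hidden CRLF.
    sample = 'path:\u201cC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u201d\r\nOR filmod:*.dll'
    for finding in lint_query(sample):
        print("-", finding)
    print("normalized:", normalize_query(sample))
```

Run the linter over a candidate query before pasting it into the watchlist editor; the ordering hint (rarest term last) is not checked because it depends on the data in your own environment.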