Parser for CISCO ISE in Sentinel consuming too much resources

[tsanjev]

When Running the CiscoISEEvent
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ISE/Parsers/CiscoISEEvent.yaml

Returns the following
Your query is consuming too much resources due to heavy use of 'sort' operator.

• Use the portal to sort the results or try to use 'sort' as the final operator of the query.
• Apply early filtering to reduce the number of values.
• Consider using sampling.

Time Range = sentinel defaults ; 24h & max 1k results