New Blog Post | Must Learn KQL Part 14: The Project Operator

Microsoft


Must Learn KQL Part 14: The Project Operator – Azure Cloud & AI Domain Blog (azurecloudai.blog)

As noted in part/chapter 13 of this series, the next few parts/chapters (parts 13-16) are all about manipulating the results of KQL queries. As shown in part/chapter 13, the Extend operator lets us create (and even fabricate) special data to show in the results. On its own, that's hugely valuable. But, as also noted throughout this series, the results of the query are the most important part of the process, because the types, formats, and ways the data is displayed determine how well we can focus on the actual security questions. And when it comes to identifying threats quickly, efficiency is key.

While part/chapter 13 provided a way to build custom views of the data, that custom data was still displayed alongside all the other columns. Now we get to do something with the data. We get to choose exactly what is displayed, to give our security teams the chance to catch things quickly. We can choose to display our custom data and then handpick everything else.

This is where the Project operator comes into play. Using the Project operator, I can tell the query engine the exact data columns to show. In this case, by the way, Project is pronounced as in projector.
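As an added illustration (this query is not from the blog post itself), here is how Extend from part 13 and Project from this part fit together in one pipeline. It assumes the Microsoft Sentinel `SigninLogs` table and its standard columns (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`); the one-day window and the threshold of 10 failures are arbitrary choices for the example, and the renamed output columns (`When`, `Account`, `SourceIp`) are names chosen here.

```kql
// Added example, not code from the original post.
// SigninLogs is the Sentinel table fed by Azure AD sign-in diagnostics;
// the lookback window and failure threshold below are illustrative values.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"                      // ResultType is a string; "0" means success
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
        by UserPrincipalName, IPAddress
| where Failures >= 10
| extend Span = LastSeen - FirstSeen           // part 13: fabricate a column the table never had
| project When = LastSeen,                     // part 14: keep exactly these columns, in this order,
          Account = UserPrincipalName,         //          renaming as we go
          SourceIp = IPAddress,
          Failures,
          Span
| order by Failures desc
```

Two things worth noticing: Project fixes the column order of the result, and anything not listed is dropped for the rest of the pipeline, so an operator placed after it (the `order by` here) can only refer to the columns Project kept. Project can also rename a column (`Account = UserPrincipalName`) or compute a new one inline, which is handy when the raw column names would confuse an analyst reading the output.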
