As noted inpart/chapter 18, this mini-series on merging data contains two different principles. Reiterated from the last part/chapter…
Union allows you to take the data from two or more tables and display the results (all rows from all tables) together. Join, on the other hand, is intended to produce more specific results by joining rows of just two tables through matching the values of columns you specify.
There’s quite a bit more to theJoin operator(and Join, in general) than I’ll cover in this part/chapter. I want to make sure to keep this focused on those things necessary to help build your first Microsoft Sentinel Analytics Rule in the final part/chapter of this series.
Join, merges the rows of two tables (left table and right table) to form a new pseudo-table by matching values of the specified column(s) from each table. Just like any other query language’s Join, the KQL Join operator supports the following Join methods along with some additional nuanced options –with inner Join being the default.