The KQL example below uses the extend operator to create a new column, StartDir, containing the directory a process was started in. StartDir is a calculated column that holds the result of a substring function.

    SecurityEvent
    | where ProcessName != "" and Process != ""
    | extend StartDir ...
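A self-contained illustration of the same extend pattern, added here and not part of the original page: the rows are constructed sample data, the strlen-based substring is one assumed way to derive StartDir, and the UserWritable column with its path list is a hypothetical addition for triage.

```kusto
// Constructed sample rows standing in for SecurityEvent process-creation records.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, ProcessName:string, Process:string)
[
    datetime(2024-01-15 09:00:00), "WS-01", @"C:\Windows\System32\cmd.exe", "cmd.exe",
    datetime(2024-01-15 09:02:10), "WS-01", @"C:\Users\alice\AppData\Local\Temp\setup.exe", "setup.exe",
    datetime(2024-01-15 09:05:42), "WS-02", @"C:\Program Files\App\app.exe", "app.exe",
    datetime(2024-01-15 09:07:03), "WS-02", @"C:\Users\bob\Downloads\tool.exe", "tool.exe",
    datetime(2024-01-15 09:09:30), "WS-02", "", ""
];
SampleEvents
// Drop rows with no process information, as in the query above.
| where ProcessName != "" and Process != ""
// Assumed calculation: strip the file name from the full path,
// but only when the path really ends with that file name.
| extend StartDir = iff(ProcessName endswith Process,
                        substring(ProcessName, 0, strlen(ProcessName) - strlen(Process)),
                        ProcessName)
// A second calculated column can build on the first (hypothetical path list).
| extend UserWritable = StartDir matches regex @"(?i)\\(temp|downloads|appdata)\\"
// Group by the calculated columns so unusual start directories stand out.
| summarize Starts = count(), Processes = make_set(Process) by Computer, StartDir, UserWritable
| order by UserWritable desc, Starts desc
```

Replacing SampleEvents with SecurityEvent runs the same logic against a workspace, provided the table carries the ProcessName and Process columns used above.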