FPL supports arguments, which allow saved FPL reports to be customized at run time. This functionality is useful for investigations. For instance, the results from a Behavior Summary/Alert can be supplied to the FPL report for deeper analysis and reporting.


Arguments are declared with the argument command.

By convention, argument names should start with two (2) underscores, e.g. __argumentname.


function loginByApp()
  let {username="userPrincipalName", clientApp="appDisplayName", city=""} = f("@azureSignIn")
  aggregate count=count(), cities=values(city) by clientApp

function loginByLocation()
  let {IP="ipAddress"} = f("@azureSignIn")
  let {city, country="countryOrRegion", state, latitude="geoCoordinates.latitude", longitude="geoCoordinates.longitude"} = f("@azureSignIn.location")
  aggregate count=count(), city=max(city), country=max(country), state=max(state), latitude=max(latitude), longitude=max(longitude) by IP

argument __username ""
argument __from "-48h@h"
argument __to "@h"

env from=__from, to=__to, query=sContent("@event_type", "@azureSignIn") and sContent("@azureSignIn.userPrincipalName",__username) and sContent("@azureSignIn.status.errorCode", "0")

stream clientApps=loginByApp()
stream locations=loginByLocation()

Note: When building the FPL in the editor, a “default” value needs to be supplied for all arguments before the task will run. The supplied default value can be changed or removed from the Report scheduling page after the initial run, and when the report is saved.

All three arguments in the above example (__username, __from and __to) have “default” values supplied.

