V1 - Examples - New Users
To list new users or each user's latest login, extract all the behaviors related to "User" or "log" from the system log or from the resource of a specific software. What you need from these behaviors is the username/ID and the corresponding time of registration/login. The main logic is to rearrange the records in descending order of time.
search sContent("@behaviors","O365_AzureAD_UserLoggedIn")
let {username="ObjectId"}=f("@fields"),
_timestamp=f("@timestamp")
aggregate timestamp=max(_timestamp), count() by username
let createdOn=strftime("%a, %d %b %Y %T %z",timestamp)
sort createdOn
table username, createdOn
Related FPL commands: search, sContent, let, f, aggregate, strftime, table
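The same logic in Python, as an added example that is not part of the original page or of the product's own code: it keeps the latest login and a login count per user, and orders the rows on the numeric timestamp before formatting, because the "%a, %d %b ..." string starts with the weekday name and does not order chronologically when compared as text. The event layout ("@behaviors" as a list of tags, "@timestamp" as epoch milliseconds) and all sample values are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

LOGIN = "O365_AzureAD_UserLoggedIn"

# Constructed sample events (not real data). Assumed layout: "@behaviors" is a
# list of tags, "@timestamp" is epoch milliseconds, "@fields" holds ObjectId.
SAMPLE_EVENTS = [
    {"@behaviors": [LOGIN], "@fields": {"ObjectId": "alice@example.com"}, "@timestamp": 1699900000000},
    {"@behaviors": [LOGIN], "@fields": {"ObjectId": "alice@example.com"}, "@timestamp": 1700000000000},
    {"@behaviors": [LOGIN], "@fields": {"ObjectId": "bob@example.com"}, "@timestamp": 1700086400000},
    {"@behaviors": [LOGIN], "@fields": {"ObjectId": "carol@example.com"}, "@timestamp": 1700259200000},
    {"@behaviors": ["O365_FileAccessed"], "@fields": {"ObjectId": "dave@example.com"}, "@timestamp": 1700300000000},
    {"@behaviors": [LOGIN], "@fields": {}, "@timestamp": 1700400000000},  # no ObjectId: skipped
]


def format_ts(ms):
    """Render epoch milliseconds like strftime("%a, %d %b %Y %T %z") in UTC."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.strftime("%a, %d %b %Y %H:%M:%S %z")


def latest_logins(events):
    """Return (username, createdOn, count) rows, most recent login first."""
    latest = {}
    counts = defaultdict(int)
    for ev in events:
        # Equivalent of the search filter: keep login behaviors only.
        if LOGIN not in ev.get("@behaviors", []):
            continue
        user = ev.get("@fields", {}).get("ObjectId")
        ts = ev.get("@timestamp")
        if not user or ts is None:
            continue  # incomplete record: cannot attribute the login
        counts[user] += 1
        latest[user] = max(latest.get(user, ts), ts)
    # Sort on the raw timestamp, then format; descending order of time.
    rows = sorted(latest.items(), key=lambda kv: kv[1], reverse=True)
    return [(user, format_ts(ts), counts[user]) for user, ts in rows]


if __name__ == "__main__":
    for username, created_on, count in latest_logins(SAMPLE_EVENTS):
        print(f"{username:20} {created_on}  logins={count}")
```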