let

    // Storage Account containing the blobs
    Source = AzureStorage.Blobs("mystorageaccount"),
    
    // Select the container containing azuread user risk events 
    Container = Source{[Name="insights-logs-userriskevents"]}[Data],
    
    // Get only blobs for a specific day (parameter ReportDate must be defined)
    // The tenantId below is a random example -- use your own tenantId, or add a parameter
    FilteredRows = Table.SelectRows(Container, each Text.StartsWith([Name], "tenantId=63cc8934-5723-42fe-ab52-0bc17d946172/y=" & DateTime.ToText(ReportDate, [Format="yyyy"]) & "/m=" & DateTime.ToText(ReportDate, [Format="MM"]) & "/d=" & DateTime.ToText(ReportDate, [Format="dd"]) & "/")),
    
    // Call the ParseJsonBlob function
    ExpandedTable = ParseJsonBlob(FilteredRows[Content]),
    
    // Expand the "properties" nested record
    ExpandedProperties = Table.ExpandRecordColumn(ExpandedTable, "properties", {"id", "requestId", "correlationId", "riskType", "riskEventType", "riskState", "riskLevel", "riskDetail", "source", "detectionTimingType", "activity", "ipAddress", "location", "activityDateTime", "detectedDateTime", "lastUpdatedDateTime", "userId", "userDisplayName", "userPrincipalName", "additionalInfo", "tokenIssuerType", "resourceTenantId", "homeTenantId", "userType", "crossTenantAccessType"}, {"properties.id", "properties.requestId", "properties.correlationId", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskLevel", "properties.riskDetail", "properties.source", "properties.detectionTimingType", "properties.activity", "properties.ipAddress", "properties.location", "properties.activityDateTime", "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.userId", "properties.userDisplayName", "properties.userPrincipalName", "properties.additionalInfo", "properties.tokenIssuerType", "properties.resourceTenantId", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType"})
    
in
    ExpandedProperties