# PantherFlow examples: Panther audit logs

Query the `panther_logs.public.panther_audit` table:

```kusto
panther_logs.public.panther_audit
```

Return at most 10 results:

```kusto
panther_logs.public.panther_audit
| limit 10
```

Sort by `p_event_time`:

```kusto
panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10
```

Filter to the last 24 hours:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10
```

Filter by an absolute timestamp:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10
```

Filter by a nested field (dot notation):

```kusto
panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"
```

Filter by a nested field (bracket notation):

```kusto
panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"
```

Check that a deeply nested value inside an array exists (i.e. is not null):

```kusto
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
```

Count events:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
```

Count successful events per action:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
```

Show only rare actions (fewer than 5 successful events since the start date):

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
```
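The same filter, summarize, threshold, sort pattern also works as a quick abuse check against the Panther console itself: actors accumulating many failed audit actions in the last day. This is an added example, not a query from the Panther documentation. It assumes only the fields already used on this page (`p_event_time`, `actionResult`, `actionName`, `actor.name`) and that failed actions are recorded with an `actionResult` other than `"SUCCEEDED"`; the threshold of 5 and the alias `actor_email` are arbitrary choices for illustration.

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.ago(1d) and actionResult != "SUCCEEDED"
| summarize num_failures=agg.count() by actor_email=actor.name, actionName
| where num_failures >= 5
| sort num_failures desc
| limit 20
```

Grouping by both `actor_email` and `actionName` separates one actor repeatedly failing a single action (for example a sensitive settings change) from an actor whose failures are spread across many unrelated actions; drop `actionName` from the `by` clause to get one row per actor instead.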

Show IPs a user logged in from in the last 7 days that do not appear among that user's IPs from the baseline window between 60 and 7 days ago. Note that the final `where` tests only the first element of `recent_ips` (`[0]`), so a user whose first recent IP is already in the baseline is not reported even if a later recent IP is new:

```kusto
let new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;

panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips
```
