# PantherFlow Examples: Panther Audit Logs

Query the `panther_logs.public.panther_audit` table:

```kusto
panther_logs.public.panther_audit
```

Return up to 10 results:

```kusto
panther_logs.public.panther_audit
| limit 10
```

Sort by `p_event_time`:

```kusto
panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10
```

Filter on the last 24 hours:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10
```

Filter on timestamp:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10
```

Filter on a nested field (using dot notation):

```kusto
panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"
```

Filter on a nested field (using bracket notation):

```kusto
panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"
```

Check that a deeply nested value within an array exists (i.e., is not null):

```kusto
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
```

Count events:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
```

Count number of actions:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
```

Only show rare actions:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
```
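The count, threshold and sort patterns above can be combined into a simple triage query. The following is an added example, not a query from the Panther documentation or product: it surfaces actors with many non-successful audit actions in the last day, which is a common starting point for spotting brute-forcing or a misconfigured integration hammering the API. It assumes that `summarize ... by` accepts several comma-separated keys (as in KQL), that any `actionResult` value other than `"SUCCEEDED"` denotes a failed or denied action, and uses `10` as an arbitrary placeholder threshold.

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.ago(1d) and actionResult != "SUCCEEDED"
| summarize num_failures=agg.count() by actor_name=actor.name, actionName
| where num_failures >= 10
| sort num_failures desc
| limit 20
```

Tune the threshold against a baseline run over a quiet period first; grouping by both `actor.name` and `actionName` keeps a single noisy automation from hiding a distinct, lower-volume pattern for another actor.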

Show users whose recent source IP (last 7 days) does not appear among the IPs they used between 60 and 7 days ago (the final `where` checks only the first IP in `recent_ips`):

```kusto
let new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;

panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips
```
