# PantherFlow Examples: Panther Audit Logs

Query the `panther_logs.public.panther_audit` table:

```kusto
panther_logs.public.panther_audit
```

Return up to 10 results:

```kusto
panther_logs.public.panther_audit
| limit 10
```

Sort by `p_event_time`:

```kusto
panther_logs.public.panther_audit
| sort p_event_time desc
| limit 10
```

Filter on the last 24 hours:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.now() - 1d
| sort p_event_time desc
| limit 10
```

Filter on timestamp:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| sort p_event_time desc
| limit 10
```

Filter on a nested field (using dot notation)

```kusto
panther_logs.public.panther_audit
| where actor.name == "first.last@example.com"
```

Filter on a nested field (using bracket notation)

```kusto
panther_logs.public.panther_audit
| where actor['name'] == "first.last@example.com"
```

Check that a deeply nested value within an array exists (i.e., is not null)

```kusto
panther_logs.public.panther_audit
| where actionParams.dynamic.input.tableProperties[0].propertyId != null
```

Count events:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z')
| summarize row_count=agg.count()
```

Count number of actions:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
```

Only show rare actions:

```kusto
panther_logs.public.panther_audit
| where p_event_time > time.parse_timestamp('2023-09-01 00:00:00Z') and actionResult == "SUCCEEDED"
| summarize num_events=agg.count() by actionName
| where num_events < 5
| sort num_events asc
```

Show new IPs used by a user in the last 7 days vs. those they used in the last 60 days:

```kusto
let new_logins = panther_logs.public.panther_audit
| where p_event_time > time.ago(7d) and p_udm.user.email != null
| summarize recent_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email;

panther_logs.public.panther_audit
| where p_event_time > time.ago(60d) and p_event_time < time.ago(7d) and p_udm.user.email != null
| summarize baseline_ips=agg.make_set(p_udm.source.ip) by email=p_udm.user.email
| join kind=inner new=(new_logins) on $left.email == $right.email
| where new.recent_ips[0] not in baseline_ips
```