[{"data":1,"prerenderedAt":2185},["ShallowReactive",2],{"recent-post":3,"trending-post":1420},[4,335,957],{"id":5,"title":6,"body":7,"description":319,"extension":320,"meta":321,"navigation":330,"ogImage":323,"path":331,"seo":332,"stem":333,"__hash__":334},"content/blogs/11. advanced-threat-hunting-xql.md","Advanced Threat Hunting with Cortex XQL",{"type":8,"value":9,"toc":305},"minimark",[10,15,29,36,42,47,50,85,92,95,99,129,136,139,143,146,175,179,182,186,215,223,229,253,257,291,295,298,301],[11,12,14],"h3",{"id":13},"taking-xql-further","Taking XQL Further",[16,17,18,19,23,24,28],"p",{},"In our previous guide, we covered the basics of ",[20,21,22],"strong",{},"Cortex XQL",". Now, it's time to dive into the advanced features that turn a simple search into a powerful threat-hunting tool. We'll focus on data transformation, advanced filtering, and the elusive ",[25,26,27],"code",{},"join"," operation.",[11,30,32,33],{"id":31},"_1-complex-data-transformation-with-alter","1. Complex Data Transformation with ",[25,34,35],{},"alter",[16,37,38,39,41],{},"Sometimes the data in your logs isn't in the format you need. The ",[25,40,35],{}," stage allows you to create new fields on the fly.",[43,44,46],"h4",{"id":45},"extracting-substrings","Extracting Substrings",[16,48,49],{},"If you have a file path and you only want the file name:",[51,52,57],"pre",{"className":53,"code":54,"language":55,"meta":56,"style":56},"language-xql shiki shiki-themes dracula","dataset = xdr_data\n| filter action_file_path != null\n| alter file_name = arraylast(split(action_file_path, \"\\\"))\n| fields file_name, action_file_path\n","xql","",[25,58,59,67,73,79],{"__ignoreMap":56},[60,61,64],"span",{"class":62,"line":63},"line",1,[60,65,66],{},"dataset = xdr_data\n",[60,68,70],{"class":62,"line":69},2,[60,71,72],{},"| filter action_file_path != null\n",[60,74,76],{"class":62,"line":75},3,[60,77,78],{},"| alter file_name = arraylast(split(action_file_path, \"\\\"))\n",[60,80,82],{"class":62,"line":81},4,[60,83,84],{},"| fields file_name, action_file_path\n",[11,86,88,89],{"id":87},"_2-advanced-aggregations-with-comp","2. Advanced Aggregations with ",[25,90,91],{},"comp",[16,93,94],{},"Aggregations are vital for identifying anomalies (e.g., a single user logging into 50 different machines).",[43,96,98],{"id":97},"detecting-horizontal-movement","Detecting Horizontal Movement",[51,100,102],{"className":53,"code":101,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"LOGIN\"\n| comp count(endpoint_name) as distinct_login_count by actor_effective_username\n| filter distinct_login_count > 10\n| sort desc distinct_login_count\n",[25,103,104,108,113,118,123],{"__ignoreMap":56},[60,105,106],{"class":62,"line":63},[60,107,66],{},[60,109,110],{"class":62,"line":69},[60,111,112],{},"| filter event_type = \"LOGIN\"\n",[60,114,115],{"class":62,"line":75},[60,116,117],{},"| comp count(endpoint_name) as distinct_login_count by actor_effective_username\n",[60,119,120],{"class":62,"line":81},[60,121,122],{},"| filter distinct_login_count > 10\n",[60,124,126],{"class":62,"line":125},5,[60,127,128],{},"| sort desc distinct_login_count\n",[11,130,132,133,135],{"id":131},"_3-mastering-the-join-operation","3. Mastering the ",[25,134,27],{}," Operation",[16,137,138],{},"Joins allow you to correlate data across different datasets. This is where XQL truly shines.",[43,140,142],{"id":141},"correlating-process-activity-with-network-traffic","Correlating Process Activity with Network Traffic",[16,144,145],{},"Suppose you find a suspicious process and want to see if it communicated externally:",[51,147,149],{"className":53,"code":148,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\"\n| join (dataset = pan_traffic_raw) as traffic on traffic.source_ip = xdr_data.endpoint_ip\n| filter traffic.destination_port == 443\n| fields xdr_data.endpoint_name, xdr_data.actor_process_command_line, traffic.destination_ip\n",[25,150,151,155,160,165,170],{"__ignoreMap":56},[60,152,153],{"class":62,"line":63},[60,154,66],{},[60,156,157],{"class":62,"line":69},[60,158,159],{},"| filter actor_process_image_name == \"powershell.exe\"\n",[60,161,162],{"class":62,"line":75},[60,163,164],{},"| join (dataset = pan_traffic_raw) as traffic on traffic.source_ip = xdr_data.endpoint_ip\n",[60,166,167],{"class":62,"line":81},[60,168,169],{},"| filter traffic.destination_port == 443\n",[60,171,172],{"class":62,"line":125},[60,173,174],{},"| fields xdr_data.endpoint_name, xdr_data.actor_process_command_line, traffic.destination_ip\n",[11,176,178],{"id":177},"_4-advanced-window-functions","4. Advanced Window Functions",[16,180,181],{},"Window functions allow you to perform calculations across a set of rows related to the current row.",[43,183,185],{"id":184},"calculating-time-deltas-between-events","Calculating Time Deltas between Events",[51,187,189],{"className":53,"code":188,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_effective_username = \"admin\"\n| sort asc _time\n| alter time_diff = _time - prev(_time)\n| filter time_diff \u003C 5000 // events occurring within 5 seconds of each other\n",[25,190,191,195,200,205,210],{"__ignoreMap":56},[60,192,193],{"class":62,"line":63},[60,194,66],{},[60,196,197],{"class":62,"line":69},[60,198,199],{},"| filter actor_effective_username = \"admin\"\n",[60,201,202],{"class":62,"line":75},[60,203,204],{},"| sort asc _time\n",[60,206,207],{"class":62,"line":81},[60,208,209],{},"| alter time_diff = _time - prev(_time)\n",[60,211,212],{"class":62,"line":125},[60,213,214],{},"| filter time_diff \u003C 5000 // events occurring within 5 seconds of each other\n",[11,216,218,219,222],{"id":217},"_5-using-bin-for-time-series-analysis","5. Using ",[25,220,221],{},"bin"," for Time-Series Analysis",[16,224,225,226,228],{},"If you want to visualize data over time, use ",[25,227,221],{}," to group timestamps.",[51,230,232],{"className":53,"code":231,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"FILE\"\n| alter time_bucket = bin(_time, 1h)\n| comp count(event_id) as file_ops_per_hour by time_bucket\n",[25,233,234,238,243,248],{"__ignoreMap":56},[60,235,236],{"class":62,"line":63},[60,237,66],{},[60,239,240],{"class":62,"line":69},[60,241,242],{},"| filter event_type = \"FILE\"\n",[60,244,245],{"class":62,"line":75},[60,246,247],{},"| alter time_bucket = bin(_time, 1h)\n",[60,249,250],{"class":62,"line":81},[60,251,252],{},"| comp count(event_id) as file_ops_per_hour by time_bucket\n",[11,254,256],{"id":255},"best-practices-for-performance","Best Practices for Performance",[258,259,260,275,285],"ol",{},[261,262,263,266,267,270,271,274],"li",{},[20,264,265],{},"Filter Early",": Use ",[25,268,269],{},"filter"," as close to the ",[25,272,273],{},"dataset"," line as possible to reduce the amount of data processed.",[261,276,277,280,281,284],{},[20,278,279],{},"Be Specific",": Avoid ",[25,282,283],{},"dataset = *"," if you know exactly which log source you need.",[261,286,287,290],{},[20,288,289],{},"Limit Fields",": Only use the fields you actually need to see in the final output.",[11,292,294],{"id":293},"conclusion","Conclusion",[16,296,297],{},"Advanced XQL is about more than just finding data—it's about manipulating and correlating it to tell a complete story of what happened in your environment. These advanced techniques are what separate a standard security analyst from an elite threat hunter.",[16,299,300],{},"Happy Hunting!",[302,303,304],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":56,"searchDepth":69,"depth":69,"links":306},[307,308,310,312,314,315,317,318],{"id":13,"depth":75,"text":14},{"id":31,"depth":75,"text":309},"1. Complex Data Transformation with alter",{"id":87,"depth":75,"text":311},"2. Advanced Aggregations with comp",{"id":131,"depth":75,"text":313},"3. Mastering the join Operation",{"id":177,"depth":75,"text":178},{"id":217,"depth":75,"text":316},"5. Using bin for Time-Series Analysis",{"id":255,"depth":75,"text":256},{"id":293,"depth":75,"text":294},"Take your XQL skills to the next level with advanced joins, data transformation, and complex aggregations.","md",{"date":322,"image":323,"alt":324,"tags":325,"published":330},"16th Apr 2026","/blogs-img/blog3.jpg","Advanced Cortex XQL",[326,327,328,329],"Cortex","XQL","AdvancedQuerying","ThreatHunting",true,"/blogs/advanced-threat-hunting-xql",{"title":6,"description":319},"blogs/11. advanced-threat-hunting-xql","dxp1wYP9uTJrMWv4eup4EoEk-43w9S5cRKJi91ERBmY",{"id":336,"title":337,"body":338,"description":946,"extension":320,"meta":947,"navigation":330,"ogImage":948,"path":953,"seo":954,"stem":955,"__hash__":956},"content/blogs/12. ultimate-xql-cheat-sheet.md","The Ultimate XQL Cheat Sheet - 25+ Essential Queries for Cortex XDR",{"type":8,"value":339,"toc":941},[340,351,354,358,367,371,400,404,419,423,438,442,471,475,493,497,519,523,542,546,565,569,583,587,606,608,612,617,621,635,639,658,662,681,685,699,703,722,726,740,744,763,767,781,785,809,813,827,831,845,849,868,872,886,890,905,909,928,930,932,939],[16,341,342,343,346,347,350],{},"Having a solid library of XQL queries is essential for any Palo Alto Cortex analyst. This cheat sheet provides 25+ queries divided into ",[20,344,345],{},"Dashboard Widget"," queries (optimized for visualization) and ",[20,348,349],{},"Investigation"," queries (optimized for threat hunting).",[352,353],"hr",{},[11,355,357],{"id":356},"part-1-widget-visualization-queries","Part 1: Widget & Visualization Queries",[16,359,360],{},[361,362,363,364,366],"em",{},"These queries use ",[25,365,91],{}," to aggregate data, making them perfect for Pie charts, Bar charts, and dashboards.",[43,368,370],{"id":369},"_1-top-10-users-with-failed-logins-bar-chart","1. Top 10 Users with Failed Logins (Bar Chart)",[51,372,374],{"className":53,"code":373,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"LOGIN\" and outcome = \"FAILURE\"\n| comp count(event_id) as failure_count by actor_effective_username\n| sort desc failure_count\n| limit 10\n",[25,375,376,380,385,390,395],{"__ignoreMap":56},[60,377,378],{"class":62,"line":63},[60,379,66],{},[60,381,382],{"class":62,"line":69},[60,383,384],{},"| filter event_type = \"LOGIN\" and outcome = \"FAILURE\"\n",[60,386,387],{"class":62,"line":75},[60,388,389],{},"| comp count(event_id) as failure_count by actor_effective_username\n",[60,391,392],{"class":62,"line":81},[60,393,394],{},"| sort desc failure_count\n",[60,396,397],{"class":62,"line":125},[60,398,399],{},"| limit 10\n",[43,401,403],{"id":402},"_2-incident-severity-distribution-pie-chart","2. Incident Severity Distribution (Pie Chart)",[51,405,407],{"className":53,"code":406,"language":55,"meta":56,"style":56},"dataset = incidents\n| comp count(incident_id) as total by severity\n",[25,408,409,414],{"__ignoreMap":56},[60,410,411],{"class":62,"line":63},[60,412,413],{},"dataset = incidents\n",[60,415,416],{"class":62,"line":69},[60,417,418],{},"| comp count(incident_id) as total by severity\n",[43,420,422],{"id":421},"_3-endpoint-os-distribution-donut-chart","3. Endpoint OS Distribution (Donut Chart)",[51,424,426],{"className":53,"code":425,"language":55,"meta":56,"style":56},"dataset = endpoints\n| comp count(endpoint_id) as total by os_type\n",[25,427,428,433],{"__ignoreMap":56},[60,429,430],{"class":62,"line":63},[60,431,432],{},"dataset = endpoints\n",[60,434,435],{"class":62,"line":69},[60,436,437],{},"| comp count(endpoint_id) as total by os_type\n",[43,439,441],{"id":440},"_4-top-10-malicious-domains-blocked-table-widget","4. Top 10 Malicious Domains Blocked (Table Widget)",[51,443,445],{"className":53,"code":444,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| filter action = \"deny\" and category = \"malware\"\n| comp count(event_id) as blocks by destination_hostname\n| sort desc blocks\n| limit 10\n",[25,446,447,452,457,462,467],{"__ignoreMap":56},[60,448,449],{"class":62,"line":63},[60,450,451],{},"dataset = pan_traffic_raw\n",[60,453,454],{"class":62,"line":69},[60,455,456],{},"| filter action = \"deny\" and category = \"malware\"\n",[60,458,459],{"class":62,"line":75},[60,460,461],{},"| comp count(event_id) as blocks by destination_hostname\n",[60,463,464],{"class":62,"line":81},[60,465,466],{},"| sort desc blocks\n",[60,468,469],{"class":62,"line":125},[60,470,399],{},[43,472,474],{"id":473},"_5-network-traffic-volume-by-app-area-chart","5. Network Traffic Volume by App (Area Chart)",[51,476,478],{"className":53,"code":477,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| alter time_bucket = bin(_time, 1h)\n| comp sum(bytes_sent + bytes_received) as total_bytes by time_bucket, app\n",[25,479,480,484,488],{"__ignoreMap":56},[60,481,482],{"class":62,"line":63},[60,483,451],{},[60,485,486],{"class":62,"line":69},[60,487,247],{},[60,489,490],{"class":62,"line":75},[60,491,492],{},"| comp sum(bytes_sent + bytes_received) as total_bytes by time_bucket, app\n",[43,494,496],{"id":495},"_6-suspicious-powershell-executions-over-time-line-chart","6. Suspicious Powershell Executions over Time (Line Chart)",[51,498,500],{"className":53,"code":499,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\"\n| alter time_bucket = bin(_time, 1h)\n| comp count(event_id) as executions by time_bucket\n",[25,501,502,506,510,514],{"__ignoreMap":56},[60,503,504],{"class":62,"line":63},[60,505,66],{},[60,507,508],{"class":62,"line":69},[60,509,159],{},[60,511,512],{"class":62,"line":75},[60,513,247],{},[60,515,516],{"class":62,"line":81},[60,517,518],{},"| comp count(event_id) as executions by time_bucket\n",[43,520,522],{"id":521},"_7-top-attack-sources-by-country-map-widget","7. Top Attack Sources by Country (Map Widget)",[51,524,526],{"className":53,"code":525,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| filter action = \"deny\"\n| comp count(event_id) as attacks by source_country\n",[25,527,528,532,537],{"__ignoreMap":56},[60,529,530],{"class":62,"line":63},[60,531,451],{},[60,533,534],{"class":62,"line":69},[60,535,536],{},"| filter action = \"deny\"\n",[60,538,539],{"class":62,"line":75},[60,540,541],{},"| comp count(event_id) as attacks by source_country\n",[43,543,545],{"id":544},"_8-data-exfiltration-alert-threshold-widget","8. Data Exfiltration Alert (Threshold Widget)",[51,547,549],{"className":53,"code":548,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| comp sum(bytes_sent) as uploads by source_ip\n| filter uploads > 1000000000 // 1GB Threshold\n",[25,550,551,555,560],{"__ignoreMap":56},[60,552,553],{"class":62,"line":63},[60,554,451],{},[60,556,557],{"class":62,"line":69},[60,558,559],{},"| comp sum(bytes_sent) as uploads by source_ip\n",[60,561,562],{"class":62,"line":75},[60,563,564],{},"| filter uploads > 1000000000 // 1GB Threshold\n",[43,566,568],{"id":567},"_9-agent-health-status-summary-widget","9. Agent Health Status (Summary Widget)",[51,570,572],{"className":53,"code":571,"language":55,"meta":56,"style":56},"dataset = endpoints\n| comp count(endpoint_id) as count by endpoint_status\n",[25,573,574,578],{"__ignoreMap":56},[60,575,576],{"class":62,"line":63},[60,577,432],{},[60,579,580],{"class":62,"line":69},[60,581,582],{},"| comp count(endpoint_id) as count by endpoint_status\n",[43,584,586],{"id":585},"_10-most-common-malware-signatures-bar-chart","10. Most Common Malware Signatures (Bar Chart)",[51,588,590],{"className":53,"code":589,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"MALWARE_DETECTED\"\n| comp count(event_id) as detections by threat_name\n",[25,591,592,596,601],{"__ignoreMap":56},[60,593,594],{"class":62,"line":63},[60,595,66],{},[60,597,598],{"class":62,"line":69},[60,599,600],{},"| filter event_type = \"MALWARE_DETECTED\"\n",[60,602,603],{"class":62,"line":75},[60,604,605],{},"| comp count(event_id) as detections by threat_name\n",[352,607],{},[11,609,611],{"id":610},"part-2-normal-search-investigation-queries","Part 2: Normal Search & Investigation Queries",[16,613,614],{},[361,615,616],{},"These queries return detailed rows, useful for deep-dive forensic investigations.",[43,618,620],{"id":619},"_11-find-all-executions-from-usb-drives","11. Find All Executions from USB Drives",[51,622,624],{"className":53,"code":623,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_path contains \":\\RECYCLER\\\" or actor_process_image_path contains \"Removable\"\n",[25,625,626,630],{"__ignoreMap":56},[60,627,628],{"class":62,"line":63},[60,629,66],{},[60,631,632],{"class":62,"line":69},[60,633,634],{},"| filter actor_process_image_path contains \":\\RECYCLER\\\" or actor_process_image_path contains \"Removable\"\n",[43,636,638],{"id":637},"_12-locate-specific-file-hash-across-network","12. Locate Specific File Hash across Network",[51,640,642],{"className":53,"code":641,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter action_file_sha256 = \"your_hash_here\"\n| fields _time, endpoint_name, actor_process_image_name, action_file_path\n",[25,643,644,648,653],{"__ignoreMap":56},[60,645,646],{"class":62,"line":63},[60,647,66],{},[60,649,650],{"class":62,"line":69},[60,651,652],{},"| filter action_file_sha256 = \"your_hash_here\"\n",[60,654,655],{"class":62,"line":75},[60,656,657],{},"| fields _time, endpoint_name, actor_process_image_name, action_file_path\n",[43,659,661],{"id":660},"_13-trace-rdp-connections-to-internal-ips","13. Trace RDP Connections to Internal IPs",[51,663,665],{"className":53,"code":664,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| filter destination_port = 3389 and destination_ip_internal = true\n| fields _time, source_ip, destination_ip, user\n",[25,666,667,671,676],{"__ignoreMap":56},[60,668,669],{"class":62,"line":63},[60,670,451],{},[60,672,673],{"class":62,"line":69},[60,674,675],{},"| filter destination_port = 3389 and destination_ip_internal = true\n",[60,677,678],{"class":62,"line":75},[60,679,680],{},"| fields _time, source_ip, destination_ip, user\n",[43,682,684],{"id":683},"_14-identify-living-off-the-land-binaries-lolbins","14. Identify \"Living off the Land\" Binaries (Lolbins)",[51,686,688],{"className":53,"code":687,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name in (\"certutil.exe\", \"bitsadmin.exe\", \"mshta.exe\")\n",[25,689,690,694],{"__ignoreMap":56},[60,691,692],{"class":62,"line":63},[60,693,66],{},[60,695,696],{"class":62,"line":69},[60,697,698],{},"| filter actor_process_image_name in (\"certutil.exe\", \"bitsadmin.exe\", \"mshta.exe\")\n",[43,700,702],{"id":701},"_15-detect-base64-commands-in-powershell","15. Detect Base64 Commands in PowerShell",[51,704,706],{"className":53,"code":705,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\" \n| filter actor_process_command_line contains \"-enc\" or actor_process_command_line contains \"Base64\"\n",[25,707,708,712,717],{"__ignoreMap":56},[60,709,710],{"class":62,"line":63},[60,711,66],{},[60,713,714],{"class":62,"line":69},[60,715,716],{},"| filter actor_process_image_name == \"powershell.exe\" \n",[60,718,719],{"class":62,"line":75},[60,720,721],{},"| filter actor_process_command_line contains \"-enc\" or actor_process_command_line contains \"Base64\"\n",[43,723,725],{"id":724},"_16-search-for-newly-created-local-accounts","16. Search for Newly Created Local Accounts",[51,727,729],{"className":53,"code":728,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"USER_MANAGEMENT\" and action_type = \"CREATE\"\n",[25,730,731,735],{"__ignoreMap":56},[60,732,733],{"class":62,"line":63},[60,734,66],{},[60,736,737],{"class":62,"line":69},[60,738,739],{},"| filter event_type = \"USER_MANAGEMENT\" and action_type = \"CREATE\"\n",[43,741,743],{"id":742},"_17-monitor-modification-of-sensitive-registry-keys","17. Monitor Modification of Sensitive Registry Keys",[51,745,747],{"className":53,"code":746,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"REGISTRY\" \n| filter action_registry_key_name contains \"CurrentVersion\\Run\"\n",[25,748,749,753,758],{"__ignoreMap":56},[60,750,751],{"class":62,"line":63},[60,752,66],{},[60,754,755],{"class":62,"line":69},[60,756,757],{},"| filter event_type = \"REGISTRY\" \n",[60,759,760],{"class":62,"line":75},[60,761,762],{},"| filter action_registry_key_name contains \"CurrentVersion\\Run\"\n",[43,764,766],{"id":765},"_18-find-suspicious-parent-child-process-relationships-eg-word-cmd","18. Find Suspicious Parent-Child Process Relationships (e.g. Word -> CMD)",[51,768,770],{"className":53,"code":769,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name == \"winword.exe\" and action_process_image_name == \"cmd.exe\"\n",[25,771,772,776],{"__ignoreMap":56},[60,773,774],{"class":62,"line":63},[60,775,66],{},[60,777,778],{"class":62,"line":69},[60,779,780],{},"| filter actor_process_image_name == \"winword.exe\" and action_process_image_name == \"cmd.exe\"\n",[43,782,784],{"id":783},"_19-identify-excessive-dns-queries-potential-tunneling","19. Identify Excessive DNS Queries (Potential Tunneling)",[51,786,788],{"className":53,"code":787,"language":55,"meta":56,"style":56},"dataset = pan_traffic_raw\n| filter destination_port = 53\n| comp count(event_id) as dns_queries by source_ip, destination_hostname\n| filter dns_queries > 500\n",[25,789,790,794,799,804],{"__ignoreMap":56},[60,791,792],{"class":62,"line":63},[60,793,451],{},[60,795,796],{"class":62,"line":69},[60,797,798],{},"| filter destination_port = 53\n",[60,800,801],{"class":62,"line":75},[60,802,803],{},"| comp count(event_id) as dns_queries by source_ip, destination_hostname\n",[60,805,806],{"class":62,"line":81},[60,807,808],{},"| filter dns_queries > 500\n",[43,810,812],{"id":811},"_20-list-processes-listening-on-non-standard-ports","20. List Processes listening on non-standard ports",[51,814,816],{"className":53,"code":815,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"NETWORK\" and action_local_port not in (80, 443, 8080)\n",[25,817,818,822],{"__ignoreMap":56},[60,819,820],{"class":62,"line":63},[60,821,66],{},[60,823,824],{"class":62,"line":69},[60,825,826],{},"| filter event_type = \"NETWORK\" and action_local_port not in (80, 443, 8080)\n",[43,828,830],{"id":829},"_21-detect-lsass-memory-dumping","21. Detect LSASS Memory Dumping",[51,832,834],{"className":53,"code":833,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter action_process_image_name == \"lsass.exe\" and action_type = \"OPEN_PROCESS\"\n",[25,835,836,840],{"__ignoreMap":56},[60,837,838],{"class":62,"line":63},[60,839,66],{},[60,841,842],{"class":62,"line":69},[60,843,844],{},"| filter action_process_image_name == \"lsass.exe\" and action_type = \"OPEN_PROCESS\"\n",[43,846,848],{"id":847},"_22-find-files-downloaded-via-browser-then-executed","22. Find Files Downloaded via Browser then Executed",[51,850,852],{"className":53,"code":851,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter actor_process_image_name in (\"chrome.exe\", \"firefox.exe\", \"msedge.exe\")\n| filter action_type = \"FILE_WRITE\"\n",[25,853,854,858,863],{"__ignoreMap":56},[60,855,856],{"class":62,"line":63},[60,857,66],{},[60,859,860],{"class":62,"line":69},[60,861,862],{},"| filter actor_process_image_name in (\"chrome.exe\", \"firefox.exe\", \"msedge.exe\")\n",[60,864,865],{"class":62,"line":75},[60,866,867],{},"| filter action_type = \"FILE_WRITE\"\n",[43,869,871],{"id":870},"_23-investigate-ssh-logins-from-external-ips","23. Investigate SSH Logins from External IPs",[51,873,875],{"className":53,"code":874,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter event_type = \"LOGIN\" and auth_method = \"ssh\" and source_ip_internal = false\n",[25,876,877,881],{"__ignoreMap":56},[60,878,879],{"class":62,"line":63},[60,880,66],{},[60,882,883],{"class":62,"line":69},[60,884,885],{},"| filter event_type = \"LOGIN\" and auth_method = \"ssh\" and source_ip_internal = false\n",[43,887,889],{"id":888},"_24-audit-admin-activity-in-the-cloud-console","24. Audit Admin Activity in the Cloud Console",[51,891,893],{"className":53,"code":892,"language":55,"meta":56,"style":56},"dataset = cloud_audit_logs\n| filter user_role = \"Admin\" and action_type != \"GET\"\n",[25,894,895,900],{"__ignoreMap":56},[60,896,897],{"class":62,"line":63},[60,898,899],{},"dataset = cloud_audit_logs\n",[60,901,902],{"class":62,"line":69},[60,903,904],{},"| filter user_role = \"Admin\" and action_type != \"GET\"\n",[43,906,908],{"id":907},"_25-spot-hidden-filesdirectories-being-accesses","25. Spot Hidden Files/Directories being Accesses",[51,910,912],{"className":53,"code":911,"language":55,"meta":56,"style":56},"dataset = xdr_data\n| filter action_file_path contains \"\\.\" // Unix style hidden\n| filter action_file_path contains \"$RECYCLE.BIN\" // Windows style\n",[25,913,914,918,923],{"__ignoreMap":56},[60,915,916],{"class":62,"line":63},[60,917,66],{},[60,919,920],{"class":62,"line":69},[60,921,922],{},"| filter action_file_path contains \"\\.\" // Unix style hidden\n",[60,924,925],{"class":62,"line":75},[60,926,927],{},"| filter action_file_path contains \"$RECYCLE.BIN\" // Windows style\n",[352,929],{},[11,931,294],{"id":293},[16,933,934,935,938],{},"Whether you are building a NOC dashboard or hunting for an advanced persistent threat (APT), these queries provide a solid foundation. Remember to always ",[20,936,937],{},"test your queries on a small time range"," before scaling up to ensure performance!",[302,940,304],{},{"title":56,"searchDepth":69,"depth":69,"links":942},[943,944,945],{"id":356,"depth":75,"text":357},{"id":610,"depth":75,"text":611},{"id":293,"depth":75,"text":294},"A comprehensive collection of XQL queries for threat hunting, investigation, and dashboard widgets.",{"date":322,"image":948,"alt":949,"tags":950,"published":330},"/blogs-img/blog4.jpg","XQL Cheat Sheet",[326,327,951,952],"CheatSheet","SecurityOps","/blogs/ultimate-xql-cheat-sheet",{"title":337,"description":946},"blogs/12. ultimate-xql-cheat-sheet","UqbAG2xiEGF4fCYSaUQopU2NoTN_8zLb1kVhwZ506Yw",{"id":958,"title":959,"body":960,"description":1408,"extension":320,"meta":1409,"navigation":330,"ogImage":1410,"path":1416,"seo":1417,"stem":1418,"__hash__":1419},"content/blogs/13. investigating-cortex-incidents-cases.md","Investigating Cortex Incidents - A Deep Dive into Cases and Alerts",{"type":8,"value":961,"toc":1399},[962,966,981,992,994,998,1002,1005,1034,1038,1041,1065,1069,1072,1101,1103,1107,1111,1118,1143,1147,1150,1173,1177,1180,1199,1201,1205,1209,1212,1231,1235,1238,1257,1261,1264,1287,1289,1293,1297,1300,1324,1326,1330,1389,1391,1394,1397],[11,963,965],{"id":964},"understanding-the-incident-lifecycle","Understanding the Incident Lifecycle",[16,967,968,969,972,973,976,977,980],{},"In Cortex XDR, visibility isn't just about logs; it's about the ",[20,970,971],{},"lifecycle of an attack",". This lifecycle is represented through ",[20,974,975],{},"Alerts"," (singular events) and ",[20,978,979],{},"Incidents"," (correlated groups of alerts).",[16,982,983,984,987,988,991],{},"To master case management, you need to be able to query the ",[25,985,986],{},"incidents"," and ",[25,989,990],{},"alerts"," datasets with precision. This guide covers detailed XQL patterns for managing and auditing your SOC's response.",[352,993],{},[11,995,997],{"id":996},"_1-incident-analysis-queries","1. Incident Analysis Queries",[43,999,1001],{"id":1000},"a-finding-high-priority-incidents-with-multiple-alerts","A. Finding High-Priority Incidents with Multiple Alerts",[16,1003,1004],{},"Incidents with many alerts often indicate a broad or successful attack.",[51,1006,1008],{"className":53,"code":1007,"language":55,"meta":56,"style":56},"dataset = incidents\n| filter severity = \"high\" or severity = \"critical\"\n| filter alert_count > 5\n| fields incident_id, description, severity, status, alert_count, creation_time\n| sort desc alert_count\n",[25,1009,1010,1014,1019,1024,1029],{"__ignoreMap":56},[60,1011,1012],{"class":62,"line":63},[60,1013,413],{},[60,1015,1016],{"class":62,"line":69},[60,1017,1018],{},"| filter severity = \"high\" or severity = \"critical\"\n",[60,1020,1021],{"class":62,"line":75},[60,1022,1023],{},"| filter alert_count > 5\n",[60,1025,1026],{"class":62,"line":81},[60,1027,1028],{},"| fields incident_id, description, severity, status, alert_count, creation_time\n",[60,1030,1031],{"class":62,"line":125},[60,1032,1033],{},"| sort desc alert_count\n",[43,1035,1037],{"id":1036},"b-tracking-mean-time-to-acknowledge-mtta","B. Tracking Mean Time to Acknowledge (MTTA)",[16,1039,1040],{},"A critical metric for SOC efficiency. This calculates how long it takes for a case to be touched by an analyst.",[51,1042,1044],{"className":53,"code":1043,"language":55,"meta":56,"style":56},"dataset = incidents\n| filter status != \"pending\"\n| alter mtta_seconds = (acknowledgement_time - creation_time) / 1000\n| comp avg(mtta_seconds) as avg_mtta_seconds by severity\n",[25,1045,1046,1050,1055,1060],{"__ignoreMap":56},[60,1047,1048],{"class":62,"line":63},[60,1049,413],{},[60,1051,1052],{"class":62,"line":69},[60,1053,1054],{},"| filter status != \"pending\"\n",[60,1056,1057],{"class":62,"line":75},[60,1058,1059],{},"| alter mtta_seconds = (acknowledgement_time - creation_time) / 1000\n",[60,1061,1062],{"class":62,"line":81},[60,1063,1064],{},"| comp avg(mtta_seconds) as avg_mtta_seconds by severity\n",[43,1066,1068],{"id":1067},"c-identifying-long-running-cases","C. Identifying \"Long-Running\" Cases",[16,1070,1071],{},"Cases that have been open for an unusual amount of time may require escalation.",[51,1073,1075],{"className":53,"code":1074,"language":55,"meta":56,"style":56},"dataset = incidents\n| filter status = \"under_investigation\"\n| alter open_duration_hours = (timestamp() - creation_time) / 3600000\n| filter open_duration_hours > 48\n| fields incident_id, assignee, open_duration_hours\n",[25,1076,1077,1081,1086,1091,1096],{"__ignoreMap":56},[60,1078,1079],{"class":62,"line":63},[60,1080,413],{},[60,1082,1083],{"class":62,"line":69},[60,1084,1085],{},"| filter status = \"under_investigation\"\n",[60,1087,1088],{"class":62,"line":75},[60,1089,1090],{},"| alter open_duration_hours = (timestamp() - creation_time) / 3600000\n",[60,1092,1093],{"class":62,"line":81},[60,1094,1095],{},"| filter open_duration_hours > 48\n",[60,1097,1098],{"class":62,"line":125},[60,1099,1100],{},"| fields incident_id, assignee, open_duration_hours\n",[352,1102],{},[11,1104,1106],{"id":1105},"_2-alert-deep-dive-queries","2. Alert Deep-Dive Queries",[43,1108,1110],{"id":1109},"d-mapping-alerts-to-specific-mitre-attck-techniques","D. Mapping Alerts to Specific MITRE ATT&CK Techniques",[16,1112,1113,1114,1117],{},"Understanding ",[361,1115,1116],{},"how"," the attack is happening is vital for containment.",[51,1119,1121],{"className":53,"code":1120,"language":55,"meta":56,"style":56},"dataset = alerts\n| filter mitre_technique_id != null\n| comp count(alert_id) as technique_count by mitre_technique_name, mitre_technique_id\n| sort desc technique_count\n",[25,1122,1123,1128,1133,1138],{"__ignoreMap":56},[60,1124,1125],{"class":62,"line":63},[60,1126,1127],{},"dataset = alerts\n",[60,1129,1130],{"class":62,"line":69},[60,1131,1132],{},"| filter mitre_technique_id != null\n",[60,1134,1135],{"class":62,"line":75},[60,1136,1137],{},"| comp count(alert_id) as technique_count by mitre_technique_name, mitre_technique_id\n",[60,1139,1140],{"class":62,"line":81},[60,1141,1142],{},"| sort desc technique_count\n",[43,1144,1146],{"id":1145},"e-finding-noisiest-alert-sources","E. Finding \"Noisiest\" Alert Sources",[16,1148,1149],{},"Identifying which endpoints or users are triggering the most alerts to reduce false positives.",[51,1151,1153],{"className":53,"code":1152,"language":55,"meta":56,"style":56},"dataset = alerts\n| comp count(alert_id) as alert_count by source_endpoint_name\n| sort desc alert_count\n| limit 20\n",[25,1154,1155,1159,1164,1168],{"__ignoreMap":56},[60,1156,1157],{"class":62,"line":63},[60,1158,1127],{},[60,1160,1161],{"class":62,"line":69},[60,1162,1163],{},"| comp count(alert_id) as alert_count by source_endpoint_name\n",[60,1165,1166],{"class":62,"line":75},[60,1167,1033],{},[60,1169,1170],{"class":62,"line":81},[60,1171,1172],{},"| limit 20\n",[43,1174,1176],{"id":1175},"f-correlating-alerts-without-incidents","F. Correlating Alerts without Incidents",[16,1178,1179],{},"Sometimes alerts fail to group into an incident correctly. Finding these \"orphaned\" alerts can surface hidden threats.",[51,1181,1183],{"className":53,"code":1182,"language":55,"meta":56,"style":56},"dataset = alerts\n| filter incident_id = null\n| fields _time, alert_name, severity, source_endpoint_name\n",[25,1184,1185,1189,1194],{"__ignoreMap":56},[60,1186,1187],{"class":62,"line":63},[60,1188,1127],{},[60,1190,1191],{"class":62,"line":69},[60,1192,1193],{},"| filter incident_id = null\n",[60,1195,1196],{"class":62,"line":75},[60,1197,1198],{},"| fields _time, alert_name, severity, source_endpoint_name\n",[352,1200],{},[11,1202,1204],{"id":1203},"_3-case-escalation-logic-issues","3. Case Escalation & Logic Issues",[43,1206,1208],{"id":1207},"g-detecting-flapping-alerts","G. Detecting Flapping Alerts",[16,1210,1211],{},"Alerts that resolve and then re-open frequently can point to misconfigured policies or recurring automated threats.",[51,1213,1215],{"className":53,"code":1214,"language":55,"meta":56,"style":56},"dataset = alerts\n| comp count(alert_id) as instance_count by alert_name, source_endpoint_name\n| filter instance_count > 50\n",[25,1216,1217,1221,1226],{"__ignoreMap":56},[60,1218,1219],{"class":62,"line":63},[60,1220,1127],{},[60,1222,1223],{"class":62,"line":69},[60,1224,1225],{},"| comp count(alert_id) as instance_count by alert_name, source_endpoint_name\n",[60,1227,1228],{"class":62,"line":75},[60,1229,1230],{},"| filter instance_count > 50\n",[43,1232,1234],{"id":1233},"h-analyzing-resolution-rationale","H. Analyzing Resolution Rationale",[16,1236,1237],{},"If you want to see why analysts are closing cases as \"False Positive,\" you can audit the resolution comments.",[51,1239,1241],{"className":53,"code":1240,"language":55,"meta":56,"style":56},"dataset = incidents\n| filter status = \"resolved\" and resolution_status = \"false_positive\"\n| fields incident_id, resolution_comment, resolved_by\n",[25,1242,1243,1247,1252],{"__ignoreMap":56},[60,1244,1245],{"class":62,"line":63},[60,1246,413],{},[60,1248,1249],{"class":62,"line":69},[60,1250,1251],{},"| filter status = \"resolved\" and resolution_status = \"false_positive\"\n",[60,1253,1254],{"class":62,"line":75},[60,1255,1256],{},"| fields incident_id, resolution_comment, resolved_by\n",[43,1258,1260],{"id":1259},"i-identifying-overloaded-analysts","I. Identifying Overloaded Analysts",[16,1262,1263],{},"Check the workload distribution across your SOC team.",[51,1265,1267],{"className":53,"code":1266,"language":55,"meta":56,"style":56},"dataset = incidents\n| filter status = \"under_investigation\"\n| comp count(incident_id) as assigned_cases by assignee\n| sort desc assigned_cases\n",[25,1268,1269,1273,1277,1282],{"__ignoreMap":56},[60,1270,1271],{"class":62,"line":63},[60,1272,413],{},[60,1274,1275],{"class":62,"line":69},[60,1276,1085],{},[60,1278,1279],{"class":62,"line":75},[60,1280,1281],{},"| comp count(incident_id) as assigned_cases by assignee\n",[60,1283,1284],{"class":62,"line":81},[60,1285,1286],{},"| sort desc assigned_cases\n",[352,1288],{},[11,1290,1292],{"id":1291},"_4-advanced-case-correlating","4. Advanced Case Correlating",[43,1294,1296],{"id":1295},"j-the-full-story-query","J. The \"Full Story\" Query",[16,1298,1299],{},"Combine incident metadata with the actual process details that started the mess.",[51,1301,1303],{"className":53,"code":1302,"language":55,"meta":56,"style":56},"dataset = incidents\n| join (dataset = alerts) as a on a.incident_id = incidents.incident_id\n| fields incidents.incident_id, incidents.description, a.alert_name, a.actor_process_command_line\n| limit 50\n",[25,1304,1305,1309,1314,1319],{"__ignoreMap":56},[60,1306,1307],{"class":62,"line":63},[60,1308,413],{},[60,1310,1311],{"class":62,"line":69},[60,1312,1313],{},"| join (dataset = alerts) as a on a.incident_id = incidents.incident_id\n",[60,1315,1316],{"class":62,"line":75},[60,1317,1318],{},"| fields incidents.incident_id, incidents.description, a.alert_name, a.actor_process_command_line\n",[60,1320,1321],{"class":62,"line":81},[60,1322,1323],{},"| limit 50\n",[352,1325],{},[11,1327,1329],{"id":1328},"summary-table-key-datasets-for-cases","Summary Table: Key Datasets for Cases",[1331,1332,1333,1347],"table",{},[1334,1335,1336],"thead",{},[1337,1338,1339,1344],"tr",{},[1340,1341,1343],"th",{"align":1342},"left","Dataset",[1340,1345,1346],{"align":1342},"Primary Use",[1348,1349,1350,1360,1369,1379],"tbody",{},[1337,1351,1352,1357],{},[1353,1354,1355],"td",{"align":1342},[25,1356,986],{},[1353,1358,1359],{"align":1342},"High-level case tracking, status, and ownership.",[1337,1361,1362,1366],{},[1353,1363,1364],{"align":1342},[25,1365,990],{},[1353,1367,1368],{"align":1342},"Technical details of the security event.",[1337,1370,1371,1376],{},[1353,1372,1373],{"align":1342},[25,1374,1375],{},"alert_rules",[1353,1377,1378],{"align":1342},"Auditing which policies are triggering detections.",[1337,1380,1381,1386],{},[1353,1382,1383],{"align":1342},[25,1384,1385],{},"action_history",[1353,1387,1388],{"align":1342},"Tracking what remediation actions (e.g., Isolate) were taken.",[11,1390,294],{"id":293},[16,1392,1393],{},"Effective case management in Cortex XDR requires shifting from \"viewing screens\" to \"querying data.\" By using these XQL patterns, you can identify bottlenecks in your SOC, find orphaned alerts that missed correlation, and ensure that critical threats are acknowledged in minutes, not days.",[16,1395,1396],{},"Stay vigilant!",[302,1398,304],{},{"title":56,"searchDepth":69,"depth":69,"links":1400},[1401,1402,1403,1404,1405,1406,1407],{"id":964,"depth":75,"text":965},{"id":996,"depth":75,"text":997},{"id":1105,"depth":75,"text":1106},{"id":1203,"depth":75,"text":1204},{"id":1291,"depth":75,"text":1292},{"id":1328,"depth":75,"text":1329},{"id":293,"depth":75,"text":294},"Learn how to use XQL to manage, analyze, and resolve security incidents and alerts in Cortex XDR with detailed precision.",{"date":322,"image":1410,"alt":1411,"tags":1412,"published":330},"/blogs-img/blog5.jpg","Cortex Incidents and Cases",[1413,979,1414,1415],"CortexXDR","CaseManagement","SecurityInvestigation","/blogs/investigating-cortex-incidents-cases",{"title":959,"description":1408},"blogs/13. investigating-cortex-incidents-cases","B_U1O4TtzRPedUjJ148vzmjY-5DGsR_Z4b5TPxsVKo0",[1421,1500,1710],{"id":1422,"title":1423,"body":1424,"description":1489,"extension":320,"meta":1490,"navigation":330,"ogImage":1492,"path":1496,"seo":1497,"stem":1498,"__hash__":1499},"content/blogs/1. connect-namecheap-to-vercel.md","How To Connect You Namecheap Domain With Vercel Deployed App",{"type":8,"value":1425,"toc":1481},[1426,1430,1433,1437,1440,1444,1447,1450,1454,1457,1460,1463,1466,1470,1473,1476,1478],[11,1427,1429],{"id":1428},"introduction","Introduction",[16,1431,1432],{},"If you've purchased a domain from Namecheap and you want to connect it to your Vercel app, there are a few steps you need to follow. In this blog, we'll guide you through the process of connecting your Namecheap domain with your Vercel app.",[11,1434,1436],{"id":1435},"step-1-add-a-custom-domain-to-your-vercel-app","Step 1: Add a custom domain to your Vercel app",[16,1438,1439],{},"The first step is to add your custom domain to your Vercel app. To do this, log in to your Vercel account and go to your app dashboard. Click on \"Settings\" and then \"Domains\". Click on \"Add Domain\" and enter your custom domain name. Then click on \"Add\".",[11,1441,1443],{"id":1442},"step-2-get-the-dns-records-from-vercel","Step 2: Get the DNS records from Vercel",[16,1445,1446],{},"Once you've added your custom domain to your Vercel app, you'll need to get the DNS records from Vercel. To do this, go back to the \"Domains\" section and click on the custom domain you just added. Then click on \"DNS Records\".",[16,1448,1449],{},"You'll see a list of DNS records that you need to add to your Namecheap account. These include the A record, the CNAME record, and the TXT record.",[11,1451,1453],{"id":1452},"step-3-add-dns-records-to-namecheap","Step 3: Add DNS records to Namecheap",[16,1455,1456],{},"Now that you have the DNS records from Vercel, you need to add them to your Namecheap account. To do this, log in to your Namecheap account and go to your domain dashboard. Click on \"Advanced DNS\" and then \"Add New Record\".",[16,1458,1459],{},"Add the A record first. In the \"Type\" dropdown menu, select \"A (Address)\". In the \"Host\" field, enter \"@\" (without the quotes). In the \"Value\" field, enter the IP address from the Vercel DNS records.",[16,1461,1462],{},"Next, add the CNAME record. In the \"Type\" dropdown menu, select \"CNAME (Alias)\". In the \"Host\" field, enter \"www\" (without the quotes). In the \"Value\" field, enter the value from the Vercel DNS records.",[16,1464,1465],{},"Finally, add the TXT record. In the \"Type\" dropdown menu, select \"TXT (Text)\". In the \"Host\" field, enter \"@\" (without the quotes). In the \"Value\" field, enter the value from the Vercel DNS records.",[11,1467,1469],{"id":1468},"step-4-verify-dns-records","Step 4: Verify DNS records",[16,1471,1472],{},"Once you've added the DNS records to your Namecheap account, you need to verify that they're correct. To do this, go back to your Vercel app dashboard and click on the custom domain. Then click on \"Verify DNS Configuration\". Vercel will check if the DNS records have been set up correctly.",[16,1474,1475],{},"It may take some time for the DNS records to propagate, so be patient. Once the DNS records have propagated, Vercel will verify them and your custom domain will be connected to your Vercel app.",[11,1477,294],{"id":293},[16,1479,1480],{},"Connecting your Namecheap domain to your Vercel app is a relatively simple process. By following the steps outlined in this blog, you'll be able to connect your custom domain in no time. Remember to be patient as it may take some time for the DNS records to propagate. If you run into any issues, don't hesitate to reach out to Vercel support for assistance.",{"title":56,"searchDepth":69,"depth":69,"links":1482},[1483,1484,1485,1486,1487,1488],{"id":1428,"depth":75,"text":1429},{"id":1435,"depth":75,"text":1436},{"id":1442,"depth":75,"text":1443},{"id":1452,"depth":75,"text":1453},{"id":1468,"depth":75,"text":1469},{"id":293,"depth":75,"text":294},"Here you will lean how to connect your namecheap domain to vercel deployed app.",{"date":1491,"image":1492,"alt":1423,"tags":1493,"published":330},"1st Mar 2023","/blogs-img/blog1.jpg",[1494,1495],"namecheap","vercel","/blogs/connect-namecheap-to-vercel",{"title":1423,"description":1489},"blogs/1. connect-namecheap-to-vercel","6bP1Z3akUdkPDUNMFvzPGAroM_E6rx4Ix4BL2YTQTa4",{"id":5,"title":6,"body":1501,"description":319,"extension":320,"meta":1707,"navigation":330,"ogImage":323,"path":331,"seo":1709,"stem":333,"__hash__":334},{"type":8,"value":1502,"toc":1697},[1503,1505,1511,1515,1519,1521,1523,1543,1547,1549,1551,1575,1579,1581,1583,1585,1609,1611,1613,1615,1639,1643,1647,1667,1669,1689,1691,1693,1695],[11,1504,14],{"id":13},[16,1506,18,1507,23,1509,28],{},[20,1508,22],{},[25,1510,27],{},[11,1512,32,1513],{"id":31},[25,1514,35],{},[16,1516,38,1517,41],{},[25,1518,35],{},[43,1520,46],{"id":45},[16,1522,49],{},[51,1524,1525],{"className":53,"code":54,"language":55,"meta":56,"style":56},[25,1526,1527,1531,1535,1539],{"__ignoreMap":56},[60,1528,1529],{"class":62,"line":63},[60,1530,66],{},[60,1532,1533],{"class":62,"line":69},[60,1534,72],{},[60,1536,1537],{"class":62,"line":75},[60,1538,78],{},[60,1540,1541],{"class":62,"line":81},[60,1542,84],{},[11,1544,88,1545],{"id":87},[25,1546,91],{},[16,1548,94],{},[43,1550,98],{"id":97},[51,1552,1553],{"className":53,"code":101,"language":55,"meta":56,"style":56},[25,1554,1555,1559,1563,1567,1571],{"__ignoreMap":56},[60,1556,1557],{"class":62,"line":63},[60,1558,66],{},[60,1560,1561],{"class":62,"line":69},[60,1562,112],{},[60,1564,1565],{"class":62,"line":75},[60,1566,117],{},[60,1568,1569],{"class":62,"line":81},[60,1570,122],{},[60,1572,1573],{"class":62,"line":125},[60,1574,128],{},[11,1576,132,1577,135],{"id":131},[25,1578,27],{},[16,1580,138],{},[43,1582,142],{"id":141},[16,1584,145],{},[51,1586,1587],{"className":53,"code":148,"language":55,"meta":56,"style":56},[25,1588,1589,1593,1597,1601,1605],{"__ignoreMap":56},[60,1590,1591],{"class":62,"line":63},[60,1592,66],{},[60,1594,1595],{"class":62,"line":69},[60,1596,159],{},[60,1598,1599],{"class":62,"line":75},[60,1600,164],{},[60,1602,1603],{"class":62,"line":81},[60,1604,169],{},[60,1606,1607],{"class":62,"line":125},[60,1608,174],{},[11,1610,178],{"id":177},[16,1612,181],{},[43,1614,185],{"id":184},[51,1616,1617],{"className":53,"code":188,"language":55,"meta":56,"style":56},[25,1618,1619,1623,1627,1631,1635],{"__ignoreMap":56},[60,1620,1621],{"class":62,"line":63},[60,1622,66],{},[60,1624,1625],{"class":62,"line":69},[60,1626,199],{},[60,1628,1629],{"class":62,"line":75},[60,1630,204],{},[60,1632,1633],{"class":62,"line":81},[60,1634,209],{},[60,1636,1637],{"class":62,"line":125},[60,1638,214],{},[11,1640,218,1641,222],{"id":217},[25,1642,221],{},[16,1644,225,1645,228],{},[25,1646,221],{},[51,1648,1649],{"className":53,"code":231,"language":55,"meta":56,"style":56},[25,1650,1651,1655,1659,1663],{"__ignoreMap":56},[60,1652,1653],{"class":62,"line":63},[60,1654,66],{},[60,1656,1657],{"class":62,"line":69},[60,1658,242],{},[60,1660,1661],{"class":62,"line":75},[60,1662,247],{},[60,1664,1665],{"class":62,"line":81},[60,1666,252],{},[11,1668,256],{"id":255},[258,1670,1671,1679,1685],{},[261,1672,1673,266,1675,270,1677,274],{},[20,1674,265],{},[25,1676,269],{},[25,1678,273],{},[261,1680,1681,280,1683,284],{},[20,1682,279],{},[25,1684,283],{},[261,1686,1687,290],{},[20,1688,289],{},[11,1690,294],{"id":293},[16,1692,297],{},[16,1694,300],{},[302,1696,304],{},{"title":56,"searchDepth":69,"depth":69,"links":1698},[1699,1700,1701,1702,1703,1704,1705,1706],{"id":13,"depth":75,"text":14},{"id":31,"depth":75,"text":309},{"id":87,"depth":75,"text":311},{"id":131,"depth":75,"text":313},{"id":177,"depth":75,"text":178},{"id":217,"depth":75,"text":316},{"id":255,"depth":75,"text":256},{"id":293,"depth":75,"text":294},{"date":322,"image":323,"alt":324,"tags":1708,"published":330},[326,327,328,329],{"title":6,"description":319},{"id":336,"title":337,"body":1711,"description":946,"extension":320,"meta":2182,"navigation":330,"ogImage":948,"path":953,"seo":2184,"stem":955,"__hash__":956},{"type":8,"value":1712,"toc":2177},[1713,1719,1721,1723,1729,1731,1755,1757,1769,1771,1783,1785,1809,1811,1827,1829,1849,1851,1867,1869,1885,1887,1899,1901,1917,1919,1921,1925,1927,1939,1941,1957,1959,1975,1977,1989,1991,2007,2009,2021,2023,2039,2041,2053,2055,2075,2077,2089,2091,2103,2105,2121,2123,2135,2137,2149,2151,2167,2169,2171,2175],[16,1714,342,1715,346,1717,350],{},[20,1716,345],{},[20,1718,349],{},[352,1720],{},[11,1722,357],{"id":356},[16,1724,1725],{},[361,1726,363,1727,366],{},[25,1728,91],{},[43,1730,370],{"id":369},[51,1732,1733],{"className":53,"code":373,"language":55,"meta":56,"style":56},[25,1734,1735,1739,1743,1747,1751],{"__ignoreMap":56},[60,1736,1737],{"class":62,"line":63},[60,1738,66],{},[60,1740,1741],{"class":62,"line":69},[60,1742,384],{},[60,1744,1745],{"class":62,"line":75},[60,1746,389],{},[60,1748,1749],{"class":62,"line":81},[60,1750,394],{},[60,1752,1753],{"class":62,"line":125},[60,1754,399],{},[43,1756,403],{"id":402},[51,1758,1759],{"className":53,"code":406,"language":55,"meta":56,"style":56},[25,1760,1761,1765],{"__ignoreMap":56},[60,1762,1763],{"class":62,"line":63},[60,1764,413],{},[60,1766,1767],{"class":62,"line":69},[60,1768,418],{},[43,1770,422],{"id":421},[51,1772,1773],{"className":53,"code":425,"language":55,"meta":56,"style":56},[25,1774,1775,1779],{"__ignoreMap":56},[60,1776,1777],{"class":62,"line":63},[60,1778,432],{},[60,1780,1781],{"class":62,"line":69},[60,1782,437],{},[43,1784,441],{"id":440},[51,1786,1787],{"className":53,"code":444,"language":55,"meta":56,"style":56},[25,1788,1789,1793,1797,1801,1805],{"__ignoreMap":56},[60,1790,1791],{"class":62,"line":63},[60,1792,451],{},[60,1794,1795],{"class":62,"line":69},[60,1796,456],{},[60,1798,1799],{"class":62,"line":75},[60,1800,461],{},[60,1802,1803],{"class":62,"line":81},[60,1804,466],{},[60,1806,1807],{"class":62,"line":125},[60,1808,399],{},[43,1810,474],{"id":473},[51,1812,1813],{"className":53,"code":477,"language":55,"meta":56,"style":56},[25,1814,1815,1819,1823],{"__ignoreMap":56},[60,1816,1817],{"class":62,"line":63},[60,1818,451],{},[60,1820,1821],{"class":62,"line":69},[60,1822,247],{},[60,1824,1825],{"class":62,"line":75},[60,1826,492],{},[43,1828,496],{"id":495},[51,1830,1831],{"className":53,"code":499,"language":55,"meta":56,"style":56},[25,1832,1833,1837,1841,1845],{"__ignoreMap":56},[60,1834,1835],{"class":62,"line":63},[60,1836,66],{},[60,1838,1839],{"class":62,"line":69},[60,1840,159],{},[60,1842,1843],{"class":62,"line":75},[60,1844,247],{},[60,1846,1847],{"class":62,"line":81},[60,1848,518],{},[43,1850,522],{"id":521},[51,1852,1853],{"className":53,"code":525,"language":55,"meta":56,"style":56},[25,1854,1855,1859,1863],{"__ignoreMap":56},[60,1856,1857],{"class":62,"line":63},[60,1858,451],{},[60,1860,1861],{"class":62,"line":69},[60,1862,536],{},[60,1864,1865],{"class":62,"line":75},[60,1866,541],{},[43,1868,545],{"id":544},[51,1870,1871],{"className":53,"code":548,"language":55,"meta":56,"style":56},[25,1872,1873,1877,1881],{"__ignoreMap":56},[60,1874,1875],{"class":62,"line":63},[60,1876,451],{},[60,1878,1879],{"class":62,"line":69},[60,1880,559],{},[60,1882,1883],{"class":62,"line":75},[60,1884,564],{},[43,1886,568],{"id":567},[51,1888,1889],{"className":53,"code":571,"language":55,"meta":56,"style":56},[25,1890,1891,1895],{"__ignoreMap":56},[60,1892,1893],{"class":62,"line":63},[60,1894,432],{},[60,1896,1897],{"class":62,"line":69},[60,1898,582],{},[43,1900,586],{"id":585},[51,1902,1903],{"className":53,"code":589,"language":55,"meta":56,"style":56},[25,1904,1905,1909,1913],{"__ignoreMap":56},[60,1906,1907],{"class":62,"line":63},[60,1908,66],{},[60,1910,1911],{"class":62,"line":69},[60,1912,600],{},[60,1914,1915],{"class":62,"line":75},[60,1916,605],{},[352,1918],{},[11,1920,611],{"id":610},[16,1922,1923],{},[361,1924,616],{},[43,1926,620],{"id":619},[51,1928,1929],{"className":53,"code":623,"language":55,"meta":56,"style":56},[25,1930,1931,1935],{"__ignoreMap":56},[60,1932,1933],{"class":62,"line":63},[60,1934,66],{},[60,1936,1937],{"class":62,"line":69},[60,1938,634],{},[43,1940,638],{"id":637},[51,1942,1943],{"className":53,"code":641,"language":55,"meta":56,"style":56},[25,1944,1945,1949,1953],{"__ignoreMap":56},[60,1946,1947],{"class":62,"line":63},[60,1948,66],{},[60,1950,1951],{"class":62,"line":69},[60,1952,652],{},[60,1954,1955],{"class":62,"line":75},[60,1956,657],{},[43,1958,661],{"id":660},[51,1960,1961],{"className":53,"code":664,"language":55,"meta":56,"style":56},[25,1962,1963,1967,1971],{"__ignoreMap":56},[60,1964,1965],{"class":62,"line":63},[60,1966,451],{},[60,1968,1969],{"class":62,"line":69},[60,1970,675],{},[60,1972,1973],{"class":62,"line":75},[60,1974,680],{},[43,1976,684],{"id":683},[51,1978,1979],{"className":53,"code":687,"language":55,"meta":56,"style":56},[25,1980,1981,1985],{"__ignoreMap":56},[60,1982,1983],{"class":62,"line":63},[60,1984,66],{},[60,1986,1987],{"class":62,"line":69},[60,1988,698],{},[43,1990,702],{"id":701},[51,1992,1993],{"className":53,"code":705,"language":55,"meta":56,"style":56},[25,1994,1995,1999,2003],{"__ignoreMap":56},[60,1996,1997],{"class":62,"line":63},[60,1998,66],{},[60,2000,2001],{"class":62,"line":69},[60,2002,716],{},[60,2004,2005],{"class":62,"line":75},[60,2006,721],{},[43,2008,725],{"id":724},[51,2010,2011],{"className":53,"code":728,"language":55,"meta":56,"style":56},[25,2012,2013,2017],{"__ignoreMap":56},[60,2014,2015],{"class":62,"line":63},[60,2016,66],{},[60,2018,2019],{"class":62,"line":69},[60,2020,739],{},[43,2022,743],{"id":742},[51,2024,2025],{"className":53,"code":746,"language":55,"meta":56,"style":56},[25,2026,2027,2031,2035],{"__ignoreMap":56},[60,2028,2029],{"class":62,"line":63},[60,2030,66],{},[60,2032,2033],{"class":62,"line":69},[60,2034,757],{},[60,2036,2037],{"class":62,"line":75},[60,2038,762],{},[43,2040,766],{"id":765},[51,2042,2043],{"className":53,"code":769,"language":55,"meta":56,"style":56},[25,2044,2045,2049],{"__ignoreMap":56},[60,2046,2047],{"class":62,"line":63},[60,2048,66],{},[60,2050,2051],{"class":62,"line":69},[60,2052,780],{},[43,2054,784],{"id":783},[51,2056,2057],{"className":53,"code":787,"language":55,"meta":56,"style":56},[25,2058,2059,2063,2067,2071],{"__ignoreMap":56},[60,2060,2061],{"class":62,"line":63},[60,2062,451],{},[60,2064,2065],{"class":62,"line":69},[60,2066,798],{},[60,2068,2069],{"class":62,"line":75},[60,2070,803],{},[60,2072,2073],{"class":62,"line":81},[60,2074,808],{},[43,2076,812],{"id":811},[51,2078,2079],{"className":53,"code":815,"language":55,"meta":56,"style":56},[25,2080,2081,2085],{"__ignoreMap":56},[60,2082,2083],{"class":62,"line":63},[60,2084,66],{},[60,2086,2087],{"class":62,"line":69},[60,2088,826],{},[43,2090,830],{"id":829},[51,2092,2093],{"className":53,"code":833,"language":55,"meta":56,"style":56},[25,2094,2095,2099],{"__ignoreMap":56},[60,2096,2097],{"class":62,"line":63},[60,2098,66],{},[60,2100,2101],{"class":62,"line":69},[60,2102,844],{},[43,2104,848],{"id":847},[51,2106,2107],{"className":53,"code":851,"language":55,"meta":56,"style":56},[25,2108,2109,2113,2117],{"__ignoreMap":56},[60,2110,2111],{"class":62,"line":63},[60,2112,66],{},[60,2114,2115],{"class":62,"line":69},[60,2116,862],{},[60,2118,2119],{"class":62,"line":75},[60,2120,867],{},[43,2122,871],{"id":870},[51,2124,2125],{"className":53,"code":874,"language":55,"meta":56,"style":56},[25,2126,2127,2131],{"__ignoreMap":56},[60,2128,2129],{"class":62,"line":63},[60,2130,66],{},[60,2132,2133],{"class":62,"line":69},[60,2134,885],{},[43,2136,889],{"id":888},[51,2138,2139],{"className":53,"code":892,"language":55,"meta":56,"style":56},[25,2140,2141,2145],{"__ignoreMap":56},[60,2142,2143],{"class":62,"line":63},[60,2144,899],{},[60,2146,2147],{"class":62,"line":69},[60,2148,904],{},[43,2150,908],{"id":907},[51,2152,2153],{"className":53,"code":911,"language":55,"meta":56,"style":56},[25,2154,2155,2159,2163],{"__ignoreMap":56},[60,2156,2157],{"class":62,"line":63},[60,2158,66],{},[60,2160,2161],{"class":62,"line":69},[60,2162,922],{},[60,2164,2165],{"class":62,"line":75},[60,2166,927],{},[352,2168],{},[11,2170,294],{"id":293},[16,2172,934,2173,938],{},[20,2174,937],{},[302,2176,304],{},{"title":56,"searchDepth":69,"depth":69,"links":2178},[2179,2180,2181],{"id":356,"depth":75,"text":357},{"id":610,"depth":75,"text":611},{"id":293,"depth":75,"text":294},{"date":322,"image":948,"alt":949,"tags":2183,"published":330},[326,327,951,952],{"title":337,"description":946},1776339753431]