[{"data":1,"prerenderedAt":3768},["ShallowReactive",2],{"blog-post-/blogs/advanced-threat-hunting-xql":3,"all-blogs-for-navigation":334},{"id":4,"title":5,"body":6,"description":318,"extension":319,"meta":320,"navigation":329,"ogImage":322,"path":330,"seo":331,"stem":332,"__hash__":333},"content/blogs/11. advanced-threat-hunting-xql.md","Advanced Threat Hunting with Cortex XQL",{"type":7,"value":8,"toc":304},"minimark",[9,14,28,35,41,46,49,84,91,94,98,128,135,138,142,145,174,178,181,185,214,222,228,252,256,290,294,297,300],[10,11,13],"h3",{"id":12},"taking-xql-further","Taking XQL Further",[15,16,17,18,22,23,27],"p",{},"In our previous guide, we covered the basics of ",[19,20,21],"strong",{},"Cortex XQL",". Now, it's time to dive into the advanced features that turn a simple search into a powerful threat-hunting tool. We'll focus on data transformation, advanced filtering, and the elusive ",[24,25,26],"code",{},"join"," operation.",[10,29,31,32],{"id":30},"_1-complex-data-transformation-with-alter","1. Complex Data Transformation with ",[24,33,34],{},"alter",[15,36,37,38,40],{},"Sometimes the data in your logs isn't in the format you need. 
The ",[24,39,34],{}," stage allows you to create new fields on the fly.",[42,43,45],"h4",{"id":44},"extracting-substrings","Extracting Substrings",[15,47,48],{},"If you have a file path and you only want the file name:",[50,51,56],"pre",{"className":52,"code":53,"language":54,"meta":55,"style":55},"language-xql shiki shiki-themes dracula","dataset = xdr_data\n| filter action_file_path != null\n| alter file_name = arraylast(split(action_file_path, \"\\\"))\n| fields file_name, action_file_path\n","xql","",[24,57,58,66,72,78],{"__ignoreMap":55},[59,60,63],"span",{"class":61,"line":62},"line",1,[59,64,65],{},"dataset = xdr_data\n",[59,67,69],{"class":61,"line":68},2,[59,70,71],{},"| filter action_file_path != null\n",[59,73,75],{"class":61,"line":74},3,[59,76,77],{},"| alter file_name = arraylast(split(action_file_path, \"\\\"))\n",[59,79,81],{"class":61,"line":80},4,[59,82,83],{},"| fields file_name, action_file_path\n",[10,85,87,88],{"id":86},"_2-advanced-aggregations-with-comp","2. Advanced Aggregations with ",[24,89,90],{},"comp",[15,92,93],{},"Aggregations are vital for identifying anomalies (e.g., a single user logging into 50 different machines).",[42,95,97],{"id":96},"detecting-horizontal-movement","Detecting Horizontal Movement",[50,99,101],{"className":52,"code":100,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"LOGIN\"\n| comp count_distinct(endpoint_name) as distinct_login_count by actor_effective_username\n| filter distinct_login_count > 10\n| sort desc distinct_login_count\n",[24,102,103,107,112,117,122],{"__ignoreMap":55},[59,104,105],{"class":61,"line":62},[59,106,65],{},[59,108,109],{"class":61,"line":68},[59,110,111],{},"| filter event_type = \"LOGIN\"\n",[59,113,114],{"class":61,"line":74},[59,115,116],{},"| comp count_distinct(endpoint_name) as distinct_login_count by actor_effective_username\n",[59,118,119],{"class":61,"line":80},[59,120,121],{},"| filter distinct_login_count > 
10\n",[59,123,125],{"class":61,"line":124},5,[59,126,127],{},"| sort desc distinct_login_count\n",[10,129,131,132,134],{"id":130},"_3-mastering-the-join-operation","3. Mastering the ",[24,133,26],{}," Operation",[15,136,137],{},"Joins allow you to correlate data across different datasets. This is where XQL truly shines.",[42,139,141],{"id":140},"correlating-process-activity-with-network-traffic","Correlating Process Activity with Network Traffic",[15,143,144],{},"Suppose you find a suspicious process and want to see if it communicated externally:",[50,146,148],{"className":52,"code":147,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\"\n| join (dataset = pan_traffic_raw) as traffic on traffic.source_ip = xdr_data.endpoint_ip\n| filter traffic.destination_port == 443\n| fields xdr_data.endpoint_name, xdr_data.actor_process_command_line, traffic.destination_ip\n",[24,149,150,154,159,164,169],{"__ignoreMap":55},[59,151,152],{"class":61,"line":62},[59,153,65],{},[59,155,156],{"class":61,"line":68},[59,157,158],{},"| filter actor_process_image_name == \"powershell.exe\"\n",[59,160,161],{"class":61,"line":74},[59,162,163],{},"| join (dataset = pan_traffic_raw) as traffic on traffic.source_ip = xdr_data.endpoint_ip\n",[59,165,166],{"class":61,"line":80},[59,167,168],{},"| filter traffic.destination_port == 443\n",[59,170,171],{"class":61,"line":124},[59,172,173],{},"| fields xdr_data.endpoint_name, xdr_data.actor_process_command_line, traffic.destination_ip\n",[10,175,177],{"id":176},"_4-advanced-window-functions","4. 
Advanced Window Functions",[15,179,180],{},"Window functions allow you to perform calculations across a set of rows related to the current row.",[42,182,184],{"id":183},"calculating-time-deltas-between-events","Calculating Time Deltas between Events",[50,186,188],{"className":52,"code":187,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_effective_username = \"admin\"\n| sort asc _time\n| alter time_diff = _time - prev(_time)\n| filter time_diff \u003C 5000 // events occurring within 5 seconds of each other\n",[24,189,190,194,199,204,209],{"__ignoreMap":55},[59,191,192],{"class":61,"line":62},[59,193,65],{},[59,195,196],{"class":61,"line":68},[59,197,198],{},"| filter actor_effective_username = \"admin\"\n",[59,200,201],{"class":61,"line":74},[59,202,203],{},"| sort asc _time\n",[59,205,206],{"class":61,"line":80},[59,207,208],{},"| alter time_diff = _time - prev(_time)\n",[59,210,211],{"class":61,"line":124},[59,212,213],{},"| filter time_diff \u003C 5000 // events occurring within 5 seconds of each other\n",[10,215,217,218,221],{"id":216},"_5-using-bin-for-time-series-analysis","5. 
Using ",[24,219,220],{},"bin"," for Time-Series Analysis",[15,223,224,225,227],{},"If you want to visualize data over time, use ",[24,226,220],{}," to group timestamps.",[50,229,231],{"className":52,"code":230,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"FILE\"\n| alter time_bucket = bin(_time, 1h)\n| comp count(event_id) as file_ops_per_hour by time_bucket\n",[24,232,233,237,242,247],{"__ignoreMap":55},[59,234,235],{"class":61,"line":62},[59,236,65],{},[59,238,239],{"class":61,"line":68},[59,240,241],{},"| filter event_type = \"FILE\"\n",[59,243,244],{"class":61,"line":74},[59,245,246],{},"| alter time_bucket = bin(_time, 1h)\n",[59,248,249],{"class":61,"line":80},[59,250,251],{},"| comp count(event_id) as file_ops_per_hour by time_bucket\n",[10,253,255],{"id":254},"best-practices-for-performance","Best Practices for Performance",[257,258,259,274,284],"ol",{},[260,261,262,265,266,269,270,273],"li",{},[19,263,264],{},"Filter Early",": Use ",[24,267,268],{},"filter"," as close to the ",[24,271,272],{},"dataset"," line as possible to reduce the amount of data processed.",[260,275,276,279,280,283],{},[19,277,278],{},"Be Specific",": Avoid ",[24,281,282],{},"dataset = *"," if you know exactly which log source you need.",[260,285,286,289],{},[19,287,288],{},"Limit Fields",": Only use the fields you actually need to see in the final output.",[10,291,293],{"id":292},"conclusion","Conclusion",[15,295,296],{},"Advanced XQL is about more than just finding data—it's about manipulating and correlating it to tell a complete story of what happened in your environment. 
These advanced techniques are what separate a standard security analyst from an elite threat hunter.",[15,298,299],{},"Happy Hunting!",[301,302,303],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":55,"searchDepth":68,"depth":68,"links":305},[306,307,309,311,313,314,316,317],{"id":12,"depth":74,"text":13},{"id":30,"depth":74,"text":308},"1. Complex Data Transformation with alter",{"id":86,"depth":74,"text":310},"2. Advanced Aggregations with comp",{"id":130,"depth":74,"text":312},"3. Mastering the join Operation",{"id":176,"depth":74,"text":177},{"id":216,"depth":74,"text":315},"5. Using bin for Time-Series Analysis",{"id":254,"depth":74,"text":255},{"id":292,"depth":74,"text":293},"Take your XQL skills to the next level with advanced joins, data transformation, and complex aggregations.","md",{"date":321,"image":322,"alt":323,"tags":324,"published":329},"16th Apr 2026","/blogs-img/blog3.jpg","Advanced Cortex XQL",[325,326,327,328],"Cortex","XQL","AdvancedQuerying","ThreatHunting",true,"/blogs/advanced-threat-hunting-xql",{"title":5,"description":318},"blogs/11. advanced-threat-hunting-xql","dxp1wYP9uTJrMWv4eup4EoEk-43w9S5cRKJi91ERBmY",[335,414,624,1246,1709,1906,1967,2368,2495,2634,3061,3538],{"id":336,"title":337,"body":338,"description":403,"extension":319,"meta":404,"navigation":329,"ogImage":406,"path":410,"seo":411,"stem":412,"__hash__":413},"content/blogs/1. 
connect-namecheap-to-vercel.md","How To Connect Your Namecheap Domain With Vercel Deployed App",{"type":7,"value":339,"toc":395},[340,344,347,351,354,358,361,364,368,371,374,377,380,384,387,390,392],[10,341,343],{"id":342},"introduction","Introduction",[15,345,346],{},"If you've purchased a domain from Namecheap and you want to connect it to your Vercel app, there are a few steps you need to follow. In this blog, we'll guide you through the process of connecting your Namecheap domain with your Vercel app.",[10,348,350],{"id":349},"step-1-add-a-custom-domain-to-your-vercel-app","Step 1: Add a custom domain to your Vercel app",[15,352,353],{},"The first step is to add your custom domain to your Vercel app. To do this, log in to your Vercel account and go to your app dashboard. Click on \"Settings\" and then \"Domains\". Click on \"Add Domain\" and enter your custom domain name. Then click on \"Add\".",[10,355,357],{"id":356},"step-2-get-the-dns-records-from-vercel","Step 2: Get the DNS records from Vercel",[15,359,360],{},"Once you've added your custom domain to your Vercel app, you'll need to get the DNS records from Vercel. To do this, go back to the \"Domains\" section and click on the custom domain you just added. Then click on \"DNS Records\".",[15,362,363],{},"You'll see a list of DNS records that you need to add to your Namecheap account. These include the A record, the CNAME record, and the TXT record.",[10,365,367],{"id":366},"step-3-add-dns-records-to-namecheap","Step 3: Add DNS records to Namecheap",[15,369,370],{},"Now that you have the DNS records from Vercel, you need to add them to your Namecheap account. To do this, log in to your Namecheap account and go to your domain dashboard. Click on \"Advanced DNS\" and then \"Add New Record\".",[15,372,373],{},"Add the A record first. In the \"Type\" dropdown menu, select \"A (Address)\". In the \"Host\" field, enter \"@\" (without the quotes). 
In the \"Value\" field, enter the IP address from the Vercel DNS records.",[15,375,376],{},"Next, add the CNAME record. In the \"Type\" dropdown menu, select \"CNAME (Alias)\". In the \"Host\" field, enter \"www\" (without the quotes). In the \"Value\" field, enter the value from the Vercel DNS records.",[15,378,379],{},"Finally, add the TXT record. In the \"Type\" dropdown menu, select \"TXT (Text)\". In the \"Host\" field, enter \"@\" (without the quotes). In the \"Value\" field, enter the value from the Vercel DNS records.",[10,381,383],{"id":382},"step-4-verify-dns-records","Step 4: Verify DNS records",[15,385,386],{},"Once you've added the DNS records to your Namecheap account, you need to verify that they're correct. To do this, go back to your Vercel app dashboard and click on the custom domain. Then click on \"Verify DNS Configuration\". Vercel will check if the DNS records have been set up correctly.",[15,388,389],{},"It may take some time for the DNS records to propagate, so be patient. Once the DNS records have propagated, Vercel will verify them and your custom domain will be connected to your Vercel app.",[10,391,293],{"id":292},[15,393,394],{},"Connecting your Namecheap domain to your Vercel app is a relatively simple process. By following the steps outlined in this blog, you'll be able to connect your custom domain in no time. Remember to be patient as it may take some time for the DNS records to propagate. 
If you run into any issues, don't hesitate to reach out to Vercel support for assistance.",{"title":55,"searchDepth":68,"depth":68,"links":396},[397,398,399,400,401,402],{"id":342,"depth":74,"text":343},{"id":349,"depth":74,"text":350},{"id":356,"depth":74,"text":357},{"id":366,"depth":74,"text":367},{"id":382,"depth":74,"text":383},{"id":292,"depth":74,"text":293},"Here you will learn how to connect your namecheap domain to vercel deployed app.",{"date":405,"image":406,"alt":337,"tags":407,"published":329},"1st Mar 2023","/blogs-img/blog1.jpg",[408,409],"namecheap","vercel","/blogs/connect-namecheap-to-vercel",{"title":337,"description":403},"blogs/1. connect-namecheap-to-vercel","6bP1Z3akUdkPDUNMFvzPGAroM_E6rx4Ix4BL2YTQTa4",{"id":4,"title":5,"body":415,"description":318,"extension":319,"meta":621,"navigation":329,"ogImage":322,"path":330,"seo":623,"stem":332,"__hash__":333},{"type":7,"value":416,"toc":611},[417,419,425,429,433,435,437,457,461,463,465,489,493,495,497,499,523,525,527,529,553,557,561,581,583,603,605,607,609],[10,418,13],{"id":12},[15,420,17,421,22,423,27],{},[19,422,21],{},[24,424,26],{},[10,426,31,427],{"id":30},[24,428,34],{},[15,430,37,431,40],{},[24,432,34],{},[42,434,45],{"id":44},[15,436,48],{},[50,438,439],{"className":52,"code":53,"language":54,"meta":55,"style":55},[24,440,441,445,449,453],{"__ignoreMap":55},[59,442,443],{"class":61,"line":62},[59,444,65],{},[59,446,447],{"class":61,"line":68},[59,448,71],{},[59,450,451],{"class":61,"line":74},[59,452,77],{},[59,454,455],{"class":61,"line":80},[59,456,83],{},[10,458,87,459],{"id":86},[24,460,90],{},[15,462,93],{},[42,464,97],{"id":96},[50,466,467],{"className":52,"code":100,"language":54,"meta":55,"style":55},[24,468,469,473,477,481,485],{"__ignoreMap":55},[59,470,471],{"class":61,"line":62},[59,472,65],{},[59,474,475],{"class":61,"line":68},[59,476,111],{},[59,478,479],{"class":61,"line":74},[59,480,116],{},[59,482,483],{"class":61,"line":80},[59,484,121],{},[59,486,487],{"class":61,"line":1
24},[59,488,127],{},[10,490,131,491,134],{"id":130},[24,492,26],{},[15,494,137],{},[42,496,141],{"id":140},[15,498,144],{},[50,500,501],{"className":52,"code":147,"language":54,"meta":55,"style":55},[24,502,503,507,511,515,519],{"__ignoreMap":55},[59,504,505],{"class":61,"line":62},[59,506,65],{},[59,508,509],{"class":61,"line":68},[59,510,158],{},[59,512,513],{"class":61,"line":74},[59,514,163],{},[59,516,517],{"class":61,"line":80},[59,518,168],{},[59,520,521],{"class":61,"line":124},[59,522,173],{},[10,524,177],{"id":176},[15,526,180],{},[42,528,184],{"id":183},[50,530,531],{"className":52,"code":187,"language":54,"meta":55,"style":55},[24,532,533,537,541,545,549],{"__ignoreMap":55},[59,534,535],{"class":61,"line":62},[59,536,65],{},[59,538,539],{"class":61,"line":68},[59,540,198],{},[59,542,543],{"class":61,"line":74},[59,544,203],{},[59,546,547],{"class":61,"line":80},[59,548,208],{},[59,550,551],{"class":61,"line":124},[59,552,213],{},[10,554,217,555,221],{"id":216},[24,556,220],{},[15,558,224,559,227],{},[24,560,220],{},[50,562,563],{"className":52,"code":230,"language":54,"meta":55,"style":55},[24,564,565,569,573,577],{"__ignoreMap":55},[59,566,567],{"class":61,"line":62},[59,568,65],{},[59,570,571],{"class":61,"line":68},[59,572,241],{},[59,574,575],{"class":61,"line":74},[59,576,246],{},[59,578,579],{"class":61,"line":80},[59,580,251],{},[10,582,255],{"id":254},[257,584,585,593,599],{},[260,586,587,265,589,269,591,273],{},[19,588,264],{},[24,590,268],{},[24,592,272],{},[260,594,595,279,597,283],{},[19,596,278],{},[24,598,282],{},[260,600,601,289],{},[19,602,288],{},[10,604,293],{"id":292},[15,606,296],{},[15,608,299],{},[301,610,303],{},{"title":55,"searchDepth":68,"depth":68,"links":612},[613,614,615,616,617,618,619,620],{"id":12,"depth":74,"text":13},{"id":30,"depth":74,"text":308},{"id":86,"depth":74,"text":310},{"id":130,"depth":74,"text":312},{"id":176,"depth":74,"text":177},{"id":216,"depth":74,"text":315},{"id":254,"depth":74,"text":255},{"id":292,"
depth":74,"text":293},{"date":321,"image":322,"alt":323,"tags":622,"published":329},[325,326,327,328],{"title":5,"description":318},{"id":625,"title":626,"body":627,"description":1235,"extension":319,"meta":1236,"navigation":329,"ogImage":1237,"path":1242,"seo":1243,"stem":1244,"__hash__":1245},"content/blogs/12. ultimate-xql-cheat-sheet.md","The Ultimate XQL Cheat Sheet - 25+ Essential Queries for Cortex XDR",{"type":7,"value":628,"toc":1230},[629,640,643,647,656,660,689,693,708,712,727,731,760,764,782,786,808,812,831,835,854,858,872,876,895,897,901,906,910,924,928,947,951,970,974,988,992,1011,1015,1029,1033,1052,1056,1070,1074,1098,1102,1116,1120,1134,1138,1157,1161,1175,1179,1194,1198,1217,1219,1221,1228],[15,630,631,632,635,636,639],{},"Having a solid library of XQL queries is essential for any Palo Alto Cortex analyst. This cheat sheet provides 25+ queries divided into ",[19,633,634],{},"Dashboard Widget"," queries (optimized for visualization) and ",[19,637,638],{},"Investigation"," queries (optimized for threat hunting).",[641,642],"hr",{},[10,644,646],{"id":645},"part-1-widget-visualization-queries","Part 1: Widget & Visualization Queries",[15,648,649],{},[650,651,652,653,655],"em",{},"These queries use ",[24,654,90],{}," to aggregate data, making them perfect for Pie charts, Bar charts, and dashboards.",[42,657,659],{"id":658},"_1-top-10-users-with-failed-logins-bar-chart","1. 
Top 10 Users with Failed Logins (Bar Chart)",[50,661,663],{"className":52,"code":662,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"LOGIN\" and outcome = \"FAILURE\"\n| comp count(event_id) as failure_count by actor_effective_username\n| sort desc failure_count\n| limit 10\n",[24,664,665,669,674,679,684],{"__ignoreMap":55},[59,666,667],{"class":61,"line":62},[59,668,65],{},[59,670,671],{"class":61,"line":68},[59,672,673],{},"| filter event_type = \"LOGIN\" and outcome = \"FAILURE\"\n",[59,675,676],{"class":61,"line":74},[59,677,678],{},"| comp count(event_id) as failure_count by actor_effective_username\n",[59,680,681],{"class":61,"line":80},[59,682,683],{},"| sort desc failure_count\n",[59,685,686],{"class":61,"line":124},[59,687,688],{},"| limit 10\n",[42,690,692],{"id":691},"_2-incident-severity-distribution-pie-chart","2. Incident Severity Distribution (Pie Chart)",[50,694,696],{"className":52,"code":695,"language":54,"meta":55,"style":55},"dataset = incidents\n| comp count(incident_id) as total by severity\n",[24,697,698,703],{"__ignoreMap":55},[59,699,700],{"class":61,"line":62},[59,701,702],{},"dataset = incidents\n",[59,704,705],{"class":61,"line":68},[59,706,707],{},"| comp count(incident_id) as total by severity\n",[42,709,711],{"id":710},"_3-endpoint-os-distribution-donut-chart","3. Endpoint OS Distribution (Donut Chart)",[50,713,715],{"className":52,"code":714,"language":54,"meta":55,"style":55},"dataset = endpoints\n| comp count(endpoint_id) as total by os_type\n",[24,716,717,722],{"__ignoreMap":55},[59,718,719],{"class":61,"line":62},[59,720,721],{},"dataset = endpoints\n",[59,723,724],{"class":61,"line":68},[59,725,726],{},"| comp count(endpoint_id) as total by os_type\n",[42,728,730],{"id":729},"_4-top-10-malicious-domains-blocked-table-widget","4. 
Top 10 Malicious Domains Blocked (Table Widget)",[50,732,734],{"className":52,"code":733,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| filter action = \"deny\" and category = \"malware\"\n| comp count(event_id) as blocks by destination_hostname\n| sort desc blocks\n| limit 10\n",[24,735,736,741,746,751,756],{"__ignoreMap":55},[59,737,738],{"class":61,"line":62},[59,739,740],{},"dataset = pan_traffic_raw\n",[59,742,743],{"class":61,"line":68},[59,744,745],{},"| filter action = \"deny\" and category = \"malware\"\n",[59,747,748],{"class":61,"line":74},[59,749,750],{},"| comp count(event_id) as blocks by destination_hostname\n",[59,752,753],{"class":61,"line":80},[59,754,755],{},"| sort desc blocks\n",[59,757,758],{"class":61,"line":124},[59,759,688],{},[42,761,763],{"id":762},"_5-network-traffic-volume-by-app-area-chart","5. Network Traffic Volume by App (Area Chart)",[50,765,767],{"className":52,"code":766,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| alter time_bucket = bin(_time, 1h)\n| comp sum(bytes_sent + bytes_received) as total_bytes by time_bucket, app\n",[24,768,769,773,777],{"__ignoreMap":55},[59,770,771],{"class":61,"line":62},[59,772,740],{},[59,774,775],{"class":61,"line":68},[59,776,246],{},[59,778,779],{"class":61,"line":74},[59,780,781],{},"| comp sum(bytes_sent + bytes_received) as total_bytes by time_bucket, app\n",[42,783,785],{"id":784},"_6-suspicious-powershell-executions-over-time-line-chart","6. 
Suspicious PowerShell Executions over Time (Line Chart)",[50,787,789],{"className":52,"code":788,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\"\n| alter time_bucket = bin(_time, 1h)\n| comp count(event_id) as executions by time_bucket\n",[24,790,791,795,799,803],{"__ignoreMap":55},[59,792,793],{"class":61,"line":62},[59,794,65],{},[59,796,797],{"class":61,"line":68},[59,798,158],{},[59,800,801],{"class":61,"line":74},[59,802,246],{},[59,804,805],{"class":61,"line":80},[59,806,807],{},"| comp count(event_id) as executions by time_bucket\n",[42,809,811],{"id":810},"_7-top-attack-sources-by-country-map-widget","7. Top Attack Sources by Country (Map Widget)",[50,813,815],{"className":52,"code":814,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| filter action = \"deny\"\n| comp count(event_id) as attacks by source_country\n",[24,816,817,821,826],{"__ignoreMap":55},[59,818,819],{"class":61,"line":62},[59,820,740],{},[59,822,823],{"class":61,"line":68},[59,824,825],{},"| filter action = \"deny\"\n",[59,827,828],{"class":61,"line":74},[59,829,830],{},"| comp count(event_id) as attacks by source_country\n",[42,832,834],{"id":833},"_8-data-exfiltration-alert-threshold-widget","8. Data Exfiltration Alert (Threshold Widget)",[50,836,838],{"className":52,"code":837,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| comp sum(bytes_sent) as uploads by source_ip\n| filter uploads > 1000000000 // 1GB Threshold\n",[24,839,840,844,849],{"__ignoreMap":55},[59,841,842],{"class":61,"line":62},[59,843,740],{},[59,845,846],{"class":61,"line":68},[59,847,848],{},"| comp sum(bytes_sent) as uploads by source_ip\n",[59,850,851],{"class":61,"line":74},[59,852,853],{},"| filter uploads > 1000000000 // 1GB Threshold\n",[42,855,857],{"id":856},"_9-agent-health-status-summary-widget","9. 
Agent Health Status (Summary Widget)",[50,859,861],{"className":52,"code":860,"language":54,"meta":55,"style":55},"dataset = endpoints\n| comp count(endpoint_id) as count by endpoint_status\n",[24,862,863,867],{"__ignoreMap":55},[59,864,865],{"class":61,"line":62},[59,866,721],{},[59,868,869],{"class":61,"line":68},[59,870,871],{},"| comp count(endpoint_id) as count by endpoint_status\n",[42,873,875],{"id":874},"_10-most-common-malware-signatures-bar-chart","10. Most Common Malware Signatures (Bar Chart)",[50,877,879],{"className":52,"code":878,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"MALWARE_DETECTED\"\n| comp count(event_id) as detections by threat_name\n",[24,880,881,885,890],{"__ignoreMap":55},[59,882,883],{"class":61,"line":62},[59,884,65],{},[59,886,887],{"class":61,"line":68},[59,888,889],{},"| filter event_type = \"MALWARE_DETECTED\"\n",[59,891,892],{"class":61,"line":74},[59,893,894],{},"| comp count(event_id) as detections by threat_name\n",[641,896],{},[10,898,900],{"id":899},"part-2-normal-search-investigation-queries","Part 2: Normal Search & Investigation Queries",[15,902,903],{},[650,904,905],{},"These queries return detailed rows, useful for deep-dive forensic investigations.",[42,907,909],{"id":908},"_11-find-all-executions-from-usb-drives","11. Find All Executions from USB Drives",[50,911,913],{"className":52,"code":912,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_path contains \":\\RECYCLER\\\" or actor_process_image_path contains \"Removable\"\n",[24,914,915,919],{"__ignoreMap":55},[59,916,917],{"class":61,"line":62},[59,918,65],{},[59,920,921],{"class":61,"line":68},[59,922,923],{},"| filter actor_process_image_path contains \":\\RECYCLER\\\" or actor_process_image_path contains \"Removable\"\n",[42,925,927],{"id":926},"_12-locate-specific-file-hash-across-network","12. 
Locate Specific File Hash across Network",[50,929,931],{"className":52,"code":930,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter action_file_sha256 = \"your_hash_here\"\n| fields _time, endpoint_name, actor_process_image_name, action_file_path\n",[24,932,933,937,942],{"__ignoreMap":55},[59,934,935],{"class":61,"line":62},[59,936,65],{},[59,938,939],{"class":61,"line":68},[59,940,941],{},"| filter action_file_sha256 = \"your_hash_here\"\n",[59,943,944],{"class":61,"line":74},[59,945,946],{},"| fields _time, endpoint_name, actor_process_image_name, action_file_path\n",[42,948,950],{"id":949},"_13-trace-rdp-connections-to-internal-ips","13. Trace RDP Connections to Internal IPs",[50,952,954],{"className":52,"code":953,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| filter destination_port = 3389 and destination_ip_internal = true\n| fields _time, source_ip, destination_ip, user\n",[24,955,956,960,965],{"__ignoreMap":55},[59,957,958],{"class":61,"line":62},[59,959,740],{},[59,961,962],{"class":61,"line":68},[59,963,964],{},"| filter destination_port = 3389 and destination_ip_internal = true\n",[59,966,967],{"class":61,"line":74},[59,968,969],{},"| fields _time, source_ip, destination_ip, user\n",[42,971,973],{"id":972},"_14-identify-living-off-the-land-binaries-lolbins","14. Identify \"Living off the Land\" Binaries (Lolbins)",[50,975,977],{"className":52,"code":976,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name in (\"certutil.exe\", \"bitsadmin.exe\", \"mshta.exe\")\n",[24,978,979,983],{"__ignoreMap":55},[59,980,981],{"class":61,"line":62},[59,982,65],{},[59,984,985],{"class":61,"line":68},[59,986,987],{},"| filter actor_process_image_name in (\"certutil.exe\", \"bitsadmin.exe\", \"mshta.exe\")\n",[42,989,991],{"id":990},"_15-detect-base64-commands-in-powershell","15. 
Detect Base64 Commands in PowerShell",[50,993,995],{"className":52,"code":994,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name == \"powershell.exe\" \n| filter actor_process_command_line contains \"-enc\" or actor_process_command_line contains \"Base64\"\n",[24,996,997,1001,1006],{"__ignoreMap":55},[59,998,999],{"class":61,"line":62},[59,1000,65],{},[59,1002,1003],{"class":61,"line":68},[59,1004,1005],{},"| filter actor_process_image_name == \"powershell.exe\" \n",[59,1007,1008],{"class":61,"line":74},[59,1009,1010],{},"| filter actor_process_command_line contains \"-enc\" or actor_process_command_line contains \"Base64\"\n",[42,1012,1014],{"id":1013},"_16-search-for-newly-created-local-accounts","16. Search for Newly Created Local Accounts",[50,1016,1018],{"className":52,"code":1017,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"USER_MANAGEMENT\" and action_type = \"CREATE\"\n",[24,1019,1020,1024],{"__ignoreMap":55},[59,1021,1022],{"class":61,"line":62},[59,1023,65],{},[59,1025,1026],{"class":61,"line":68},[59,1027,1028],{},"| filter event_type = \"USER_MANAGEMENT\" and action_type = \"CREATE\"\n",[42,1030,1032],{"id":1031},"_17-monitor-modification-of-sensitive-registry-keys","17. Monitor Modification of Sensitive Registry Keys",[50,1034,1036],{"className":52,"code":1035,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"REGISTRY\" \n| filter action_registry_key_name contains \"CurrentVersion\\Run\"\n",[24,1037,1038,1042,1047],{"__ignoreMap":55},[59,1039,1040],{"class":61,"line":62},[59,1041,65],{},[59,1043,1044],{"class":61,"line":68},[59,1045,1046],{},"| filter event_type = \"REGISTRY\" \n",[59,1048,1049],{"class":61,"line":74},[59,1050,1051],{},"| filter action_registry_key_name contains \"CurrentVersion\\Run\"\n",[42,1053,1055],{"id":1054},"_18-find-suspicious-parent-child-process-relationships-eg-word-cmd","18. 
Find Suspicious Parent-Child Process Relationships (e.g. Word -> CMD)",[50,1057,1059],{"className":52,"code":1058,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name == \"winword.exe\" and action_process_image_name == \"cmd.exe\"\n",[24,1060,1061,1065],{"__ignoreMap":55},[59,1062,1063],{"class":61,"line":62},[59,1064,65],{},[59,1066,1067],{"class":61,"line":68},[59,1068,1069],{},"| filter actor_process_image_name == \"winword.exe\" and action_process_image_name == \"cmd.exe\"\n",[42,1071,1073],{"id":1072},"_19-identify-excessive-dns-queries-potential-tunneling","19. Identify Excessive DNS Queries (Potential Tunneling)",[50,1075,1077],{"className":52,"code":1076,"language":54,"meta":55,"style":55},"dataset = pan_traffic_raw\n| filter destination_port = 53\n| comp count(event_id) as dns_queries by source_ip, destination_hostname\n| filter dns_queries > 500\n",[24,1078,1079,1083,1088,1093],{"__ignoreMap":55},[59,1080,1081],{"class":61,"line":62},[59,1082,740],{},[59,1084,1085],{"class":61,"line":68},[59,1086,1087],{},"| filter destination_port = 53\n",[59,1089,1090],{"class":61,"line":74},[59,1091,1092],{},"| comp count(event_id) as dns_queries by source_ip, destination_hostname\n",[59,1094,1095],{"class":61,"line":80},[59,1096,1097],{},"| filter dns_queries > 500\n",[42,1099,1101],{"id":1100},"_20-list-processes-listening-on-non-standard-ports","20. List Processes listening on non-standard ports",[50,1103,1105],{"className":52,"code":1104,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"NETWORK\" and action_local_port not in (80, 443, 8080)\n",[24,1106,1107,1111],{"__ignoreMap":55},[59,1108,1109],{"class":61,"line":62},[59,1110,65],{},[59,1112,1113],{"class":61,"line":68},[59,1114,1115],{},"| filter event_type = \"NETWORK\" and action_local_port not in (80, 443, 8080)\n",[42,1117,1119],{"id":1118},"_21-detect-lsass-memory-dumping","21. 
Detect LSASS Memory Dumping",[50,1121,1123],{"className":52,"code":1122,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter action_process_image_name == \"lsass.exe\" and action_type = \"OPEN_PROCESS\"\n",[24,1124,1125,1129],{"__ignoreMap":55},[59,1126,1127],{"class":61,"line":62},[59,1128,65],{},[59,1130,1131],{"class":61,"line":68},[59,1132,1133],{},"| filter action_process_image_name == \"lsass.exe\" and action_type = \"OPEN_PROCESS\"\n",[42,1135,1137],{"id":1136},"_22-find-files-downloaded-via-browser-then-executed","22. Find Files Downloaded via Browser then Executed",[50,1139,1141],{"className":52,"code":1140,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name in (\"chrome.exe\", \"firefox.exe\", \"msedge.exe\")\n| filter action_type = \"FILE_WRITE\"\n",[24,1142,1143,1147,1152],{"__ignoreMap":55},[59,1144,1145],{"class":61,"line":62},[59,1146,65],{},[59,1148,1149],{"class":61,"line":68},[59,1150,1151],{},"| filter actor_process_image_name in (\"chrome.exe\", \"firefox.exe\", \"msedge.exe\")\n",[59,1153,1154],{"class":61,"line":74},[59,1155,1156],{},"| filter action_type = \"FILE_WRITE\"\n",[42,1158,1160],{"id":1159},"_23-investigate-ssh-logins-from-external-ips","23. Investigate SSH Logins from External IPs",[50,1162,1164],{"className":52,"code":1163,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter event_type = \"LOGIN\" and auth_method = \"ssh\" and source_ip_internal = false\n",[24,1165,1166,1170],{"__ignoreMap":55},[59,1167,1168],{"class":61,"line":62},[59,1169,65],{},[59,1171,1172],{"class":61,"line":68},[59,1173,1174],{},"| filter event_type = \"LOGIN\" and auth_method = \"ssh\" and source_ip_internal = false\n",[42,1176,1178],{"id":1177},"_24-audit-admin-activity-in-the-cloud-console","24. 
Audit Admin Activity in the Cloud Console",[50,1180,1182],{"className":52,"code":1181,"language":54,"meta":55,"style":55},"dataset = cloud_audit_logs\n| filter user_role = \"Admin\" and action_type != \"GET\"\n",[24,1183,1184,1189],{"__ignoreMap":55},[59,1185,1186],{"class":61,"line":62},[59,1187,1188],{},"dataset = cloud_audit_logs\n",[59,1190,1191],{"class":61,"line":68},[59,1192,1193],{},"| filter user_role = \"Admin\" and action_type != \"GET\"\n",[42,1195,1197],{"id":1196},"_25-spot-hidden-filesdirectories-being-accesses","25. Spot Hidden Files/Directories Being Accessed",[50,1199,1201],{"className":52,"code":1200,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter action_file_path contains \"\\.\" // Unix style hidden\n| filter action_file_path contains \"$RECYCLE.BIN\" // Windows style\n",[24,1202,1203,1207,1212],{"__ignoreMap":55},[59,1204,1205],{"class":61,"line":62},[59,1206,65],{},[59,1208,1209],{"class":61,"line":68},[59,1210,1211],{},"| filter action_file_path contains \"\\.\" // Unix style hidden\n",[59,1213,1214],{"class":61,"line":74},[59,1215,1216],{},"| filter action_file_path contains \"$RECYCLE.BIN\" // Windows style\n",[641,1218],{},[10,1220,293],{"id":292},[15,1222,1223,1224,1227],{},"Whether you are building a NOC dashboard or hunting for an advanced persistent threat (APT), these queries provide a solid foundation. 
Remember to always ",[19,1225,1226],{},"test your queries on a small time range"," before scaling up to ensure performance!",[301,1229,303],{},{"title":55,"searchDepth":68,"depth":68,"links":1231},[1232,1233,1234],{"id":645,"depth":74,"text":646},{"id":899,"depth":74,"text":900},{"id":292,"depth":74,"text":293},"A comprehensive collection of XQL queries for threat hunting, investigation, and dashboard widgets.",{"date":321,"image":1237,"alt":1238,"tags":1239,"published":329},"/blogs-img/blog4.jpg","XQL Cheat Sheet",[325,326,1240,1241],"CheatSheet","SecurityOps","/blogs/ultimate-xql-cheat-sheet",{"title":626,"description":1235},"blogs/12. ultimate-xql-cheat-sheet","UqbAG2xiEGF4fCYSaUQopU2NoTN_8zLb1kVhwZ506Yw",{"id":1247,"title":1248,"body":1249,"description":1697,"extension":319,"meta":1698,"navigation":329,"ogImage":1699,"path":1705,"seo":1706,"stem":1707,"__hash__":1708},"content/blogs/13. investigating-cortex-incidents-cases.md","Investigating Cortex Incidents - A Deep Dive into Cases and Alerts",{"type":7,"value":1250,"toc":1688},[1251,1255,1270,1281,1283,1287,1291,1294,1323,1327,1330,1354,1358,1361,1390,1392,1396,1400,1407,1432,1436,1439,1462,1466,1469,1488,1490,1494,1498,1501,1520,1524,1527,1546,1550,1553,1576,1578,1582,1586,1589,1613,1615,1619,1678,1680,1683,1686],[10,1252,1254],{"id":1253},"understanding-the-incident-lifecycle","Understanding the Incident Lifecycle",[15,1256,1257,1258,1261,1262,1265,1266,1269],{},"In Cortex XDR, visibility isn't just about logs; it's about the ",[19,1259,1260],{},"lifecycle of an attack",". This lifecycle is represented through ",[19,1263,1264],{},"Alerts"," (singular events) and ",[19,1267,1268],{},"Incidents"," (correlated groups of alerts).",[15,1271,1272,1273,1276,1277,1280],{},"To master case management, you need to be able to query the ",[24,1274,1275],{},"incidents"," and ",[24,1278,1279],{},"alerts"," datasets with precision. 
This guide covers detailed XQL patterns for managing and auditing your SOC's response.",[641,1282],{},[10,1284,1286],{"id":1285},"_1-incident-analysis-queries","1. Incident Analysis Queries",[42,1288,1290],{"id":1289},"a-finding-high-priority-incidents-with-multiple-alerts","A. Finding High-Priority Incidents with Multiple Alerts",[15,1292,1293],{},"Incidents with many alerts often indicate a broad or successful attack.",[50,1295,1297],{"className":52,"code":1296,"language":54,"meta":55,"style":55},"dataset = incidents\n| filter severity = \"high\" or severity = \"critical\"\n| filter alert_count > 5\n| fields incident_id, description, severity, status, alert_count, creation_time\n| sort desc alert_count\n",[24,1298,1299,1303,1308,1313,1318],{"__ignoreMap":55},[59,1300,1301],{"class":61,"line":62},[59,1302,702],{},[59,1304,1305],{"class":61,"line":68},[59,1306,1307],{},"| filter severity = \"high\" or severity = \"critical\"\n",[59,1309,1310],{"class":61,"line":74},[59,1311,1312],{},"| filter alert_count > 5\n",[59,1314,1315],{"class":61,"line":80},[59,1316,1317],{},"| fields incident_id, description, severity, status, alert_count, creation_time\n",[59,1319,1320],{"class":61,"line":124},[59,1321,1322],{},"| sort desc alert_count\n",[42,1324,1326],{"id":1325},"b-tracking-mean-time-to-acknowledge-mtta","B. Tracking Mean Time to Acknowledge (MTTA)",[15,1328,1329],{},"A critical metric for SOC efficiency. 
This calculates how long it takes for a case to be touched by an analyst.",[50,1331,1333],{"className":52,"code":1332,"language":54,"meta":55,"style":55},"dataset = incidents\n| filter status != \"pending\"\n| alter mtta_seconds = (acknowledgement_time - creation_time) / 1000\n| comp avg(mtta_seconds) as avg_mtta_seconds by severity\n",[24,1334,1335,1339,1344,1349],{"__ignoreMap":55},[59,1336,1337],{"class":61,"line":62},[59,1338,702],{},[59,1340,1341],{"class":61,"line":68},[59,1342,1343],{},"| filter status != \"pending\"\n",[59,1345,1346],{"class":61,"line":74},[59,1347,1348],{},"| alter mtta_seconds = (acknowledgement_time - creation_time) / 1000\n",[59,1350,1351],{"class":61,"line":80},[59,1352,1353],{},"| comp avg(mtta_seconds) as avg_mtta_seconds by severity\n",[42,1355,1357],{"id":1356},"c-identifying-long-running-cases","C. Identifying \"Long-Running\" Cases",[15,1359,1360],{},"Cases that have been open for an unusual amount of time may require escalation.",[50,1362,1364],{"className":52,"code":1363,"language":54,"meta":55,"style":55},"dataset = incidents\n| filter status = \"under_investigation\"\n| alter open_duration_hours = (timestamp() - creation_time) / 3600000\n| filter open_duration_hours > 48\n| fields incident_id, assignee, open_duration_hours\n",[24,1365,1366,1370,1375,1380,1385],{"__ignoreMap":55},[59,1367,1368],{"class":61,"line":62},[59,1369,702],{},[59,1371,1372],{"class":61,"line":68},[59,1373,1374],{},"| filter status = \"under_investigation\"\n",[59,1376,1377],{"class":61,"line":74},[59,1378,1379],{},"| alter open_duration_hours = (timestamp() - creation_time) / 3600000\n",[59,1381,1382],{"class":61,"line":80},[59,1383,1384],{},"| filter open_duration_hours > 48\n",[59,1386,1387],{"class":61,"line":124},[59,1388,1389],{},"| fields incident_id, assignee, open_duration_hours\n",[641,1391],{},[10,1393,1395],{"id":1394},"_2-alert-deep-dive-queries","2. 
Alert Deep-Dive Queries",[42,1397,1399],{"id":1398},"d-mapping-alerts-to-specific-mitre-attck-techniques","D. Mapping Alerts to Specific MITRE ATT&CK Techniques",[15,1401,1402,1403,1406],{},"Understanding ",[650,1404,1405],{},"how"," the attack is happening is vital for containment.",[50,1408,1410],{"className":52,"code":1409,"language":54,"meta":55,"style":55},"dataset = alerts\n| filter mitre_technique_id != null\n| comp count(alert_id) as technique_count by mitre_technique_name, mitre_technique_id\n| sort desc technique_count\n",[24,1411,1412,1417,1422,1427],{"__ignoreMap":55},[59,1413,1414],{"class":61,"line":62},[59,1415,1416],{},"dataset = alerts\n",[59,1418,1419],{"class":61,"line":68},[59,1420,1421],{},"| filter mitre_technique_id != null\n",[59,1423,1424],{"class":61,"line":74},[59,1425,1426],{},"| comp count(alert_id) as technique_count by mitre_technique_name, mitre_technique_id\n",[59,1428,1429],{"class":61,"line":80},[59,1430,1431],{},"| sort desc technique_count\n",[42,1433,1435],{"id":1434},"e-finding-noisiest-alert-sources","E. Finding \"Noisiest\" Alert Sources",[15,1437,1438],{},"Identifying which endpoints or users are triggering the most alerts to reduce false positives.",[50,1440,1442],{"className":52,"code":1441,"language":54,"meta":55,"style":55},"dataset = alerts\n| comp count(alert_id) as alert_count by source_endpoint_name\n| sort desc alert_count\n| limit 20\n",[24,1443,1444,1448,1453,1457],{"__ignoreMap":55},[59,1445,1446],{"class":61,"line":62},[59,1447,1416],{},[59,1449,1450],{"class":61,"line":68},[59,1451,1452],{},"| comp count(alert_id) as alert_count by source_endpoint_name\n",[59,1454,1455],{"class":61,"line":74},[59,1456,1322],{},[59,1458,1459],{"class":61,"line":80},[59,1460,1461],{},"| limit 20\n",[42,1463,1465],{"id":1464},"f-correlating-alerts-without-incidents","F. Correlating Alerts without Incidents",[15,1467,1468],{},"Sometimes alerts fail to group into an incident correctly. 
Finding these \"orphaned\" alerts can surface hidden threats.",[50,1470,1472],{"className":52,"code":1471,"language":54,"meta":55,"style":55},"dataset = alerts\n| filter incident_id = null\n| fields _time, alert_name, severity, source_endpoint_name\n",[24,1473,1474,1478,1483],{"__ignoreMap":55},[59,1475,1476],{"class":61,"line":62},[59,1477,1416],{},[59,1479,1480],{"class":61,"line":68},[59,1481,1482],{},"| filter incident_id = null\n",[59,1484,1485],{"class":61,"line":74},[59,1486,1487],{},"| fields _time, alert_name, severity, source_endpoint_name\n",[641,1489],{},[10,1491,1493],{"id":1492},"_3-case-escalation-logic-issues","3. Case Escalation & Logic Issues",[42,1495,1497],{"id":1496},"g-detecting-flapping-alerts","G. Detecting Flapping Alerts",[15,1499,1500],{},"Alerts that resolve and then re-open frequently can point to misconfigured policies or recurring automated threats.",[50,1502,1504],{"className":52,"code":1503,"language":54,"meta":55,"style":55},"dataset = alerts\n| comp count(alert_id) as instance_count by alert_name, source_endpoint_name\n| filter instance_count > 50\n",[24,1505,1506,1510,1515],{"__ignoreMap":55},[59,1507,1508],{"class":61,"line":62},[59,1509,1416],{},[59,1511,1512],{"class":61,"line":68},[59,1513,1514],{},"| comp count(alert_id) as instance_count by alert_name, source_endpoint_name\n",[59,1516,1517],{"class":61,"line":74},[59,1518,1519],{},"| filter instance_count > 50\n",[42,1521,1523],{"id":1522},"h-analyzing-resolution-rationale","H. 
Analyzing Resolution Rationale",[15,1525,1526],{},"If you want to see why analysts are closing cases as \"False Positive,\" you can audit the resolution comments.",[50,1528,1530],{"className":52,"code":1529,"language":54,"meta":55,"style":55},"dataset = incidents\n| filter status = \"resolved\" and resolution_status = \"false_positive\"\n| fields incident_id, resolution_comment, resolved_by\n",[24,1531,1532,1536,1541],{"__ignoreMap":55},[59,1533,1534],{"class":61,"line":62},[59,1535,702],{},[59,1537,1538],{"class":61,"line":68},[59,1539,1540],{},"| filter status = \"resolved\" and resolution_status = \"false_positive\"\n",[59,1542,1543],{"class":61,"line":74},[59,1544,1545],{},"| fields incident_id, resolution_comment, resolved_by\n",[42,1547,1549],{"id":1548},"i-identifying-overloaded-analysts","I. Identifying Overloaded Analysts",[15,1551,1552],{},"Check the workload distribution across your SOC team.",[50,1554,1556],{"className":52,"code":1555,"language":54,"meta":55,"style":55},"dataset = incidents\n| filter status = \"under_investigation\"\n| comp count(incident_id) as assigned_cases by assignee\n| sort desc assigned_cases\n",[24,1557,1558,1562,1566,1571],{"__ignoreMap":55},[59,1559,1560],{"class":61,"line":62},[59,1561,702],{},[59,1563,1564],{"class":61,"line":68},[59,1565,1374],{},[59,1567,1568],{"class":61,"line":74},[59,1569,1570],{},"| comp count(incident_id) as assigned_cases by assignee\n",[59,1572,1573],{"class":61,"line":80},[59,1574,1575],{},"| sort desc assigned_cases\n",[641,1577],{},[10,1579,1581],{"id":1580},"_4-advanced-case-correlating","4. Advanced Case Correlating",[42,1583,1585],{"id":1584},"j-the-full-story-query","J. 
The \"Full Story\" Query",[15,1587,1588],{},"Combine incident metadata with the actual process details that started the mess.",[50,1590,1592],{"className":52,"code":1591,"language":54,"meta":55,"style":55},"dataset = incidents\n| join (dataset = alerts) as a on a.incident_id = incidents.incident_id\n| fields incidents.incident_id, incidents.description, a.alert_name, a.actor_process_command_line\n| limit 50\n",[24,1593,1594,1598,1603,1608],{"__ignoreMap":55},[59,1595,1596],{"class":61,"line":62},[59,1597,702],{},[59,1599,1600],{"class":61,"line":68},[59,1601,1602],{},"| join (dataset = alerts) as a on a.incident_id = incidents.incident_id\n",[59,1604,1605],{"class":61,"line":74},[59,1606,1607],{},"| fields incidents.incident_id, incidents.description, a.alert_name, a.actor_process_command_line\n",[59,1609,1610],{"class":61,"line":80},[59,1611,1612],{},"| limit 50\n",[641,1614],{},[10,1616,1618],{"id":1617},"summary-table-key-datasets-for-cases","Summary Table: Key Datasets for Cases",[1620,1621,1622,1636],"table",{},[1623,1624,1625],"thead",{},[1626,1627,1628,1633],"tr",{},[1629,1630,1632],"th",{"align":1631},"left","Dataset",[1629,1634,1635],{"align":1631},"Primary Use",[1637,1638,1639,1649,1658,1668],"tbody",{},[1626,1640,1641,1646],{},[1642,1643,1644],"td",{"align":1631},[24,1645,1275],{},[1642,1647,1648],{"align":1631},"High-level case tracking, status, and ownership.",[1626,1650,1651,1655],{},[1642,1652,1653],{"align":1631},[24,1654,1279],{},[1642,1656,1657],{"align":1631},"Technical details of the security event.",[1626,1659,1660,1665],{},[1642,1661,1662],{"align":1631},[24,1663,1664],{},"alert_rules",[1642,1666,1667],{"align":1631},"Auditing which policies are triggering detections.",[1626,1669,1670,1675],{},[1642,1671,1672],{"align":1631},[24,1673,1674],{},"action_history",[1642,1676,1677],{"align":1631},"Tracking what remediation actions (e.g., Isolate) were taken.",[10,1679,293],{"id":292},[15,1681,1682],{},"Effective case management in Cortex XDR 
requires shifting from \"viewing screens\" to \"querying data.\" By using these XQL patterns, you can identify bottlenecks in your SOC, find orphaned alerts that missed correlation, and ensure that critical threats are acknowledged in minutes, not days.",[15,1684,1685],{},"Stay vigilant!",[301,1687,303],{},{"title":55,"searchDepth":68,"depth":68,"links":1689},[1690,1691,1692,1693,1694,1695,1696],{"id":1253,"depth":74,"text":1254},{"id":1285,"depth":74,"text":1286},{"id":1394,"depth":74,"text":1395},{"id":1492,"depth":74,"text":1493},{"id":1580,"depth":74,"text":1581},{"id":1617,"depth":74,"text":1618},{"id":292,"depth":74,"text":293},"Learn how to use XQL to manage, analyze, and resolve security incidents and alerts in Cortex XDR with detailed precision.",{"date":321,"image":1699,"alt":1700,"tags":1701,"published":329},"/blogs-img/blog5.jpg","Cortex Incidents and Cases",[1702,1268,1703,1704],"CortexXDR","CaseManagement","SecurityInvestigation","/blogs/investigating-cortex-incidents-cases",{"title":1248,"description":1697},"blogs/13. investigating-cortex-incidents-cases","B_U1O4TtzRPedUjJ148vzmjY-5DGsR_Z4b5TPxsVKo0",{"id":1710,"title":1711,"body":1712,"description":1894,"extension":319,"meta":1895,"navigation":329,"ogImage":1897,"path":1902,"seo":1903,"stem":1904,"__hash__":1905},"content/blogs/2. fix-tailwindcss-intellisense-in-nuxt3.md","How To Fix TailwindCSS Intellisense In Nuxt3 Project",{"type":7,"value":1713,"toc":1889},[1714,1718,1729,1733,1751,1755,1764,1790,1883,1886],[10,1715,1717],{"id":1716},"problems","Problems",[15,1719,1720,1721,1728],{},"I had a Nuxt3 and TailwindCSS project, which was opened in VS Code. But the problem was that the Tailwind IntelliSense wasn't working properly in my project. I tried reinstalling the VS Code Tailwind extension, but that didn't solve the problem. 
Later, after doing some research, I found a ",[1722,1723,1727],{"href":1724,"rel":1725},"https://github.com/tailwindlabs/tailwindcss-intellisense/issues/663#issuecomment-1316788128",[1726],"nofollow","workaround",", which I am sharing here today.",[10,1730,1732],{"id":1731},"why-its-not-working","Why It's Not Working",[15,1734,1735,1736,1739,1740,1743,1744,1747,1748,1750],{},"In our Nuxt project we have a ",[24,1737,1738],{},".nuxt"," directory. Nuxt uses the ",[24,1741,1742],{},".nuxt/"," directory in development to generate your Vue application. If we look closely, there is also a file called ",[24,1745,1746],{},".nuxt/tailwind.config.cjs",", so Tailwind finds two config files in the same project: one in your root directory and another in your ",[24,1749,1738],{}," directory.",[10,1752,1754],{"id":1753},"possible-workaround","Possible Workaround",[15,1756,1757,1758,1760,1761,1763],{},"One possible solution: in your project, we can tell the extension to exclude the ",[24,1759,1738],{}," directory. 
To exclude the ",[24,1762,1738],{}," directory in your workspace:",[1765,1766,1767,1774,1785],"ul",{},[260,1768,1769,1770,1773],{},"Create a ",[24,1771,1772],{},"/.vscode"," folder at your project's root level.",[260,1775,1776,1777,1780,1781,1784],{},"Inside the ",[24,1778,1779],{},".vscode"," folder, add a ",[24,1782,1783],{},"settings.json"," file.",[260,1785,1787,1788,1784],{},"Copy the code below into the ",[24,1789,1783],{},[50,1791,1795],{"className":1792,"code":1793,"language":1794,"meta":55,"style":55},"language-json shiki shiki-themes dracula","// /.vscode/settings.json\n{\n  \"tailwindCSS.files.exclude\": [\"**/.git/**\", \"**/node_modules/**\", \"**/.hg/**\", \"**/.svn/**\", \"**/.nuxt/**\"]\n}\n","json",[24,1796,1797,1803,1809,1878],{"__ignoreMap":55},[59,1798,1799],{"class":61,"line":62},[59,1800,1802],{"class":1801},"shSDL","// /.vscode/settings.json\n",[59,1804,1805],{"class":61,"line":68},[59,1806,1808],{"class":1807},"sCdxs","{\n",[59,1810,1811,1815,1819,1822,1826,1829,1832,1836,1838,1841,1843,1846,1848,1850,1852,1855,1857,1859,1861,1864,1866,1868,1870,1873,1875],{"class":61,"line":74},[59,1812,1814],{"class":1813},"sY8FZ","  \"",[59,1816,1818],{"class":1817},"sLL85","tailwindCSS.files.exclude",[59,1820,1821],{"class":1813},"\"",[59,1823,1825],{"class":1824},"s0Tla",":",[59,1827,1828],{"class":1807}," [",[59,1830,1821],{"class":1831},"seVfx",[59,1833,1835],{"class":1834},"s-mGx","**/.git/**",[59,1837,1821],{"class":1831},[59,1839,1840],{"class":1807},", 
",[59,1842,1821],{"class":1831},[59,1844,1845],{"class":1834},"**/node_modules/**",[59,1847,1821],{"class":1831},[59,1849,1840],{"class":1807},[59,1851,1821],{"class":1831},[59,1853,1854],{"class":1834},"**/.hg/**",[59,1856,1821],{"class":1831},[59,1858,1840],{"class":1807},[59,1860,1821],{"class":1831},[59,1862,1863],{"class":1834},"**/.svn/**",[59,1865,1821],{"class":1831},[59,1867,1840],{"class":1807},[59,1869,1821],{"class":1831},[59,1871,1872],{"class":1834},"**/.nuxt/**",[59,1874,1821],{"class":1831},[59,1876,1877],{"class":1807},"]\n",[59,1879,1880],{"class":61,"line":80},[59,1881,1882],{"class":1807},"}\n",[15,1884,1885],{},"Hopefully now tailwind intellisense start working properly.",[301,1887,1888],{},"html pre.shiki code .shSDL, html code.shiki .shSDL{--shiki-default:#6272A4}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sY8FZ, html code.shiki .sY8FZ{--shiki-default:#8BE9FE}html pre.shiki code .sLL85, html code.shiki .sLL85{--shiki-default:#8BE9FD}html pre.shiki code .s0Tla, html code.shiki .s0Tla{--shiki-default:#FF79C6}html pre.shiki code .seVfx, html code.shiki .seVfx{--shiki-default:#E9F284}html pre.shiki code .s-mGx, html code.shiki .s-mGx{--shiki-default:#F1FA8C}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":55,"searchDepth":68,"depth":68,"links":1890},[1891,1892,1893],{"id":1716,"depth":74,"text":1717},{"id":1731,"depth":74,"text":1732},{"id":1753,"depth":74,"text":1754},"In Nuxt3 project tailwind css intellisense doesn't seems to work properly. 
In this blog I will share a workaround to fix this issue.",{"date":1896,"image":1897,"alt":1898,"tags":1899,"published":329},"26th Jan 2023","/blogs-img/blog2.jpg","How to fix tailwind intellisense in nuxt3 project",[1900,1901],"nuxt","tailwindcss","/blogs/fix-tailwindcss-intellisense-in-nuxt3",{"title":1711,"description":1894},"blogs/2. fix-tailwindcss-intellisense-in-nuxt3","7ZGcJhWiVqLVOv2RrI7i56paOO-EQuvfqBkBlJrh6uE",{"id":1907,"title":1908,"body":1909,"description":1960,"extension":319,"meta":1961,"navigation":329,"ogImage":322,"path":1963,"seo":1964,"stem":1965,"__hash__":1966},"content/blogs/3. create-namespace-subdomain-connect-to-vercel.md","How To Create Namespace Subdomain & Connect To Vercel App",{"type":7,"value":1910,"toc":1952},[1911,1913,1916,1920,1923,1926,1930,1933,1937,1940,1944,1947,1949],[10,1912,343],{"id":342},[15,1914,1915],{},"Creating a subdomain on Namecheap and connecting it with a Vercel deployed app is a straightforward process. In this blog, we will guide you through the steps required to create a subdomain on Namecheap and connect it to your Vercel deployed app.",[10,1917,1919],{"id":1918},"step-1-create-a-subdomain-on-namecheap","Step 1: Create a subdomain on Namecheap",[15,1921,1922],{},"The first step is to create a subdomain on Namecheap. To do this, log in to your Namecheap account and go to your domain dashboard. Click on the \"Advanced DNS\" tab and then click on \"Add New Record\".",[15,1924,1925],{},"Select \"CNAME (Alias)\" from the \"Type\" dropdown menu. In the \"Host\" field, enter the name of your subdomain (for example, \"app\" if you want your subdomain to be \"app.yourdomain.com\"). In the \"Value\" field, enter the URL of your Vercel deployed app (for example, \"yourapp.vercel.app\").",[10,1927,1929],{"id":1928},"step-2-verify-the-subdomain","Step 2: Verify the subdomain",[15,1931,1932],{},"After creating the subdomain, you need to verify that it has been set up correctly. 
To do this, go to your Vercel deployed app dashboard and click on the \"Domains\" tab. Click on \"Add Domain\" and enter the name of your subdomain. Vercel will verify the subdomain and confirm that it has been set up correctly.",[10,1934,1936],{"id":1935},"step-3-add-the-subdomain-to-your-vercel-deployed-app","Step 3: Add the subdomain to your Vercel deployed app",[15,1938,1939],{},"Now that your subdomain has been verified, you need to add it to your Vercel deployed app. To do this, go to your app dashboard and click on \"Settings\". Click on \"Domains\" and then click on \"Add Domain\". Enter the name of your subdomain and click on \"Add\".",[10,1941,1943],{"id":1942},"step-4-verify-the-subdomain-in-vercel","Step 4: Verify the subdomain in Vercel",[15,1945,1946],{},"After adding the subdomain to your Vercel deployed app, you need to verify that it has been set up correctly. To do this, click on the subdomain in your Vercel deployed app dashboard. Click on \"Verify DNS Configuration\". Vercel will check that the subdomain has been set up correctly and confirm that it is connected to your Vercel deployed app.",[10,1948,293],{"id":292},[15,1950,1951],{},"Connecting a subdomain on Namecheap to your Vercel deployed app is a simple process that can be done in a few steps. By following the steps outlined in this blog, you can easily create a subdomain on Namecheap and connect it to your Vercel deployed app. Remember to verify your subdomain in both Namecheap and Vercel to ensure that it has been set up correctly. 
If you encounter any issues, reach out to Vercel support for assistance.",{"title":55,"searchDepth":68,"depth":68,"links":1953},[1954,1955,1956,1957,1958,1959],{"id":342,"depth":74,"text":343},{"id":1918,"depth":74,"text":1919},{"id":1928,"depth":74,"text":1929},{"id":1935,"depth":74,"text":1936},{"id":1942,"depth":74,"text":1943},{"id":292,"depth":74,"text":293},"Here we will learn, How To Create Namespace Subdomain & Connect To Vercel App",{"date":405,"image":322,"alt":1908,"tags":1962,"published":329},[1900,409,408],"/blogs/create-namespace-subdomain-connect-to-vercel",{"title":1908,"description":1960},"blogs/3. create-namespace-subdomain-connect-to-vercel","KlwXEABuKr1OOvtC55Cv8maXXicSrq8jiU1W1Mdh3dU",{"id":1968,"title":1969,"body":1970,"description":2360,"extension":319,"meta":2361,"navigation":329,"ogImage":1237,"path":2364,"seo":2365,"stem":2366,"__hash__":2367},"content/blogs/4. fetch-content-data-render-pages.md","How To Properly Fetch Nuxt Content Data and Render It in Nuxt Pages",{"type":7,"value":1971,"toc":2353},[1972,1974,1977,1981,1984,2011,2015,2018,2065,2068,2072,2078,2120,2123,2127,2130,2350],[10,1973,343],{"id":342},[15,1975,1976],{},"Nuxt.js is a popular open-source framework for building Vue.js applications. With the release of Nuxt 3, developers have access to new features and improvements to streamline the development process. One of these features is Nuxt Content v2, which allows you to create and manage content in a simple and efficient way. In this blog post, we will guide you through the steps to connect Nuxt Content v2 with Nuxt 3.",[10,1978,1980],{"id":1979},"step-1-install-the-necessary-dependencies","Step 1: Install the necessary dependencies",[15,1982,1983],{},"The first step is to install the necessary dependencies for Nuxt Content v2. 
To do this, run the following command:",[50,1985,1989],{"className":1986,"code":1987,"language":1988,"meta":55,"style":55},"language-js shiki shiki-themes dracula","npm install @nuxt/content@next\n\n","js",[24,1990,1991],{"__ignoreMap":55},[59,1992,1993,1996,1999,2002,2005,2008],{"class":61,"line":62},[59,1994,1995],{"class":1807},"npm install @",[59,1997,1900],{"class":1998},"sY_PY",[59,2000,2001],{"class":1824},"/",[59,2003,2004],{"class":1998},"content",[59,2006,2007],{"class":1807},"@",[59,2009,2010],{"class":1998},"next\n",[10,2012,2014],{"id":2013},"step-2-configure-nuxt-content-v2","Step 2: Configure Nuxt Content v2",[15,2016,2017],{},"Once the dependencies are installed, you need to configure Nuxt Content v2 in your Nuxt 3 project. To do this, create a new file named nuxt.config.js in the root directory of your project and add the following code:",[50,2019,2021],{"className":1986,"code":2020,"language":1988,"meta":55,"style":55},"export default {\n  // Enable Nuxt Content module\n  modules: [\n    '@nuxt/content'\n  ],\n\n",[24,2022,2023,2034,2039,2049,2060],{"__ignoreMap":55},[59,2024,2025,2028,2031],{"class":61,"line":62},[59,2026,2027],{"class":1824},"export",[59,2029,2030],{"class":1824}," default",[59,2032,2033],{"class":1807}," {\n",[59,2035,2036],{"class":61,"line":68},[59,2037,2038],{"class":1801},"  // Enable Nuxt Content module\n",[59,2040,2041,2044,2046],{"class":61,"line":74},[59,2042,2043],{"class":1807},"  modules",[59,2045,1825],{"class":1824},[59,2047,2048],{"class":1807}," [\n",[59,2050,2051,2054,2057],{"class":61,"line":80},[59,2052,2053],{"class":1831},"    '",[59,2055,2056],{"class":1834},"@nuxt/content",[59,2058,2059],{"class":1831},"'\n",[59,2061,2062],{"class":61,"line":124},[59,2063,2064],{"class":1807},"  ],\n",[15,2066,2067],{},"In the above code, we have enabled the Nuxt Content module and set the directory where your content will be stored.",[10,2069,2071],{"id":2070},"step-3-create-content-files","Step 3: Create content 
files",[15,2073,2074,2075,2077],{},"Once Nuxt Content v2 is configured, you can create content files in the specified directory. By default, Nuxt Content v2 supports Markdown and YAML file formats. You can create a new file in the ",[24,2076,2004],{}," directory with the following structure:",[50,2079,2082],{"className":2080,"code":2081,"language":319,"meta":55,"style":55},"language-md shiki shiki-themes dracula","---\ntitle: 'Hello, world!'\n---\n\n# Welcome to Nuxt Content v2\n\nThis is an example of a Markdown file created using Nuxt Content v2.\n",[24,2083,2084,2089,2094,2099,2104,2109,2114],{"__ignoreMap":55},[59,2085,2086],{"class":61,"line":62},[59,2087,2088],{"class":1801},"---\n",[59,2090,2091],{"class":61,"line":68},[59,2092,2093],{"class":1807},"title: 'Hello, world!'\n",[59,2095,2096],{"class":61,"line":74},[59,2097,2088],{"class":2098},"sMMmS",[59,2100,2101],{"class":61,"line":80},[59,2102,2103],{"emptyLinePlaceholder":329},"\n",[59,2105,2106],{"class":61,"line":124},[59,2107,2108],{"class":2098},"# Welcome to Nuxt Content v2\n",[59,2110,2112],{"class":61,"line":2111},6,[59,2113,2103],{"emptyLinePlaceholder":329},[59,2115,2117],{"class":61,"line":2116},7,[59,2118,2119],{"class":1807},"This is an example of a Markdown file created using Nuxt Content v2.\n",[15,2121,2122],{},"In the above code, we have created a Markdown file with a title and a sample content.",[10,2124,2126],{"id":2125},"step-4-display-content-on-a-page","Step 4: Display content on a page",[15,2128,2129],{},"Now that we have created content files, we can display the content on a page. 
To do this, create a new Vue component in the components directory with the following code:",[50,2131,2135],{"className":2132,"code":2133,"language":2134,"meta":55,"style":55},"language-vue shiki shiki-themes dracula","\u003Cscript setup lang=\"ts\">\nconst { path } = useRoute()\nconst articles = await queryContent(path).findOne()\n\u003C/script>\n\n\u003Ctemplate>\n  \u003Cmain>\n    \u003Cdiv>\n      \u003CContentRenderer :value=\"articles\">\n        \u003Ctemplate #empty>\n          \u003Cp>No content found.\u003C/p>\n        \u003C/template>\n      \u003C/ContentRenderer>\n    \u003C/div>\n  \u003C/main>\n\u003C/template>\n","vue",[24,2136,2137,2164,2181,2204,2213,2217,2226,2236,2247,2270,2286,2301,2311,2321,2331,2341],{"__ignoreMap":55},[59,2138,2139,2142,2145,2148,2151,2154,2156,2159,2161],{"class":61,"line":62},[59,2140,2141],{"class":1807},"\u003C",[59,2143,2144],{"class":1824},"script",[59,2146,2147],{"class":1998}," setup",[59,2149,2150],{"class":1998}," lang",[59,2152,2153],{"class":1824},"=",[59,2155,1821],{"class":1831},[59,2157,2158],{"class":1834},"ts",[59,2160,1821],{"class":1831},[59,2162,2163],{"class":1807},">\n",[59,2165,2166,2169,2172,2174,2178],{"class":61,"line":68},[59,2167,2168],{"class":1824},"const",[59,2170,2171],{"class":1807}," { path } ",[59,2173,2153],{"class":1824},[59,2175,2177],{"class":2176},"sAOxA"," useRoute",[59,2179,2180],{"class":1807},"()\n",[59,2182,2183,2185,2188,2190,2193,2196,2199,2202],{"class":61,"line":74},[59,2184,2168],{"class":1824},[59,2186,2187],{"class":1807}," articles ",[59,2189,2153],{"class":1824},[59,2191,2192],{"class":1824}," await",[59,2194,2195],{"class":2176}," 
queryContent",[59,2197,2198],{"class":1807},"(path).",[59,2200,2201],{"class":2176},"findOne",[59,2203,2180],{"class":1807},[59,2205,2206,2209,2211],{"class":61,"line":80},[59,2207,2208],{"class":1807},"\u003C/",[59,2210,2144],{"class":1824},[59,2212,2163],{"class":1807},[59,2214,2215],{"class":61,"line":124},[59,2216,2103],{"emptyLinePlaceholder":329},[59,2218,2219,2221,2224],{"class":61,"line":2111},[59,2220,2141],{"class":1807},[59,2222,2223],{"class":1824},"template",[59,2225,2163],{"class":1807},[59,2227,2228,2231,2234],{"class":61,"line":2116},[59,2229,2230],{"class":1807},"  \u003C",[59,2232,2233],{"class":1824},"main",[59,2235,2163],{"class":1807},[59,2237,2239,2242,2245],{"class":61,"line":2238},8,[59,2240,2241],{"class":1807},"    \u003C",[59,2243,2244],{"class":1824},"div",[59,2246,2163],{"class":1807},[59,2248,2250,2253,2256,2259,2261,2263,2266,2268],{"class":61,"line":2249},9,[59,2251,2252],{"class":1807},"      \u003C",[59,2254,2255],{"class":1824},"ContentRenderer",[59,2257,2258],{"class":1998}," :value",[59,2260,2153],{"class":1824},[59,2262,1821],{"class":1831},[59,2264,2265],{"class":1834},"articles",[59,2267,1821],{"class":1831},[59,2269,2163],{"class":1807},[59,2271,2273,2276,2278,2281,2284],{"class":61,"line":2272},10,[59,2274,2275],{"class":1807},"        \u003C",[59,2277,2223],{"class":1824},[59,2279,2280],{"class":1807}," #",[59,2282,2283],{"class":1998},"empty",[59,2285,2163],{"class":1807},[59,2287,2289,2292,2294,2297,2299],{"class":61,"line":2288},11,[59,2290,2291],{"class":1807},"          \u003C",[59,2293,15],{"class":1824},[59,2295,2296],{"class":1807},">No content found.\u003C/",[59,2298,15],{"class":1824},[59,2300,2163],{"class":1807},[59,2302,2304,2307,2309],{"class":61,"line":2303},12,[59,2305,2306],{"class":1807},"        \u003C/",[59,2308,2223],{"class":1824},[59,2310,2163],{"class":1807},[59,2312,2314,2317,2319],{"class":61,"line":2313},13,[59,2315,2316],{"class":1807},"      
\u003C/",[59,2318,2255],{"class":1824},[59,2320,2163],{"class":1807},[59,2322,2324,2327,2329],{"class":61,"line":2323},14,[59,2325,2326],{"class":1807},"    \u003C/",[59,2328,2244],{"class":1824},[59,2330,2163],{"class":1807},[59,2332,2334,2337,2339],{"class":61,"line":2333},15,[59,2335,2336],{"class":1807},"  \u003C/",[59,2338,2233],{"class":1824},[59,2340,2163],{"class":1807},[59,2342,2344,2346,2348],{"class":61,"line":2343},16,[59,2345,2208],{"class":1807},[59,2347,2223],{"class":1824},[59,2349,2163],{"class":1807},[301,2351,2352],{},"html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sY_PY, html code.shiki .sY_PY{--shiki-default:#50FA7B;--shiki-default-font-style:italic}html pre.shiki code .s0Tla, html code.shiki .s0Tla{--shiki-default:#FF79C6}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .shSDL, html code.shiki .shSDL{--shiki-default:#6272A4}html pre.shiki code .seVfx, html code.shiki .seVfx{--shiki-default:#E9F284}html pre.shiki code .s-mGx, html code.shiki .s-mGx{--shiki-default:#F1FA8C}html pre.shiki code .sMMmS, html code.shiki .sMMmS{--shiki-default:#BD93F9;--shiki-default-font-weight:bold}html pre.shiki code .sAOxA, html code.shiki .sAOxA{--shiki-default:#50FA7B}",{"title":55,"searchDepth":68,"depth":68,"links":2354},[2355,2356,2357,2358,2359],{"id":342,"depth":74,"text":343},{"id":1979,"depth":74,"text":1980},{"id":2013,"depth":74,"text":2014},{"id":2070,"depth":74,"text":2071},{"id":2125,"depth":74,"text":2126},"Here we will learn How To Properly Fetch Nuxt Content Data and 
Render It in Nuxt Pages",{"date":405,"image":1237,"alt":1969,"tags":2362,"published":329},[1900,2363],"nuxt-content","/blogs/fetch-content-data-render-pages",{"title":1969,"description":2360},"blogs/4. fetch-content-data-render-pages","FZUR4FWpcPh10Y5pZ-zDdemFmAyR9lYAEE-591z8f10",{"id":2369,"title":2370,"body":2371,"description":2486,"extension":319,"meta":2487,"navigation":329,"ogImage":1699,"path":2491,"seo":2492,"stem":2493,"__hash__":2494},"content/blogs/5. vue3-awesome-library.md","Some Awesome Libraries For Vue3",{"type":7,"value":2372,"toc":2479},[2373,2375,2378,2382,2385,2417,2421,2424,2444,2448,2474,2476],[10,2374,343],{"id":342},[15,2376,2377],{},"Vue.js is a popular JavaScript framework for building web applications. It offers a lot of flexibility and ease of use, making it a go-to choice for many developers. One of the advantages of Vue.js is its rich library ecosystem. In this blog post, we will introduce you to some of the awesome libraries for Vue.js in different categories.",[10,2379,2381],{"id":2380},"essential","Essential",[15,2383,2384],{},"Some libraries are must have when you are start working with new project, here are my list",[1765,2386,2387,2393,2399,2405,2411],{},[260,2388,2389,2392],{},[19,2390,2391],{},"Vue Router",": Vue Router is the official router for Vue.js. It deeply integrates with Vue.js core to make building Single Page Applications with Vue.js a breeze",[260,2394,2395,2398],{},[19,2396,2397],{},"Pinia",": Pinia started as an experiment to redesign what a Store for Vue could look like with the Composition API around November 2019.",[260,2400,2401,2404],{},[19,2402,2403],{},"VueUse",": VueUse is a collection of utility functions based on Composition API. 
We assume you are already familiar with the basic ideas of Composition API before you continue.",[260,2406,2407,2410],{},[19,2408,2409],{},"Vitest",": Vitest is a blazing fast unit test framework powered by Vite.",[260,2412,2413,2416],{},[19,2414,2415],{},"Vue Macro",": Vue Macros is a library that implements proposals or ideas that have not been officially implemented by Vue. That means it will explore and extend more features and syntax sugar to Vue.",[10,2418,2420],{"id":2419},"ui-libraries","UI Libraries",[15,2422,2423],{},"UI libraries provide pre-built components and styles for building user interfaces. Here are some popular UI libraries for Vue.js:",[1765,2425,2426,2432,2438],{},[260,2427,2428,2431],{},[19,2429,2430],{},"Naive UI",": A Vue 3 Component Library Fairly Complete, Theme Customizable, Uses TypeScript, Fast Kinda Interesting",[260,2433,2434,2437],{},[19,2435,2436],{},"Vuetify",": Vue Component Framework Vuetify is a no design skills required UI Library with beautifully handcrafted Vue Components.",[260,2439,2440,2443],{},[19,2441,2442],{},"Vuestic",": You can create a new project or integrate Vuestic UI into an existing application. There are three ways to create new Vuestic App. 
All of them are mostly the same and provide the same features.",[10,2445,2447],{"id":2446},"others","Others",[1765,2449,2450,2456,2462,2468],{},[260,2451,2452,2455],{},[19,2453,2454],{},"VueFire",": VueFire Official Firebase bindings for Vue.js",[260,2457,2458,2461],{},[19,2459,2460],{},"Vue I18n",": Vue I18n Internationalization plugin for Vue.js",[260,2463,2464,2467],{},[19,2465,2466],{},"Vue Auto Animate",": Add motion to your apps with a single line of code.",[260,2469,2470,2473],{},[19,2471,2472],{},"Vuelidate",": Vuelidate is considered model-based because the validation rules are defined next to your data, and the validation tree structure matches the data model structure.",[10,2475,293],{"id":292},[15,2477,2478],{},"In this blog post, we have introduced you to some of the awesome libraries for Vue.js in different categories. These libraries can help you build better and more engaging web applications with Vue.js. Remember to choose the right library based on your project requirements and always refer to the documentation for usage and integration instructions. If you encounter any issues, reach out to the Vue.js community for assistance.",{"title":55,"searchDepth":68,"depth":68,"links":2480},[2481,2482,2483,2484,2485],{"id":342,"depth":74,"text":343},{"id":2380,"depth":74,"text":2381},{"id":2419,"depth":74,"text":2420},{"id":2446,"depth":74,"text":2447},{"id":292,"depth":74,"text":293},"Vue.js is a popular JavaScript framework for building web applications. In this blog post, we will introduce you to some of the awesome libraries for Vue.js in different categories.",{"date":2488,"image":1699,"alt":2370,"tags":2489,"published":329},"1st Jan 2023",[2134,2490],"javascript","/blogs/vue3-awesome-library",{"title":2370,"description":2486},"blogs/5. 
vue3-awesome-library","I1rTbZJWAHUzepKnWecEoo8WqgR_czbzazQQWfNXnhM",{"id":2496,"title":2497,"body":2498,"description":2625,"extension":319,"meta":2626,"navigation":329,"ogImage":2628,"path":2630,"seo":2631,"stem":2632,"__hash__":2633},"content/blogs/6. how-to-fix-vuex-type-issue.md","How to fix vuex type issue",{"type":7,"value":2499,"toc":2621},[2500,2502,2505,2509,2520,2613,2618],[10,2501,343],{"id":342},[15,2503,2504],{},"In recent version of our vue project, when we try to add vuex we see type error and vuex type not found. We can easily fix that issue.",[10,2506,2508],{"id":2507},"how-to-fix-that-issue","How to fix that issue",[257,2510,2511,2517],{},[260,2512,1769,2513,2516],{},[24,2514,2515],{},"vuex.d.ts"," file inside of your route project.",[260,2518,2519],{},"Pase this code in that file",[50,2521,2524],{"className":2522,"code":2523,"language":2158,"meta":55,"style":55},"language-ts shiki shiki-themes dracula","declare module 'vuex' {\n  export * from 'vuex/types/index.d.ts'\n  export * from 'vuex/types/helpers.d.ts'\n  export * from 'vuex/types/logger.d.ts'\n  export * from 'vuex/types/vue.d.ts'\n}\n",[24,2525,2526,2545,2564,2579,2594,2609],{"__ignoreMap":55},[59,2527,2528,2531,2534,2537,2540,2543],{"class":61,"line":62},[59,2529,2530],{"class":1824},"declare",[59,2532,2533],{"class":1824}," module",[59,2535,2536],{"class":1831}," '",[59,2538,2539],{"class":1834},"vuex",[59,2541,2542],{"class":1831},"'",[59,2544,2033],{"class":1807},[59,2546,2547,2550,2554,2557,2559,2562],{"class":61,"line":68},[59,2548,2549],{"class":1824},"  export",[59,2551,2553],{"class":2552},"sIQBb"," *",[59,2555,2556],{"class":1824}," 
from",[59,2558,2536],{"class":1831},[59,2560,2561],{"class":1834},"vuex/types/index.d.ts",[59,2563,2059],{"class":1831},[59,2565,2566,2568,2570,2572,2574,2577],{"class":61,"line":74},[59,2567,2549],{"class":1824},[59,2569,2553],{"class":2552},[59,2571,2556],{"class":1824},[59,2573,2536],{"class":1831},[59,2575,2576],{"class":1834},"vuex/types/helpers.d.ts",[59,2578,2059],{"class":1831},[59,2580,2581,2583,2585,2587,2589,2592],{"class":61,"line":80},[59,2582,2549],{"class":1824},[59,2584,2553],{"class":2552},[59,2586,2556],{"class":1824},[59,2588,2536],{"class":1831},[59,2590,2591],{"class":1834},"vuex/types/logger.d.ts",[59,2593,2059],{"class":1831},[59,2595,2596,2598,2600,2602,2604,2607],{"class":61,"line":124},[59,2597,2549],{"class":1824},[59,2599,2553],{"class":2552},[59,2601,2556],{"class":1824},[59,2603,2536],{"class":1831},[59,2605,2606],{"class":1834},"vuex/types/vue.d.ts",[59,2608,2059],{"class":1831},[59,2610,2611],{"class":61,"line":2111},[59,2612,1882],{"class":1807},[257,2614,2615],{"start":74},[260,2616,2617],{},"That's it. 
You are good to go.",[301,2619,2620],{},"html pre.shiki code .s0Tla, html code.shiki .s0Tla{--shiki-default:#FF79C6}html pre.shiki code .seVfx, html code.shiki .seVfx{--shiki-default:#E9F284}html pre.shiki code .s-mGx, html code.shiki .s-mGx{--shiki-default:#F1FA8C}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sIQBb, html code.shiki .sIQBb{--shiki-default:#BD93F9}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":55,"searchDepth":68,"depth":68,"links":2622},[2623,2624],{"id":342,"depth":74,"text":343},{"id":2507,"depth":74,"text":2508},"In recent Vue projects the Vuex types do not work properly. We will fix that type issue and make the Vuex types work.",{"date":2627,"image":2628,"alt":2497,"tags":2629,"published":329},"9th June 2024","/blogs-img/blog6.jpg",[2134,2539],"/blogs/how-to-fix-vuex-type-issue",{"title":2497,"description":2625},"blogs/6. how-to-fix-vuex-type-issue","X0Ij6GDbKFFucQ9hZ41uxQ1S9n6IE8lVWZqUoj2o2nw",{"id":2635,"title":2636,"body":2637,"description":3050,"extension":319,"meta":3051,"navigation":329,"ogImage":3053,"path":3057,"seo":3058,"stem":3059,"__hash__":3060},"content/blogs/7. 
redis-ttl-jitter-and-how-i-almost-crashed-a-server.md","Redis TTL, Jitter, and How I Almost Crashed a Server 🚀",{"type":7,"value":2638,"toc":3041},[2639,2643,2648,2650,2654,2661,2676,2683,2687,2690,2696,2699,2743,2746,2749,2753,2764,2767,2772,2775,2783,2789,2793,2799,2810,2946,2960,2964,2967,2976,2979,2993,3000,3004,3007,3018,3024,3027,3038],[10,2640,2642],{"id":2641},"recently-i-ran-into-an-interesting-redis-case-that-taught-me-a-big-lesson","Recently, I ran into an interesting Redis case that taught me a big lesson:",[15,2644,2645],{},[19,2646,2647],{},"Infinite cache TTLs are like hoarding—things pile up until it’s a problem.",[641,2649],{},[10,2651,2653],{"id":2652},"the-setup-infinite-cache","The Setup: Infinite Cache",[15,2655,2656,2657,2660],{},"Once upon a time (okay, just a few months ago), we were saving some data in Redis with ",[19,2658,2659],{},"no expiration",". The idea was simple:",[1765,2662,2663,2670,2673],{},[260,2664,2665,2666,2669],{},"Data comes from another system (the ",[650,2667,2668],{},"real"," source of truth).",[260,2671,2672],{},"We cache it in Redis for fast access.",[260,2674,2675],{},"Done. Easy. ✅",[15,2677,2678,2679,2682],{},"But here’s the problem: when you never expire cache, it ",[19,2680,2681],{},"keeps growing",". And growing. And growing. Like that drawer in your house where you throw every cable you’ve ever owned.",[10,2684,2686],{"id":2685},"the-task-add-a-ttl","The Task: Add a TTL",[15,2688,2689],{},"One day, I got the task:",[2691,2692,2693],"blockquote",{},[15,2694,2695],{},"“Please set a TTL of two weeks for this cache.”",[15,2697,2698],{},"Sounds easy, right? 
Just add:",[50,2700,2702],{"className":1986,"code":2701,"language":1988,"meta":55,"style":55},"redis.set('mykey', value, 'EX', 1209600) // 2 weeks in seconds\n",[24,2703,2704],{"__ignoreMap":55},[59,2705,2706,2709,2712,2715,2717,2720,2722,2725,2727,2730,2732,2734,2737,2740],{"class":61,"line":62},[59,2707,2708],{"class":1807},"redis.",[59,2710,2711],{"class":2176},"set",[59,2713,2714],{"class":1807},"(",[59,2716,2542],{"class":1831},[59,2718,2719],{"class":1834},"mykey",[59,2721,2542],{"class":1831},[59,2723,2724],{"class":1807},", value, ",[59,2726,2542],{"class":1831},[59,2728,2729],{"class":1834},"EX",[59,2731,2542],{"class":1831},[59,2733,1840],{"class":1807},[59,2735,2736],{"class":2552},"1209600",[59,2738,2739],{"class":1807},") ",[59,2741,2742],{"class":1801},"// 2 weeks in seconds\n",[15,2744,2745],{},"Boom. Done. Task finished. Go get coffee. ☕",[15,2747,2748],{},"Except… not really.",[10,2750,2752],{"id":2751},"the-problem-cache-avalanche","The Problem: Cache Avalanche",[15,2754,2755,2756,2759,2760,2763],{},"Think about what happens ",[19,2757,2758],{},"two weeks later",".\nEvery single cached key expires ",[19,2761,2762],{},"at the same time",".",[15,2765,2766],{},"Suddenly, Redis says:",[2691,2768,2769],{},[15,2770,2771],{},"“Sorry boss, no cache here!”",[15,2773,2774],{},"And then our poor backend server (the real source of truth) gets flooded with requests, like:",[50,2776,2781],{"className":2777,"code":2779,"language":2780},[2778],"language-text","HELP! SEND DATA! SEND DATA! SEND DATA!\n","text",[24,2782,2779],{"__ignoreMap":55},[15,2784,2785,2786,2763],{},"The server could literally crash under the unexpected load. 
This is called a ",[19,2787,2788],{},"cache avalanche",[10,2790,2792],{"id":2791},"the-solution-add-jitter","The Solution: Add Jitter",[15,2794,2795,2796],{},"The trick is simple but powerful: ",[19,2797,2798],{},"don’t let all keys expire at once.",[15,2800,2801,2802,2805,2806,2809],{},"Instead of setting ",[19,2803,2804],{},"exactly 2 weeks",", we add a little randomness (aka ",[650,2807,2808],{},"jitter","). For example:",[50,2811,2813],{"className":1986,"code":2812,"language":1988,"meta":55,"style":55},"// Expire between 14 and 16 days\nconst baseTTL = 14 * 24 * 60 * 60 // 14 days\nconst jitter = Math.floor(Math.random() * (2 * 24 * 60 * 60)) // up to 2 days\nconst ttl = baseTTL + jitter\n\nredis.set('mykey', value, 'EX', ttl)\n",[24,2814,2815,2820,2849,2900,2917,2921],{"__ignoreMap":55},[59,2816,2817],{"class":61,"line":62},[59,2818,2819],{"class":1801},"// Expire between 14 and 16 days\n",[59,2821,2822,2824,2827,2829,2832,2834,2837,2839,2842,2844,2846],{"class":61,"line":68},[59,2823,2168],{"class":1824},[59,2825,2826],{"class":1807}," baseTTL ",[59,2828,2153],{"class":1824},[59,2830,2831],{"class":2552}," 14",[59,2833,2553],{"class":1824},[59,2835,2836],{"class":2552}," 24",[59,2838,2553],{"class":1824},[59,2840,2841],{"class":2552}," 60",[59,2843,2553],{"class":1824},[59,2845,2841],{"class":2552},[59,2847,2848],{"class":1801}," // 14 days\n",[59,2850,2851,2853,2856,2858,2861,2864,2867,2870,2873,2876,2879,2882,2884,2886,2888,2890,2892,2894,2897],{"class":61,"line":74},[59,2852,2168],{"class":1824},[59,2854,2855],{"class":1807}," jitter ",[59,2857,2153],{"class":1824},[59,2859,2860],{"class":1807}," Math.",[59,2862,2863],{"class":2176},"floor",[59,2865,2866],{"class":1807},"(Math.",[59,2868,2869],{"class":2176},"random",[59,2871,2872],{"class":1807},"() ",[59,2874,2875],{"class":1824},"*",[59,2877,2878],{"class":1807}," 
(",[59,2880,2881],{"class":2552},"2",[59,2883,2553],{"class":1824},[59,2885,2836],{"class":2552},[59,2887,2553],{"class":1824},[59,2889,2841],{"class":2552},[59,2891,2553],{"class":1824},[59,2893,2841],{"class":2552},[59,2895,2896],{"class":1807},")) ",[59,2898,2899],{"class":1801},"// up to 2 days\n",[59,2901,2902,2904,2907,2909,2911,2914],{"class":61,"line":80},[59,2903,2168],{"class":1824},[59,2905,2906],{"class":1807}," ttl ",[59,2908,2153],{"class":1824},[59,2910,2826],{"class":1807},[59,2912,2913],{"class":1824},"+",[59,2915,2916],{"class":1807}," jitter\n",[59,2918,2919],{"class":61,"line":124},[59,2920,2103],{"emptyLinePlaceholder":329},[59,2922,2923,2925,2927,2929,2931,2933,2935,2937,2939,2941,2943],{"class":61,"line":2111},[59,2924,2708],{"class":1807},[59,2926,2711],{"class":2176},[59,2928,2714],{"class":1807},[59,2930,2542],{"class":1831},[59,2932,2719],{"class":1834},[59,2934,2542],{"class":1831},[59,2936,2724],{"class":1807},[59,2938,2542],{"class":1831},[59,2940,2729],{"class":1834},[59,2942,2542],{"class":1831},[59,2944,2945],{"class":1807},", ttl)\n",[15,2947,2948,2949,2952,2953,2952,2956,2959],{},"Now some keys expire in ",[19,2950,2951],{},"14 days",", some in ",[19,2954,2955],{},"15",[19,2957,2958],{},"16",".\nWhich means requests trickle back to the server instead of hitting it like a tsunami. 🌊",[10,2961,2963],{"id":2962},"why-it-matters","Why It Matters",[15,2965,2966],{},"Without jitter:",[1765,2968,2969],{},[260,2970,2971,2972,2975],{},"Day 14 → server gets ",[19,2973,2974],{},"millions of requests at once",". Boom. 🔥",[15,2977,2978],{},"With jitter:",[1765,2980,2981,2984,2987,2990],{},[260,2982,2983],{},"Day 14 → some requests",[260,2985,2986],{},"Day 15 → some more",[260,2988,2989],{},"Day 16 → a few more",[260,2991,2992],{},"Server is chill. 
😎",[15,2994,2995,2996,2999],{},"This small change can ",[19,2997,2998],{},"save your entire system"," from crashing.",[10,3001,3003],{"id":3002},"final-thoughts","Final Thoughts",[15,3005,3006],{},"Caching is powerful, but it comes with hidden gotchas.",[1765,3008,3009,3012,3015],{},[260,3010,3011],{},"Infinite TTL? Your cache becomes a junkyard.",[260,3013,3014],{},"Fixed TTL? Your server might collapse in 14 days like a time bomb.",[260,3016,3017],{},"TTL with jitter? Balanced, safe, and production-ready.",[15,3019,3020,3021],{},"So the next time you set a cache TTL, remember:\n👉 ",[650,3022,3023],{},"Always sprinkle some randomness in your Redis life.",[15,3025,3026],{},"Your future self (and your backend servers) will thank you. 🙏",[15,3028,3029,3030,3033,3034,3037],{},"Do you want me to also add a ",[19,3031,3032],{},"diagram (ASCII or image idea)"," showing the difference between ",[650,3035,3036],{},"no jitter vs jitter"," so it’s more visually clear for the blog?",[301,3039,3040],{},"html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sAOxA, html code.shiki .sAOxA{--shiki-default:#50FA7B}html pre.shiki code .seVfx, html code.shiki .seVfx{--shiki-default:#E9F284}html pre.shiki code .s-mGx, html code.shiki .s-mGx{--shiki-default:#F1FA8C}html pre.shiki code .sIQBb, html code.shiki .sIQBb{--shiki-default:#BD93F9}html pre.shiki code .shSDL, html code.shiki .shSDL{--shiki-default:#6272A4}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .s0Tla, html code.shiki 
.s0Tla{--shiki-default:#FF79C6}",{"title":55,"searchDepth":68,"depth":68,"links":3042},[3043,3044,3045,3046,3047,3048,3049],{"id":2641,"depth":74,"text":2642},{"id":2652,"depth":74,"text":2653},{"id":2685,"depth":74,"text":2686},{"id":2751,"depth":74,"text":2752},{"id":2791,"depth":74,"text":2792},{"id":2962,"depth":74,"text":2963},{"id":3002,"depth":74,"text":3003},"Recently, I ran into an interesting Redis case that taught me a big lesson Infinite cache TTLs are like hoarding—things pile up until it’s a problem.",{"date":3052,"image":3053,"alt":2636,"tags":3054,"published":329},"18th Sep 2025","/blogs-img/blog7.png",[3055,3056,2808],"redis","ttl","/blogs/redis-ttl-jitter-and-how-i-almost-crashed-a-server",{"title":2636,"description":3050},"blogs/7. redis-ttl-jitter-and-how-i-almost-crashed-a-server","JbcEvgf3w-iEDJUcwtcUwf69SX0KVJFwDCBrjw7iIl4",{"id":3062,"title":3063,"body":3064,"description":3526,"extension":319,"meta":3527,"navigation":329,"ogImage":3529,"path":3534,"seo":3535,"stem":3536,"__hash__":3537},"content/blogs/8. float-make-my-dollar-float-away.md","FLOAT Made My Dollars Float Away - FLOAT vs DECIMAL in MySQL 💸",{"type":7,"value":3065,"toc":3515},[3066,3070,3084,3094,3101,3108,3112,3121,3128,3141,3144,3148,3193,3196,3225,3235,3239,3242,3255,3258,3286,3289,3304,3310,3317,3321,3327,3344,3385,3387,3411,3414,3418,3421,3430,3433,3445,3448,3452,3458,3462,3493,3497,3507,3513],[10,3067,3069],{"id":3068},"recently-i-got-a-task","Recently I got a task:",[2691,3071,3072],{},[15,3073,3074],{},[19,3075,3076,3077,3080,3081],{},"Alter a table column from ",[24,3078,3079],{},"FLOAT"," to ",[24,3082,3083],{},"DECIMAL(10,2)",[15,3085,3086,3087],{},"I thought:\n",[650,3088,3089,3090,3093],{},"\"Pff, easy task. Just run an ",[24,3091,3092],{},"ALTER TABLE"," and done. 
Why is this even a ticket?\"",[15,3095,3096,3097,3100],{},"But then I read the description.\nTurns out, ",[19,3098,3099],{},"FLOAT was causing data loss",", and I needed to convert it without losing data.",[15,3102,3103,3104,3107],{},"That’s when I realized: this isn’t just about one query. It’s about how ",[19,3105,3106],{},"FLOAT silently eats your money"," in MySQL.",[10,3109,3111],{"id":3110},"why-float-is-a-problem","Why FLOAT is a Problem",[15,3113,3114,3116,3117,3120],{},[24,3115,3079],{}," in MySQL is a ",[19,3118,3119],{},"binary floating-point type",".\nIt doesn’t store exact values — only approximations.",[15,3122,3123,3124,3127],{},"That’s fine for rocket science 🚀 or graphics rendering 🎮, but for ",[19,3125,3126],{},"money"," where every cent matters? Disaster.",[15,3129,3130,3131,3133,3134,3137,3138,2763],{},"Think of ",[24,3132,3079],{}," as a leaky bucket. You pour in ",[24,3135,3136],{},"$1,000,000.25","… and it gives you back ",[24,3139,3140],{},"$999,999.94",[15,3142,3143],{},"Not funny when it’s your salary.",[10,3145,3147],{"id":3146},"example-of-data-loss","Example of Data Loss",[50,3149,3153],{"className":3150,"code":3151,"language":3152,"meta":55,"style":55},"language-sql shiki shiki-themes dracula","CREATE TABLE money_float (\n    id INT AUTO_INCREMENT PRIMARY KEY,\n    amount FLOAT\n);\n\nINSERT INTO money_float (amount) VALUES (1000000.25), (123456789.99);\n\nSELECT * FROM money_float;\n","sql",[24,3154,3155,3160,3165,3170,3175,3179,3184,3188],{"__ignoreMap":55},[59,3156,3157],{"class":61,"line":62},[59,3158,3159],{},"CREATE TABLE money_float (\n",[59,3161,3162],{"class":61,"line":68},[59,3163,3164],{},"    id INT AUTO_INCREMENT PRIMARY KEY,\n",[59,3166,3167],{"class":61,"line":74},[59,3168,3169],{},"    amount FLOAT\n",[59,3171,3172],{"class":61,"line":80},[59,3173,3174],{},");\n",[59,3176,3177],{"class":61,"line":124},[59,3178,2103],{"emptyLinePlaceholder":329},[59,3180,3181],{"class":61,"line":2111},[59,3182,3183],{},"INSERT INTO 
money_float (amount) VALUES (1000000.25), (123456789.99);\n",[59,3185,3186],{"class":61,"line":2116},[59,3187,2103],{"emptyLinePlaceholder":329},[59,3189,3190],{"class":61,"line":2238},[59,3191,3192],{},"SELECT * FROM money_float;\n",[15,3194,3195],{},"Result:",[1620,3197,3198,3208],{},[1623,3199,3200],{},[1626,3201,3202,3205],{},[1629,3203,3204],{},"id",[1629,3206,3207],{},"amount",[1637,3209,3210,3218],{},[1626,3211,3212,3215],{},[1642,3213,3214],{},"1",[1642,3216,3217],{},"1000000.25",[1626,3219,3220,3222],{},[1642,3221,2881],{},[1642,3223,3224],{},"123456792.00",[15,3226,3227,3228,3231,3232,3234],{},"We inserted ",[24,3229,3230],{},"123456789.99",", but got back ",[24,3233,3224],{},".\nThe bigger the number, the worse the corruption.",[10,3236,3238],{"id":3237},"but-why-does-float-lose-data","But Why Does FLOAT Lose Data?",[15,3240,3241],{},"Here’s the fun part. Let’s make it simple.",[1765,3243,3244,3252],{},[260,3245,3246,3248,3249,2763],{},[24,3247,3079],{}," stores numbers in ",[19,3250,3251],{},"binary (base 2)",[260,3253,3254],{},"But not every decimal number can be written exactly in binary.",[15,3256,3257],{},"Example:",[1765,3259,3260,3267,3280],{},[260,3261,3262,3263,3266],{},"In decimal, ",[24,3264,3265],{},"0.1"," is simple.",[260,3268,3269,3270,3272,3273,3276,3277],{},"In binary, ",[24,3271,3265],{}," is ",[19,3274,3275],{},"infinite repeating",": ",[24,3278,3279],{},"0.0001100110011…",[260,3281,3282,3283,3285],{},"So ",[24,3284,3079],{}," cuts it off at some point and stores an approximation.",[15,3287,3288],{},"That’s why when you do:",[50,3290,3292],{"className":3150,"code":3291,"language":3152,"meta":55,"style":55},"INSERT INTO money_float (amount) VALUES (0.1);\nSELECT amount FROM money_float;\n",[24,3293,3294,3299],{"__ignoreMap":55},[59,3295,3296],{"class":61,"line":62},[59,3297,3298],{},"INSERT INTO money_float (amount) VALUES (0.1);\n",[59,3300,3301],{"class":61,"line":68},[59,3302,3303],{},"SELECT amount FROM 
money_float;\n",[15,3305,3306,3307,2763],{},"You might see something like ",[24,3308,3309],{},"0.10000000149",[15,3311,3312,3313,3316],{},"Now imagine this tiny error repeated in ",[19,3314,3315],{},"millions of dollars",".\nErrors pile up, and suddenly your 9-digit amount looks… off.",[10,3318,3320],{"id":3319},"decimal-to-the-rescue","DECIMAL to the Rescue",[15,3322,3323,3326],{},[24,3324,3325],{},"DECIMAL"," stores numbers differently:",[1765,3328,3329,3336],{},[260,3330,3331,3332,3335],{},"Instead of binary approximation, it stores ",[19,3333,3334],{},"exact digits as strings"," internally.",[260,3337,3338,3339,3341,3342,2763],{},"That means ",[24,3340,3230],{}," is stored as exactly ",[24,3343,3230],{},[50,3345,3347],{"className":3150,"code":3346,"language":3152,"meta":55,"style":55},"CREATE TABLE money_decimal (\n    id INT AUTO_INCREMENT PRIMARY KEY,\n    amount DECIMAL(15,2)\n);\n\nINSERT INTO money_decimal (amount) VALUES (1000000.25), (123456789.99);\n\nSELECT * FROM money_decimal;\n",[24,3348,3349,3354,3358,3363,3367,3371,3376,3380],{"__ignoreMap":55},[59,3350,3351],{"class":61,"line":62},[59,3352,3353],{},"CREATE TABLE money_decimal (\n",[59,3355,3356],{"class":61,"line":68},[59,3357,3164],{},[59,3359,3360],{"class":61,"line":74},[59,3361,3362],{},"    amount DECIMAL(15,2)\n",[59,3364,3365],{"class":61,"line":80},[59,3366,3174],{},[59,3368,3369],{"class":61,"line":124},[59,3370,2103],{"emptyLinePlaceholder":329},[59,3372,3373],{"class":61,"line":2111},[59,3374,3375],{},"INSERT INTO money_decimal (amount) VALUES (1000000.25), (123456789.99);\n",[59,3377,3378],{"class":61,"line":2116},[59,3379,2103],{"emptyLinePlaceholder":329},[59,3381,3382],{"class":61,"line":2238},[59,3383,3384],{},"SELECT * FROM 
money_decimal;\n",[15,3386,3195],{},[1620,3388,3389,3397],{},[1623,3390,3391],{},[1626,3392,3393,3395],{},[1629,3394,3204],{},[1629,3396,3207],{},[1637,3398,3399,3405],{},[1626,3400,3401,3403],{},[1642,3402,3214],{},[1642,3404,3217],{},[1626,3406,3407,3409],{},[1642,3408,2881],{},[1642,3410,3230],{},[15,3412,3413],{},"Perfect. ✅ No rounding surprises.",[10,3415,3417],{"id":3416},"why-alter-wont-save-you","Why ALTER Won’t Save You",[15,3419,3420],{},"Here’s the trap I fell into:",[50,3422,3424],{"className":3150,"code":3423,"language":3152,"meta":55,"style":55},"ALTER TABLE money_float MODIFY amount DECIMAL(15,2);\n",[24,3425,3426],{"__ignoreMap":55},[59,3427,3428],{"class":61,"line":62},[59,3429,3423],{},[15,3431,3432],{},"You’d think this fixes it, right?\nNope. ❌",[15,3434,3435,3436,3438,3439,3442,3443,2763],{},"The data was already corrupted when it was first inserted as ",[24,3437,3079],{},".\n",[24,3440,3441],{},"ALTER"," just moves the already-broken value into ",[24,3444,3325],{},[15,3446,3447],{},"Garbage in → garbage out.",[10,3449,3451],{"id":3450},"visual-float-vs-decimal","Visual: FLOAT vs DECIMAL",[50,3453,3456],{"className":3454,"code":3455,"language":2780},[2778],"FLOAT (approximation in binary):\n123456789.99  --->  123456792.00 💀\n\nDECIMAL (exact digits):\n123456789.99  --->  123456789.99 ✅\n",[24,3457,3455],{"__ignoreMap":55},[10,3459,3461],{"id":3460},"lessons-learned","Lessons Learned",[1765,3463,3464,3473,3484],{},[260,3465,3466,3467,2001,3469,3472],{},"Never use ",[24,3468,3079],{},[24,3470,3471],{},"DOUBLE"," for money.",[260,3474,3475,3476,3479,3480,3483],{},"Always use ",[24,3477,3478],{},"DECIMAL(precision, scale)"," (e.g., ",[24,3481,3482],{},"DECIMAL(15,2)",").",[260,3485,3486,3487,3489,3490,3492],{},"If your table already has money in ",[24,3488,3079],{},", you cannot fix the lost precision with ",[24,3491,3441],{},". 
You’ll need to re-import or clean it at the source.",[10,3494,3496],{"id":3495},"final-thought","Final Thought",[15,3498,3499,3500,3502,3503,3506],{},"Using ",[24,3501,3079],{}," for money is like paying your salary in ",[19,3504,3505],{},"Monopoly money",". 🎲💵\nIt looks okay until you try to spend it — then you realize it’s worthless.",[15,3508,3509,3510,3512],{},"Stick with ",[24,3511,3325],{},", and your dollars will stay safe. ✅",[301,3514,303],{},{"title":55,"searchDepth":68,"depth":68,"links":3516},[3517,3518,3519,3520,3521,3522,3523,3524,3525],{"id":3068,"depth":74,"text":3069},{"id":3110,"depth":74,"text":3111},{"id":3146,"depth":74,"text":3147},{"id":3237,"depth":74,"text":3238},{"id":3319,"depth":74,"text":3320},{"id":3416,"depth":74,"text":3417},{"id":3450,"depth":74,"text":3451},{"id":3460,"depth":74,"text":3461},{"id":3495,"depth":74,"text":3496},"Recently I got a task Alter a table column from `FLOAT` to `DECIMAL(10,2)",{"date":3528,"image":3529,"alt":3063,"tags":3530,"published":329},"19th Sep 2025","/blogs-img/blog8.png",[3531,3532,3533],"mysql","float","decimal","/blogs/float-make-my-dollar-float-away",{"title":3063,"description":3526},"blogs/8. float-make-my-dollar-float-away","LLMtdDXEF2PNMbVJsdAFzOmMKY39dzRGJa9XONZHDaI",{"id":3539,"title":3540,"body":3541,"description":3757,"extension":319,"meta":3758,"navigation":329,"ogImage":3759,"path":3764,"seo":3765,"stem":3766,"__hash__":3767},"content/blogs/9. mastering-cortex-cloud-xql.md","Mastering Cortex Cloud XQL - A Beginner's Guide to Security Querying",{"type":7,"value":3542,"toc":3749},[3543,3547,3553,3556,3560,3563,3589,3593,3596,3621,3625,3628,3651,3655,3709,3713,3716,3739,3741,3744,3747],[10,3544,3546],{"id":3545},"what-is-xql","What is XQL?",[15,3548,3549,3552],{},[19,3550,3551],{},"XQL (XDR Query Language)"," is a specialized language developed by Palo Alto Networks for their Cortex XDR and Cortex Data Lake platforms. 
It allows security analysts to perform powerful searches across massive datasets of logs and security events.",[15,3554,3555],{},"If you are familiar with SQL or Splunk's SPL, you'll find XQL intuitive but with its own unique \"cloud-native\" flavor.",[10,3557,3559],{"id":3558},"why-do-we-need-it","Why do we need it?",[15,3561,3562],{},"In a modern security operations center (SOC), logs are coming from everywhere—endpoints, firewalls, and cloud environments. XQL provides a unified way to:",[1765,3564,3565,3571,3577,3583],{},[260,3566,3567,3570],{},[19,3568,3569],{},"Search",": Quickly find specific events.",[260,3572,3573,3576],{},[19,3574,3575],{},"Filter",": Narrow down noise to find the \"needle in the haystack.\"",[260,3578,3579,3582],{},[19,3580,3581],{},"Aggregate",": Count and group data to find patterns.",[260,3584,3585,3588],{},[19,3586,3587],{},"Transform",": Modify how data looks for better reporting.",[10,3590,3592],{"id":3591},"basic-syntax-structure","Basic Syntax Structure",[15,3594,3595],{},"A typical XQL query follows this flow:",[50,3597,3599],{"className":52,"code":3598,"language":54,"meta":55,"style":55},"dataset = \u003Cdataset_name> \n| filter \u003Ccondition>\n| fields \u003Cfield1>, \u003Cfield2>\n| limit \u003Cnumber>\n",[24,3600,3601,3606,3611,3616],{"__ignoreMap":55},[59,3602,3603],{"class":61,"line":62},[59,3604,3605],{},"dataset = \u003Cdataset_name> \n",[59,3607,3608],{"class":61,"line":68},[59,3609,3610],{},"| filter \u003Ccondition>\n",[59,3612,3613],{"class":61,"line":74},[59,3614,3615],{},"| fields \u003Cfield1>, \u003Cfield2>\n",[59,3617,3618],{"class":61,"line":80},[59,3619,3620],{},"| limit \u003Cnumber>\n",[42,3622,3624],{"id":3623},"example-1-finding-failed-logins","Example 1: Finding Failed Logins",[15,3626,3627],{},"Let's say we want to see all failed login attempts in our cloud environment over the last 24 hours.",[50,3629,3631],{"className":52,"code":3630,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter 
event_type = \"LOGIN\" and outcome = \"FAILURE\"\n| fields _time, actor_process_image_path, action_external_hostname\n| limit 100\n",[24,3632,3633,3637,3641,3646],{"__ignoreMap":55},[59,3634,3635],{"class":61,"line":62},[59,3636,65],{},[59,3638,3639],{"class":61,"line":68},[59,3640,673],{},[59,3642,3643],{"class":61,"line":74},[59,3644,3645],{},"| fields _time, actor_process_image_path, action_external_hostname\n",[59,3647,3648],{"class":61,"line":80},[59,3649,3650],{},"| limit 100\n",[10,3652,3654],{"id":3653},"key-operators-to-know","Key Operators to Know",[257,3656,3657,3668,3684,3690,3704],{},[260,3658,3659,3661,3662,1840,3665,3483],{},[19,3660,272],{},": Always the first line. It tells Cortex which \"bucket\" of data to look into (e.g., ",[24,3663,3664],{},"xdr_data",[24,3666,3667],{},"pan_traffic_raw",[260,3669,3670,3672,3673,1840,3676,1840,3679,1840,3682,2763],{},[19,3671,268],{},": Used to include or exclude data. Supports standard operators like ",[24,3674,3675],{},"==",[24,3677,3678],{},"!=",[24,3680,3681],{},">",[24,3683,2141],{},[260,3685,3686,3689],{},[19,3687,3688],{},"fields",": Selects specific columns to display.",[260,3691,3692,3694,3695,1840,3698,1840,3701,2763],{},[19,3693,90],{},": (short for compress/compute) Used for aggregations like ",[24,3696,3697],{},"count",[24,3699,3700],{},"sum",[24,3702,3703],{},"avg",[260,3705,3706,3708],{},[19,3707,34],{},": Used to create new fields or rename existing ones.",[10,3710,3712],{"id":3711},"advanced-threat-hunting","Advanced Threat Hunting",[15,3714,3715],{},"One of the most powerful features of XQL is its ability to join disparate datasets. 
You can take data from an endpoint log and join it with firewall traffic logs to trace the entire path of a potential attack.",[50,3717,3719],{"className":52,"code":3718,"language":54,"meta":55,"style":55},"dataset = xdr_data\n| filter actor_process_image_name == \"cmd.exe\"\n| join (dataset = pan_traffic_raw) as traffic on traffic.source_ip = xdr_data.endpoint_ip\n| fields xdr_data.endpoint_name, traffic.destination_port\n",[24,3720,3721,3725,3730,3734],{"__ignoreMap":55},[59,3722,3723],{"class":61,"line":62},[59,3724,65],{},[59,3726,3727],{"class":61,"line":68},[59,3728,3729],{},"| filter actor_process_image_name == \"cmd.exe\"\n",[59,3731,3732],{"class":61,"line":74},[59,3733,163],{},[59,3735,3736],{"class":61,"line":80},[59,3737,3738],{},"| fields xdr_data.endpoint_name, traffic.destination_port\n",[10,3740,293],{"id":292},[15,3742,3743],{},"Mastering Cortex Cloud XQL is a game-changer for anyone working in cloud security. It transforms the way you view logs from static text to a dynamic, searchable intelligence source. Start small with simple filters and gradually explore the complex aggregation functions!",[15,3745,3746],{},"Happy hunting!",[301,3748,303],{},{"title":55,"searchDepth":68,"depth":68,"links":3750},[3751,3752,3753,3754,3755,3756],{"id":3545,"depth":74,"text":3546},{"id":3558,"depth":74,"text":3559},{"id":3591,"depth":74,"text":3592},{"id":3653,"depth":74,"text":3654},{"id":3711,"depth":74,"text":3712},{"id":292,"depth":74,"text":293},"Dive deep into Palo Alto's Cortex XQL (XDR Query Language) and learn how to hunt for threats in the cloud.",{"date":321,"image":3759,"alt":3760,"tags":3761,"published":329},"/blogs-img/blog.jpg","Mastering Cortex Cloud XQL",[325,326,3762,3763],"Security Analytics","Threat Hunting","/blogs/mastering-cortex-cloud-xql",{"title":3540,"description":3757},"blogs/9. mastering-cortex-cloud-xql","NsW97AMwZ00I3CkMoqrj0VeUdMz5uwYstNc_N8IEgZ4",1776339754477]