[{"data":1,"prerenderedAt":2925},["ShallowReactive",2],{"blog-post-/blogs/mastering-json-manipulation-in-xql":3,"all-blogs-for-navigation":985},{"id":4,"title":5,"body":6,"description":968,"extension":969,"meta":970,"navigation":980,"ogImage":972,"path":981,"seo":982,"stem":983,"__hash__":984},"content/blogs/3. mastering-json-manipulation-in-xql.md","Mastering JSON Manipulation in Cortex XQL - Beyond the Basics",{"type":7,"value":8,"toc":957},"minimark",[9,22,33,36,41,48,427,429,436,442,447,453,457,484,488,530,532,539,544,548,551,554,579,582,617,619,623,626,630,636,639,664,667,701,703,707,713,717,728,731,750,754,757,778,783,797,799,803,806,810,820,823,848,902,904,908,947,950,953],[10,11,12,13,17,18,21],"p",{},"In modern security operations, data is rarely flat. In Cortex XDR, the most valuable insights—like asset ownership, vulnerability details, and cloud metadata—are often stored as JSON strings within fields like ",[14,15,16],"code",{},"xdm.issue.extended_fields"," or ",[14,19,20],{},"raw_log",".",[10,23,24,25,29,30,21],{},"To be a master threat hunter, you must know how to peel back these layers. This guide provides a deep dive into JSON manipulation with ",[26,27,28],"strong",{},"realistic data samples"," and ",[26,31,32],{},"detailed XQL queries",[34,35],"hr",{},[37,38,40],"h3",{"id":39},"the-sample-dataset","The Sample Dataset",[10,42,43,44,47],{},"Throughout this guide, we will refer to a hypothetical ",[14,45,46],{},"extended_fields"," JSON object that follows the standard Cortex CSM (Cloud Security Management) structure:",[49,50,55],"pre",{"className":51,"code":52,"language":53,"meta":54,"style":54},"language-json shiki shiki-themes dracula","{\n  \"cve_id\": \"CVE-2024-1234\",\n  \"xdm_assets\": [\n    {\n      \"xdm__asset__name\": \"SEC-SVR-01\",\n      \"xdm__asset__realm\": \"Cloud-Prod-West\",\n      \"xdm__asset__type\": \"Virtual Machine\",\n      \"owner\": {\n        \"owner_name\": \"DevSecOps Team\",\n        \"email\": \"security@example.com\"\n      }\n    }\n  ],\n  \"user_context\": {\n    \"department\": \"Finance\",\n    \"login_geo\": \"US\"\n  },\n  \"metrics\": {\n    \"sent_bytes\": \"15728640\",\n    \"usage_pct\": \"87.5\"\n  },\n  \"indicators\": [\"192.168.1.100\", \"8.8.8.8\", \"malicious-site.com\"]\n}\n","json","",[14,56,57,66,97,112,118,140,161,182,197,219,239,245,251,257,271,293,312,318,332,353,372,377,421],{"__ignoreMap":54},[58,59,62],"span",{"class":60,"line":61},"line",1,[58,63,65],{"class":64},"sCdxs","{\n",[58,67,69,73,77,80,84,88,92,94],{"class":60,"line":68},2,[58,70,72],{"class":71},"sY8FZ","  \"",[58,74,76],{"class":75},"sLL85","cve_id",[58,78,79],{"class":71},"\"",[58,81,83],{"class":82},"s0Tla",":",[58,85,87],{"class":86},"seVfx"," \"",[58,89,91],{"class":90},"s-mGx","CVE-2024-1234",[58,93,79],{"class":86},[58,95,96],{"class":64},",\n",[58,98,100,102,105,107,109],{"class":60,"line":99},3,[58,101,72],{"class":71},[58,103,104],{"class":75},"xdm_assets",[58,106,79],{"class":71},[58,108,83],{"class":82},[58,110,111],{"class":64}," [\n",[58,113,115],{"class":60,"line":114},4,[58,116,117],{"class":64},"    {\n",[58,119,121,124,127,129,131,133,136,138],{"class":60,"line":120},5,[58,122,123],{"class":71},"      \"",[58,125,126],{"class":75},"xdm__asset__name",[58,128,79],{"class":71},[58,130,83],{"class":82},[58,132,87],{"class":86},[58,134,135],{"class":90},"SEC-SVR-01",[58,137,79],{"class":86},[58,139,96],{"class":64},[58,141,143,145,148,150,152,154,157,159],{"class":60,"line":142},6,[58,144,123],{"class":71},[58,146,147],{"class":75},"xdm__asset__realm",[58,149,79],{"class":71},[58,151,83],{"class":82},[58,153,87],{"class":86},[58,155,156],{"class":90},"Cloud-Prod-West",[58,158,79],{"class":86},[58,160,96],{"class":64},[58,162,164,166,169,171,173,175,178,180],{"class":60,"line":163},7,[58,165,123],{"class":71},[58,167,168],{"class":75},"xdm__asset__type",[58,170,79],{"class":71},[58,172,83],{"class":82},[58,174,87],{"class":86},[58,176,177],{"class":90},"Virtual Machine",[58,179,79],{"class":86},[58,181,96],{"class":64},[58,183,185,187,190,192,194],{"class":60,"line":184},8,[58,186,123],{"class":71},[58,188,189],{"class":75},"owner",[58,191,79],{"class":71},[58,193,83],{"class":82},[58,195,196],{"class":64}," {\n",[58,198,200,203,206,208,210,212,215,217],{"class":60,"line":199},9,[58,201,202],{"class":71},"        \"",[58,204,205],{"class":75},"owner_name",[58,207,79],{"class":71},[58,209,83],{"class":82},[58,211,87],{"class":86},[58,213,214],{"class":90},"DevSecOps Team",[58,216,79],{"class":86},[58,218,96],{"class":64},[58,220,222,224,227,229,231,233,236],{"class":60,"line":221},10,[58,223,202],{"class":71},[58,225,226],{"class":75},"email",[58,228,79],{"class":71},[58,230,83],{"class":82},[58,232,87],{"class":86},[58,234,235],{"class":90},"security@example.com",[58,237,238],{"class":86},"\"\n",[58,240,242],{"class":60,"line":241},11,[58,243,244],{"class":64},"      }\n",[58,246,248],{"class":60,"line":247},12,[58,249,250],{"class":64},"    }\n",[58,252,254],{"class":60,"line":253},13,[58,255,256],{"class":64},"  ],\n",[58,258,260,262,265,267,269],{"class":60,"line":259},14,[58,261,72],{"class":71},[58,263,264],{"class":75},"user_context",[58,266,79],{"class":71},[58,268,83],{"class":82},[58,270,196],{"class":64},[58,272,274,277,280,282,284,286,289,291],{"class":60,"line":273},15,[58,275,276],{"class":71},"    \"",[58,278,279],{"class":75},"department",[58,281,79],{"class":71},[58,283,83],{"class":82},[58,285,87],{"class":86},[58,287,288],{"class":90},"Finance",[58,290,79],{"class":86},[58,292,96],{"class":64},[58,294,296,298,301,303,305,307,310],{"class":60,"line":295},16,[58,297,276],{"class":71},[58,299,300],{"class":75},"login_geo",[58,302,79],{"class":71},[58,304,83],{"class":82},[58,306,87],{"class":86},[58,308,309],{"class":90},"US",[58,311,238],{"class":86},[58,313,315],{"class":60,"line":314},17,[58,316,317],{"class":64},"  },\n",[58,319,321,323,326,328,330],{"class":60,"line":320},18,[58,322,72],{"class":71},[58,324,325],{"class":75},"metrics",[58,327,79],{"class":71},[58,329,83],{"class":82},[58,331,196],{"class":64},[58,333,335,337,340,342,344,346,349,351],{"class":60,"line":334},19,[58,336,276],{"class":71},[58,338,339],{"class":75},"sent_bytes",[58,341,79],{"class":71},[58,343,83],{"class":82},[58,345,87],{"class":86},[58,347,348],{"class":90},"15728640",[58,350,79],{"class":86},[58,352,96],{"class":64},[58,354,356,358,361,363,365,367,370],{"class":60,"line":355},20,[58,357,276],{"class":71},[58,359,360],{"class":75},"usage_pct",[58,362,79],{"class":71},[58,364,83],{"class":82},[58,366,87],{"class":86},[58,368,369],{"class":90},"87.5",[58,371,238],{"class":86},[58,373,375],{"class":60,"line":374},21,[58,376,317],{"class":64},[58,378,380,382,385,387,389,392,394,397,399,402,404,407,409,411,413,416,418],{"class":60,"line":379},22,[58,381,72],{"class":71},[58,383,384],{"class":75},"indicators",[58,386,79],{"class":71},[58,388,83],{"class":82},[58,390,391],{"class":64}," [",[58,393,79],{"class":86},[58,395,396],{"class":90},"192.168.1.100",[58,398,79],{"class":86},[58,400,401],{"class":64},", ",[58,403,79],{"class":86},[58,405,406],{"class":90},"8.8.8.8",[58,408,79],{"class":86},[58,410,401],{"class":64},[58,412,79],{"class":86},[58,414,415],{"class":90},"malicious-site.com",[58,417,79],{"class":86},[58,419,420],{"class":64},"]\n",[58,422,424],{"class":60,"line":423},23,[58,425,426],{"class":64},"}\n",[34,428],{},[37,430,432,433],{"id":431},"_1-the-workhorse-json_extract_scalar","1. The Workhorse: ",[14,434,435],{},"json_extract_scalar",[10,437,438,439,21],{},"This function is designed to pull a single value (string, number, or boolean) and return it as a ",[26,440,441],{},"XQL-native string",[443,444,446],"h4",{"id":445},"the-goal-identify-the-department","The Goal: Identify the Department",[10,448,449,450,452],{},"We want to extract the department from the ",[14,451,264],{}," object to audit finance-related activity.",[443,454,456],{"id":455},"the-query","The Query:",[49,458,462],{"className":459,"code":460,"language":461,"meta":54,"style":54},"language-xql shiki shiki-themes dracula","dataset = xdr_data \n| alter dept = json_extract_scalar(additional_data, \"$.user_context.department\")\n| filter dept == \"Finance\"\n| comp count() as finance_activity by action_process_name\n","xql",[14,463,464,469,474,479],{"__ignoreMap":54},[58,465,466],{"class":60,"line":61},[58,467,468],{},"dataset = xdr_data \n",[58,470,471],{"class":60,"line":68},[58,472,473],{},"| alter dept = json_extract_scalar(additional_data, \"$.user_context.department\")\n",[58,475,476],{"class":60,"line":99},[58,477,478],{},"| filter dept == \"Finance\"\n",[58,480,481],{"class":60,"line":114},[58,482,483],{},"| comp count() as finance_activity by action_process_name\n",[443,485,487],{"id":486},"detailed-breakdown","Detailed Breakdown:",[489,490,491,504,513],"ul",{},[492,493,494,499,500,503],"li",{},[26,495,496],{},[14,497,498],{},"$.user_context.department",": The ",[14,501,502],{},"$"," represents the root of the JSON. We then navigate through keys using dot notation.",[492,505,506,509,510,21],{},[26,507,508],{},"Result",": The function returns ",[14,511,512],{},"\"Finance\"",[492,514,515,518,519,522,523,526,527,529],{},[26,516,517],{},"Limitation",": If you tried to extract ",[14,520,521],{},"$.user_context",", the function would return ",[14,524,525],{},"null"," because ",[14,528,264],{}," is an object, not a scalar value.",[34,531],{},[37,533,535,536],{"id":534},"_2-handling-nested-structures-json_extract","2. Handling Nested Structures: ",[14,537,538],{},"json_extract",[10,540,541,542,21],{},"When you need to extract a whole sub-section (like an entire array or object) to process it later, use ",[14,543,538],{},[443,545,547],{"id":546},"the-goal-isolate-asset-metadata","The Goal: Isolate Asset Metadata",[10,549,550],{},"In vulnerability management, you often need to grab the entire asset record to perform multiple extractions from it.",[443,552,456],{"id":553},"the-query-1",[49,555,557],{"className":459,"code":556,"language":461,"meta":54,"style":54},"dataset = issues\n| alter first_asset = json_extract(xdm.issue.extended_fields, \"$.xdm_assets[0]\")\n| alter asset_type = json_extract_scalar(first_asset, \"$.xdm__asset__type\")\n| filter asset_type != null\n",[14,558,559,564,569,574],{"__ignoreMap":54},[58,560,561],{"class":60,"line":61},[58,562,563],{},"dataset = issues\n",[58,565,566],{"class":60,"line":68},[58,567,568],{},"| alter first_asset = json_extract(xdm.issue.extended_fields, \"$.xdm_assets[0]\")\n",[58,570,571],{"class":60,"line":99},[58,572,573],{},"| alter asset_type = json_extract_scalar(first_asset, \"$.xdm__asset__type\")\n",[58,575,576],{"class":60,"line":114},[58,577,578],{},"| filter asset_type != null\n",[443,580,487],{"id":581},"detailed-breakdown-1",[489,583,584,592,604],{},[492,585,586,591],{},[26,587,588],{},[14,589,590],{},"$.xdm_assets[0]",": Uses array indexing to grab the first item in the asset list.",[492,593,594,597,598,600,601,21],{},[26,595,596],{},"Return Value",": Unlike ",[14,599,435],{},", this returns the entire stringified JSON: ",[14,602,603],{},"{\"xdm__asset__name\": \"SEC-SVR-01\", ...}",[492,605,606,609,610,612,613,616],{},[26,607,608],{},"Why use this?"," It saves you from writing ",[14,611,590],{}," over and over again in subsequent ",[14,614,615],{},"alter"," stages.",[34,618],{},[37,620,622],{"id":621},"_3-dealing-with-lists-array-functions","3. Dealing with Lists: Array Functions",[10,624,625],{},"Handling arrays of IP addresses or indicators is a common SOC requirement.",[443,627,629],{"id":628},"the-goal-find-a-specific-malicious-ip","The Goal: Find a Specific Malicious IP",[10,631,632,633,635],{},"We want to check if the ",[14,634,384],{}," list contains a known malicious IP.",[443,637,456],{"id":638},"the-query-2",[49,640,642],{"className":459,"code":641,"language":461,"meta":54,"style":54},"dataset = cloud_logs\n| alter ioc_list = json_extract_array(raw_log, \"$.indicators\")\n| filter array_contains(ioc_list, \"192.168.1.100\")\n| fields _time, ioc_list, action\n",[14,643,644,649,654,659],{"__ignoreMap":54},[58,645,646],{"class":60,"line":61},[58,647,648],{},"dataset = cloud_logs\n",[58,650,651],{"class":60,"line":68},[58,652,653],{},"| alter ioc_list = json_extract_array(raw_log, \"$.indicators\")\n",[58,655,656],{"class":60,"line":99},[58,657,658],{},"| filter array_contains(ioc_list, \"192.168.1.100\")\n",[58,660,661],{"class":60,"line":114},[58,662,663],{},"| fields _time, ioc_list, action\n",[443,665,487],{"id":666},"detailed-breakdown-2",[489,668,669,681,693],{},[492,670,671,676,677,680],{},[26,672,673],{},[14,674,675],{},"json_extract_array",": Converts the JSON string ",[14,678,679],{},"[\"192.168.1.100\", ...]"," into a native XQL array.",[492,682,683,688,689,692],{},[26,684,685],{},[14,686,687],{},"array_contains",": This function ",[26,690,691],{},"only"," works on native arrays, making the previous step mandatory.",[492,694,695,700],{},[26,696,697],{},[14,698,699],{},"json_extract_scalar_array",": If your only goal is to display the indicators cleanly in a report without quotes, use this function instead.",[34,702],{},[37,704,706],{"id":705},"_4-advanced-the-swiss-army-knife-jsonpath","4. Advanced: The \"Swiss Army Knife\" (JSONPath)",[10,708,709,710,21],{},"For complex extractions, Cortex supports recursive descent and wildcards through ",[14,711,712],{},"json_path_extract",[443,714,716],{"id":715},"the-goal-find-the-owner-name-anywhere","The Goal: Find the Owner Name Anywhere",[10,718,719,720,723,724,727],{},"If your JSON structure changes (e.g., owner is sometimes in ",[14,721,722],{},"asset"," and sometimes in ",[14,725,726],{},"project","), you can search for the key globally.",[443,729,456],{"id":730},"the-query-3",[49,732,734],{"className":459,"code":733,"language":461,"meta":54,"style":54},"dataset = issues\n| alter owner = json_path_extract(xdm.issue.extended_fields, \"$..owner_name\")\n// The $.. syntax triggers a recursive search\n",[14,735,736,740,745],{"__ignoreMap":54},[58,737,738],{"class":60,"line":61},[58,739,563],{},[58,741,742],{"class":60,"line":68},[58,743,744],{},"| alter owner = json_path_extract(xdm.issue.extended_fields, \"$..owner_name\")\n",[58,746,747],{"class":60,"line":99},[58,748,749],{},"// The $.. syntax triggers a recursive search\n",[443,751,753],{"id":752},"syntactic-sugar-the-operators","Syntactic Sugar: The Operators",[10,755,756],{},"Cortex provides two extremely helpful operators for cleaner code:",[489,758,759,769],{},[492,760,761,766,767,21],{},[26,762,763],{},[14,764,765],{},"->",": Shortcut for ",[14,768,538],{},[492,770,771,766,776,21],{},[26,772,773],{},[14,774,775],{},"->->",[14,777,435],{},[10,779,780],{},[26,781,782],{},"Modernized Query:",[49,784,786],{"className":459,"code":785,"language":461,"meta":54,"style":54},"dataset = issues\n| alter name = xdm.issue.extended_fields ->-> \"$.xdm_assets[0].xdm__asset__name\"\n",[14,787,788,792],{"__ignoreMap":54},[58,789,790],{"class":60,"line":61},[58,791,563],{},[58,793,794],{"class":60,"line":68},[58,795,796],{},"| alter name = xdm.issue.extended_fields ->-> \"$.xdm_assets[0].xdm__asset__name\"\n",[34,798],{},[37,800,802],{"id":801},"_5-final-step-data-type-casting","5. Final Step: Data Type Casting",[10,804,805],{},"Extracted JSON data is always a string by default. To do math or time analysis, you must cast it.",[443,807,809],{"id":808},"the-goal-filter-by-traffic-volume-bytes","The Goal: Filter by Traffic Volume (Bytes)",[10,811,812,813,815,816,819],{},"In our sample data, ",[14,814,339],{}," is ",[14,817,818],{},"\"15728640\"",". As a string, we can't check if it's greater than a number.",[443,821,456],{"id":822},"the-query-4",[49,824,826],{"className":459,"code":825,"language":461,"meta":54,"style":54},"dataset = network_logs\n| alter bytes = to_integer(json_extract_scalar(raw_payload, \"$.metrics.sent_bytes\"))\n| filter bytes > 10485760 // Greater than 10MB\n| comp sum(bytes) as total_outbound by bin(_time, 1h)\n",[14,827,828,833,838,843],{"__ignoreMap":54},[58,829,830],{"class":60,"line":61},[58,831,832],{},"dataset = network_logs\n",[58,834,835],{"class":60,"line":68},[58,836,837],{},"| alter bytes = to_integer(json_extract_scalar(raw_payload, \"$.metrics.sent_bytes\"))\n",[58,839,840],{"class":60,"line":99},[58,841,842],{},"| filter bytes > 10485760 // Greater than 10MB\n",[58,844,845],{"class":60,"line":114},[58,846,847],{},"| comp sum(bytes) as total_outbound by bin(_time, 1h)\n",[849,850,851,865],"table",{},[852,853,854],"thead",{},[855,856,857,862],"tr",{},[858,859,861],"th",{"align":860},"left","Cast Function",[858,863,864],{"align":860},"Use Case",[866,867,868,879,892],"tbody",{},[855,869,870,876],{},[871,872,873],"td",{"align":860},[14,874,875],{},"to_integer()",[871,877,878],{"align":860},"Count of issues, byte sizes, port numbers.",[855,880,881,886],{},[871,882,883],{"align":860},[14,884,885],{},"to_float()",[871,887,888,889,891],{"align":860},"Percentages (like ",[14,890,360],{},"), risk scores.",[855,893,894,899],{},[871,895,896],{"align":860},[14,897,898],{},"to_timestamp()",[871,900,901],{"align":860},"Custom event times within JSON logs.",[34,903],{},[37,905,907],{"id":906},"best-practices-summary","Best Practices Summary",[909,910,911,924,939],"ol",{},[492,912,913,916,917,920,921,21],{},[26,914,915],{},"Casing",": Always double-check your casing. ",[14,918,919],{},"$.Owner"," $\\neq$ ",[14,922,923],{},"$.owner",[492,925,926,929,930,933,934,938],{},[26,927,928],{},"Validation",": Use ",[14,931,932],{},"to_json_string()"," if your extraction returns null on a field you ",[935,936,937],"em",{},"know"," is there—the field might not be properly typed as JSON yet.",[492,940,941,929,944,946],{},[26,942,943],{},"Visualization",[14,945,699],{}," for dashboard tables; it removes the brackets and quotes that often clutter UI widgets.",[10,948,949],{},"Mastering these JSON functions transforms you from a basic user into a technical power user who can squeeze every bit of value from Cortex logs.",[10,951,952],{},"Happy Hunting!",[954,955,956],"style",{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .sCdxs, html code.shiki .sCdxs{--shiki-default:#F8F8F2}html pre.shiki code .sY8FZ, html code.shiki .sY8FZ{--shiki-default:#8BE9FE}html pre.shiki code .sLL85, html code.shiki .sLL85{--shiki-default:#8BE9FD}html pre.shiki code .s0Tla, html code.shiki .s0Tla{--shiki-default:#FF79C6}html pre.shiki code .seVfx, html code.shiki .seVfx{--shiki-default:#E9F284}html pre.shiki code .s-mGx, html code.shiki .s-mGx{--shiki-default:#F1FA8C}",{"title":54,"searchDepth":68,"depth":68,"links":958},[959,960,962,964,965,966,967],{"id":39,"depth":99,"text":40},{"id":431,"depth":99,"text":961},"1. The Workhorse: json_extract_scalar",{"id":534,"depth":99,"text":963},"2. Handling Nested Structures: json_extract",{"id":621,"depth":99,"text":622},{"id":705,"depth":99,"text":706},{"id":801,"depth":99,"text":802},{"id":906,"depth":99,"text":907},"A comprehensive guide to JSON extraction in Cortex XQL. Learn how to parse complex nested structures, handle arrays, and use advanced XQL operators with real-world data samples.","md",{"date":971,"image":972,"alt":973,"tags":974,"published":980},"22nd Apr 2026","/blogs-img/json-manipulation.png","JSON Manipulation XQL",[975,976,977,978,979],"Cortex","XQL","JSON","DataAnalytics","SecurityEngineering",true,"/blogs/mastering-json-manipulation-in-xql",{"title":5,"description":968},"blogs/3. mastering-json-manipulation-in-xql","Kgvfulg15_1fV_QHTwhoofC8cktZTxVAIJqaTiQvQzI",[986,1788,2228],{"id":987,"title":988,"body":989,"description":1774,"extension":969,"meta":1775,"navigation":980,"ogImage":1777,"path":1784,"seo":1785,"stem":1786,"__hash__":1787},"content/blogs/1. cortex-xql-dashboard-queries-library.md","Cortex XQL Dashboard Queries Library - Posture, Attack Path & Asset Analysis",{"type":7,"value":990,"toc":1762},[991,997,1018,1020,1024,1027,1029,1069,1073,1135,1137,1141,1144,1146,1182,1185,1215,1217,1221,1228,1230,1266,1269,1285,1287,1291,1294,1296,1331,1334,1363,1365,1369,1372,1374,1404,1407,1441,1443,1447,1450,1453,1477,1480,1498,1500,1504,1507,1510,1534,1537,1552,1554,1558,1561,1564,1588,1591,1606,1608,1612,1619,1621,1625,1757,1759],[10,992,993,994,21],{},"A high-performance security dashboard is the heart of a Security Operations Center (SOC). In Cortex XDR/XPro, the power of dashboards comes from ",[26,995,996],{},"XQL (XDR Query Language)",[10,998,999,1000,401,1003,1006,1007,1010,1011,29,1014,1017],{},"In this guide, we will break down eight essential queries for monitoring ",[26,1001,1002],{},"Security Posture",[26,1004,1005],{},"Attack Path"," detections, and ",[26,1008,1009],{},"Asset Inventory",". These queries are specifically designed for dashboard widgets, using the ",[14,1012,1013],{},"comp",[14,1015,1016],{},"view"," stages to create impactful visualizations.",[34,1019],{},[37,1021,1023],{"id":1022},"_1-key-performance-indicator-total-open-issues","1. Key Performance Indicator: Total Open Issues",[10,1025,1026],{},"This query creates a \"Single Value\" widget that displays the total number of critical open issues. It's the first thing an analyst should see.",[443,1028,456],{"id":455},[49,1030,1032],{"className":459,"code":1031,"language":461,"meta":54,"style":54},"dataset=issues \n| filter (xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\") \n  and (xdm.issue.status.progress = \"NEW\" or xdm.issue.status.progress = \"UNDER_INVESTIGATION\") \n  and xdm.issue.external_id contains to_string($y_axis.value) \n| fields xdm.issue.id as issue_id \n| comp count(issue_id) as issues \n| view graph type = single subtype = grouped header = \"Open Issues\" xaxis = xdm.issue.status.progress yaxis = issues headerfontsize = 14\n",[14,1033,1034,1039,1044,1049,1054,1059,1064],{"__ignoreMap":54},[58,1035,1036],{"class":60,"line":61},[58,1037,1038],{},"dataset=issues \n",[58,1040,1041],{"class":60,"line":68},[58,1042,1043],{},"| filter (xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\") \n",[58,1045,1046],{"class":60,"line":99},[58,1047,1048],{},"  and (xdm.issue.status.progress = \"NEW\" or xdm.issue.status.progress = \"UNDER_INVESTIGATION\") \n",[58,1050,1051],{"class":60,"line":114},[58,1052,1053],{},"  and xdm.issue.external_id contains to_string($y_axis.value) \n",[58,1055,1056],{"class":60,"line":120},[58,1057,1058],{},"| fields xdm.issue.id as issue_id \n",[58,1060,1061],{"class":60,"line":142},[58,1062,1063],{},"| comp count(issue_id) as issues \n",[58,1065,1066],{"class":60,"line":163},[58,1067,1068],{},"| view graph type = single subtype = grouped header = \"Open Issues\" xaxis = xdm.issue.status.progress yaxis = issues headerfontsize = 14\n",[443,1070,1072],{"id":1071},"detailed-explanation","Detailed Explanation:",[489,1074,1075,1083,1117,1127],{},[492,1076,1077,1082],{},[26,1078,1079],{},[14,1080,1081],{},"dataset=issues",": We target the issues dataset, which contains security findings from posture scans and attack path analysis.",[492,1084,1085,1088,1089],{},[26,1086,1087],{},"Filtering Logic",":\n",[489,1090,1091,1101,1111],{},[492,1092,1093,1094,17,1097,1100],{},"We narrow down the scope to ",[14,1095,1096],{},"POSTURE",[14,1098,1099],{},"ATTACK_PATH"," domains.",[492,1102,1103,1104,17,1107,1110],{},"We focus only on active work by filtering for ",[14,1105,1106],{},"NEW",[14,1108,1109],{},"UNDER_INVESTIGATION"," statuses.",[492,1112,1113,1116],{},[14,1114,1115],{},"$y_axis.value",": This is a dynamic parameter, allowing the dashboard to filter based on interactions with other widgets.",[492,1118,1119,1122,1123,1126],{},[26,1120,1121],{},"Aggregation",": ",[14,1124,1125],{},"comp count(issue_id)"," calculates the numeric total.",[492,1128,1129,1122,1131,1134],{},[26,1130,943],{},[14,1132,1133],{},"view graph type = single"," renders this as a large, readable number—perfect for high-level summaries.",[34,1136],{},[37,1138,1140],{"id":1139},"_2-risk-distribution-open-issues-by-severity","2. Risk Distribution: Open Issues by Severity",[10,1142,1143],{},"Not all issues are created equal. This query categorizes your open workload by severity levels (Critical, High, Medium, Low) using a Pie Chart.",[443,1145,456],{"id":553},[49,1147,1149],{"className":459,"code":1148,"language":461,"meta":54,"style":54},"dataset=issues \n| filter (xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\") \n  and (xdm.issue.status.progress = \"NEW\" or xdm.issue.status.progress = \"UNDER_INVESTIGATION\") \n  and xdm.issue.external_id contains to_string($y_axis.value) \n| fields xdm.issue.id as issue_id, xdm.issue.severity as severity \n| comp count(issue_id ) as issues by severity \n| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14\n",[14,1150,1151,1155,1159,1163,1167,1172,1177],{"__ignoreMap":54},[58,1152,1153],{"class":60,"line":61},[58,1154,1038],{},[58,1156,1157],{"class":60,"line":68},[58,1158,1043],{},[58,1160,1161],{"class":60,"line":99},[58,1162,1048],{},[58,1164,1165],{"class":60,"line":114},[58,1166,1053],{},[58,1168,1169],{"class":60,"line":120},[58,1170,1171],{},"| fields xdm.issue.id as issue_id, xdm.issue.severity as severity \n",[58,1173,1174],{"class":60,"line":142},[58,1175,1176],{},"| comp count(issue_id ) as issues by severity \n",[58,1178,1179],{"class":60,"line":163},[58,1180,1181],{},"| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14\n",[443,1183,1072],{"id":1184},"detailed-explanation-1",[489,1186,1187,1197,1206],{},[492,1188,1189,1192,1193,1196],{},[26,1190,1191],{},"Field Selection",": We explicitly bring in ",[14,1194,1195],{},"xdm.issue.severity"," to use it for grouping.",[492,1198,1199,1122,1202,1205],{},[26,1200,1201],{},"Grouping",[14,1203,1204],{},"comp ... by severity"," tells Cortex to create a bucket for every severity level found in the filtered records.",[492,1207,1208,1210,1211,1214],{},[26,1209,943],{},": A ",[14,1212,1213],{},"pie"," chart provides an immediate visual of whether your environment is dominated by critical risks or low-level maintenance tasks.",[34,1216],{},[37,1218,1220],{"id":1219},"_3-structural-analysis-issues-by-category","3. Structural Analysis: Issues by Category",[10,1222,1223,1224,1227],{},"Understanding the ",[935,1225,1226],{},"type"," of security gaps is crucial for remediation. Is it an IAM issue? A network misconfiguration? This query breaks it down.",[443,1229,456],{"id":638},[49,1231,1233],{"className":459,"code":1232,"language":461,"meta":54,"style":54},"dataset=issues \n| filter (xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\") \n  and (xdm.issue.status.progress = \"NEW\" or xdm.issue.status.progress = \"UNDER_INVESTIGATION\") \n  and xdm.issue.external_id contains to_string($y_axis.value) \n| fields xdm.issue.id as issue_id, xdm.issue.category as category \n| comp count(issue_id ) as issues by category \n| view graph type = pie subtype = grouped xaxis = category yaxis = issues headerfontsize = 14\n",[14,1234,1235,1239,1243,1247,1251,1256,1261],{"__ignoreMap":54},[58,1236,1237],{"class":60,"line":61},[58,1238,1038],{},[58,1240,1241],{"class":60,"line":68},[58,1242,1043],{},[58,1244,1245],{"class":60,"line":99},[58,1246,1048],{},[58,1248,1249],{"class":60,"line":114},[58,1250,1053],{},[58,1252,1253],{"class":60,"line":120},[58,1254,1255],{},"| fields xdm.issue.id as issue_id, xdm.issue.category as category \n",[58,1257,1258],{"class":60,"line":142},[58,1259,1260],{},"| comp count(issue_id ) as issues by category \n",[58,1262,1263],{"class":60,"line":163},[58,1264,1265],{},"| view graph type = pie subtype = grouped xaxis = category yaxis = issues headerfontsize = 14\n",[443,1267,1072],{"id":1268},"detailed-explanation-2",[489,1270,1271,1279],{},[492,1272,1273,1278],{},[26,1274,1275],{},[14,1276,1277],{},"xdm.issue.category",": This field identifies the security domain of the issue (e.g., Storage, Identity, Networking).",[492,1280,1281,1284],{},[26,1282,1283],{},"Impact",": By visualizing this, SOC managers can assign remediation tasks to specific teams (e.g., the Cloud Infra team vs. the Identity team).",[34,1286],{},[37,1288,1290],{"id":1289},"_4-lifecycle-tracking-issue-progress-status","4. Lifecycle Tracking: Issue Progress Status",[10,1292,1293],{},"Finally, it's important to see the overall health of your issue management process. This query shows how many issues are in each stage of the lifecycle.",[443,1295,456],{"id":730},[49,1297,1299],{"className":459,"code":1298,"language":461,"meta":54,"style":54},"dataset = issues \n| filter xdm.issue.external_id contains to_string($y_axis.value) \n  and xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\" \n| fields xdm.issue.id as issue_id, xdm.issue.status.progress as progress \n| comp count(issue_id ) as issues by progress \n| view graph type = pie subtype = grouped xaxis = progress yaxis = issues headerfontsize = 14\n",[14,1300,1301,1306,1311,1316,1321,1326],{"__ignoreMap":54},[58,1302,1303],{"class":60,"line":61},[58,1304,1305],{},"dataset = issues \n",[58,1307,1308],{"class":60,"line":68},[58,1309,1310],{},"| filter xdm.issue.external_id contains to_string($y_axis.value) \n",[58,1312,1313],{"class":60,"line":99},[58,1314,1315],{},"  and xdm.issue.domain = \"POSTURE\" or xdm.issue.detection.method = \"ATTACK_PATH\" \n",[58,1317,1318],{"class":60,"line":114},[58,1319,1320],{},"| fields xdm.issue.id as issue_id, xdm.issue.status.progress as progress \n",[58,1322,1323],{"class":60,"line":120},[58,1324,1325],{},"| comp count(issue_id ) as issues by progress \n",[58,1327,1328],{"class":60,"line":142},[58,1329,1330],{},"| view graph type = pie subtype = grouped xaxis = progress yaxis = issues headerfontsize = 14\n",[443,1332,1072],{"id":1333},"detailed-explanation-3",[489,1335,1336,1357],{},[492,1337,1338,1341,1342,1345,1346,401,1349,1352,1353,1356],{},[26,1339,1340],{},"Shift in Scope",": Unlike the previous queries, this one ",[935,1343,1344],{},"removes"," the status filter. This allows us to see ",[14,1347,1348],{},"RESOLVED",[14,1350,1351],{},"CLOSED",", and ",[14,1354,1355],{},"DISMISSED"," issues alongside the open ones.",[492,1358,1359,1362],{},[26,1360,1361],{},"Business Value",": This widget serves as a progress tracker, showing the ratio of resolved issues vs. pending ones over time.",[34,1364],{},[37,1366,1368],{"id":1367},"_5-cloud-presence-assets-by-region","5. Cloud Presence: Assets by Region",[10,1370,1371],{},"This query provides a geographic overview of your cloud footprint, grouping assets by their assigned cloud region.",[443,1373,456],{"id":822},[49,1375,1377],{"className":459,"code":1376,"language":461,"meta":54,"style":54},"dataset = asset_inventory \n| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.cloud.region != null\n| comp count() as asset_count by xdm.asset.cloud.region\n| sort desc asset_count\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = xdm.asset.cloud.region yaxis = asset_count default_limit = `false` headerfontsize = 14 legend = `false` \n",[14,1378,1379,1384,1389,1394,1399],{"__ignoreMap":54},[58,1380,1381],{"class":60,"line":61},[58,1382,1383],{},"dataset = asset_inventory \n",[58,1385,1386],{"class":60,"line":68},[58,1387,1388],{},"| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.cloud.region != null\n",[58,1390,1391],{"class":60,"line":99},[58,1392,1393],{},"| comp count() as asset_count by xdm.asset.cloud.region\n",[58,1395,1396],{"class":60,"line":114},[58,1397,1398],{},"| sort desc asset_count\n",[58,1400,1401],{"class":60,"line":120},[58,1402,1403],{},"| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = xdm.asset.cloud.region yaxis = asset_count default_limit = `false` headerfontsize = 14 legend = `false`\n",[443,1405,1072],{"id":1406},"detailed-explanation-4",[489,1408,1409,1417,1425,1433],{},[492,1410,1411,1416],{},[26,1412,1413],{},[14,1414,1415],{},"dataset = asset_inventory",": Switches focus to the asset management data.",[492,1418,1419,1424],{},[26,1420,1421],{},[14,1422,1423],{},"xdm.asset.cloud.region != null",": Ensures we only visualize assets where geographic data is available.",[492,1426,1427,1432],{},[26,1428,1429],{},[14,1430,1431],{},"comp count() ... by xdm.asset.cloud.region",": Aggregates the number of assets per region.",[492,1434,1435,1440],{},[26,1436,1437],{},[14,1438,1439],{},"view graph type = column",": Renders a horizontal column chart, ideal for comparing population sizes across regions.",[34,1442],{},[37,1444,1446],{"id":1445},"_6-vendor-distribution-assets-by-provider","6. Vendor Distribution: Assets by Provider",[10,1448,1449],{},"Understanding your multi-cloud concentration is key for risk management. this query breaks down assets by provider (AWS, Azure, GCP, etc.).",[443,1451,456],{"id":1452},"the-query-5",[49,1454,1456],{"className":459,"code":1455,"language":461,"meta":54,"style":54},"dataset = asset_inventory \n| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.provider != null\n| comp count() as asset_count by xdm.asset.provider\n| view graph type = pie show_callouts_names = `true` show_percentage = `false` xaxis = xdm.asset.provider yaxis = asset_count default_limit = `false` font = \"Arial\" headerfontsize = 14 legend = `false` legend_percentage = `true` \n",[14,1457,1458,1462,1467,1472],{"__ignoreMap":54},[58,1459,1460],{"class":60,"line":61},[58,1461,1383],{},[58,1463,1464],{"class":60,"line":68},[58,1465,1466],{},"| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.provider != null\n",[58,1468,1469],{"class":60,"line":99},[58,1470,1471],{},"| comp count() as asset_count by xdm.asset.provider\n",[58,1473,1474],{"class":60,"line":114},[58,1475,1476],{},"| view graph type = pie show_callouts_names = `true` show_percentage = `false` xaxis = xdm.asset.provider yaxis = asset_count default_limit = `false` font = \"Arial\" headerfontsize = 14 legend = `false` legend_percentage = `true`\n",[443,1478,1072],{"id":1479},"detailed-explanation-5",[489,1481,1482,1490],{},[492,1483,1484,1489],{},[26,1485,1486],{},[14,1487,1488],{},"xdm.asset.provider",": Identifies the underlying cloud or infrastructure provider.",[492,1491,1492,1497],{},[26,1493,1494],{},[14,1495,1496],{},"legend_percentage = true",": Enhances the pie chart by showing what fraction of your total inventory belongs to each provider.",[34,1499],{},[37,1501,1503],{"id":1502},"_7-logical-grouping-assets-by-class","7. Logical Grouping: Assets by Class",[10,1505,1506],{},"Assets are often logically divided into classes (e.g., Computer, Storage, Network). this widget provides a high-level view of these classes.",[443,1508,456],{"id":1509},"the-query-6",[49,1511,1513],{"className":459,"code":1512,"language":461,"meta":54,"style":54},"dataset = asset_inventory \n| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.type.class != null \n| comp count() as asset_count by xdm.asset.type.class \n| view graph type = pie subtype = grouped xaxis = xdm.asset.type.class yaxis = asset_count headerfontsize = 14 \n",[14,1514,1515,1519,1524,1529],{"__ignoreMap":54},[58,1516,1517],{"class":60,"line":61},[58,1518,1383],{},[58,1520,1521],{"class":60,"line":68},[58,1522,1523],{},"| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.type.class != null \n",[58,1525,1526],{"class":60,"line":99},[58,1527,1528],{},"| comp count() as asset_count by xdm.asset.type.class \n",[58,1530,1531],{"class":60,"line":114},[58,1532,1533],{},"| view graph type = pie subtype = grouped xaxis = xdm.asset.type.class yaxis = asset_count headerfontsize = 14\n",[443,1535,1072],{"id":1536},"detailed-explanation-6",[489,1538,1539,1547],{},[492,1540,1541,1546],{},[26,1542,1543],{},[14,1544,1545],{},"xdm.asset.type.class",": Provides a primary classification of the asset type.",[492,1548,1549,1551],{},[26,1550,1283],{},": Helps security admins verify if the ratio of compute to storage assets matches organizational expectations.",[34,1553],{},[37,1555,1557],{"id":1556},"_8-categorical-view-assets-by-category","8. Categorical View: Assets by Category",[10,1559,1560],{},"For a more granular look, this query breaks down assets by their specific category, offering deeper insights than simple class-based grouping.",[443,1562,456],{"id":1563},"the-query-7",[49,1565,1567],{"className":459,"code":1566,"language":461,"meta":54,"style":54},"dataset = asset_inventory \n| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.type.category != null\n| comp count() as asset_count by xdm.asset.type.category\n| view graph type = pie subtype = grouped xaxis = xdm.asset.type.category yaxis = asset_count headerfontsize = 14 \n",[14,1568,1569,1573,1578,1583],{"__ignoreMap":54},[58,1570,1571],{"class":60,"line":61},[58,1572,1383],{},[58,1574,1575],{"class":60,"line":68},[58,1576,1577],{},"| filter xdm.asset.realm contains to_string($y_axis.value) and xdm.asset.type.category != null\n",[58,1579,1580],{"class":60,"line":99},[58,1581,1582],{},"| comp count() as asset_count by xdm.asset.type.category\n",[58,1584,1585],{"class":60,"line":114},[58,1586,1587],{},"| view graph type = pie subtype = grouped xaxis = xdm.asset.type.category yaxis = asset_count headerfontsize = 14\n",[443,1589,1072],{"id":1590},"detailed-explanation-7",[489,1592,1593,1601],{},[492,1594,1595,1600],{},[26,1596,1597],{},[14,1598,1599],{},"xdm.asset.type.category",": Drill down into specific categories (e.g., Virtual Machine, Load Balancer, S3 Bucket).",[492,1602,1603,1605],{},[26,1604,943],{},": A grouped pie chart makes it easy to see which specific service categories are most prevalent in your environment.",[34,1607],{},[37,1609,1611],{"id":1610},"pro-tip-for-dashboards","Pro Tip for Dashboards",[10,1613,1614,1615,1618],{},"When using these queries in Cortex, ensure you set the ",[26,1616,1617],{},"Time Range"," to \"Last 7 Days\" or \"Last 30 Days\" in the widget settings. Posture issues can accumulate, and keeping a tight time window helps you focus on recent regressions!",[34,1620],{},[37,1622,1624],{"id":1623},"summary-table-for-quick-reference","Summary Table for Quick Reference",[849,1626,1627,1640],{},[852,1628,1629],{},[855,1630,1631,1634,1637],{},[858,1632,1633],{"align":860},"Widget Goal",[858,1635,1636],{"align":860},"Chart Type",[858,1638,1639],{"align":860},"Key Field",[866,1641,1642,1657,1672,1686,1700,1715,1729,1743],{},[855,1643,1644,1649,1652],{},[871,1645,1646],{"align":860},[26,1647,1648],{},"Total Workload",[871,1650,1651],{"align":860},"Single Value",[871,1653,1654],{"align":860},[14,1655,1656],{},"count(issue_id)",[855,1658,1659,1664,1667],{},[871,1660,1661],{"align":860},[26,1662,1663],{},"Priority View",[871,1665,1666],{"align":860},"Pie Chart",[871,1668,1669],{"align":860},[14,1670,1671],{},"severity",[855,1673,1674,1679,1681],{},[871,1675,1676],{"align":860},[26,1677,1678],{},"Team Assignment",[871,1680,1666],{"align":860},[871,1682,1683],{"align":860},[14,1684,1685],{},"category",[855,1687,1688,1693,1695],{},[871,1689,1690],{"align":860},[26,1691,1692],{},"Process Health",[871,1694,1666],{"align":860},[871,1696,1697],{"align":860},[14,1698,1699],{},"status.progress",[855,1701,1702,1707,1710],{},[871,1703,1704],{"align":860},[26,1705,1706],{},"Regional Spread",[871,1708,1709],{"align":860},"Column Chart",[871,1711,1712],{"align":860},[14,1713,1714],{},"cloud.region",[855,1716,1717,1722,1724],{},[871,1718,1719],{"align":860},[26,1720,1721],{},"Multi-Cloud View",[871,1723,1666],{"align":860},[871,1725,1726],{"align":860},[14,1727,1728],{},"provider",[855,1730,1731,1736,1738],{},[871,1732,1733],{"align":860},[26,1734,1735],{},"Asset Class",[871,1737,1666],{"align":860},[871,1739,1740],{"align":860},[14,1741,1742],{},"type.class",[855,1744,1745,1750,1752],{},[871,1746,1747],{"align":860},[26,1748,1749],{},"Asset Category",[871,1751,1666],{"align":860},[871,1753,1754],{"align":860},[14,1755,1756],{},"type.category",[10,1758,952],{},[954,1760,1761],{},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":54,"searchDepth":68,"depth":68,"links":1763},[1764,1765,1766,1767,1768,1769,1770,1771,1772,1773],{"id":1022,"depth":99,"text":1023},{"id":1139,"depth":99,"text":1140},{"id":1219,"depth":99,"text":1220},{"id":1289,"depth":99,"text":1290},{"id":1367,"depth":99,"text":1368},{"id":1445,"depth":99,"text":1446},{"id":1502,"depth":99,"text":1503},{"id":1556,"depth":99,"text":1557},{"id":1610,"depth":99,"text":1611},{"id":1623,"depth":99,"text":1624},"Build professional security dashboards with these essential XQL queries for monitoring Posture, Attack Paths, and Asset Inventory.",{"date":1776,"image":1777,"alt":1778,"tags":1779,"published":980},"21st Apr 2026","/blogs-img/first.png","Cortex Dashboards XQL",[975,976,1780,1781,1782,1783],"Dashboard","SecurityOps","Posture","AssetInventory","/blogs/cortex-xql-dashboard-queries-library",{"title":988,"description":1774},"blogs/1. cortex-xql-dashboard-queries-library","u6zVMuLGsr_wJ09JdPrU1utcKWhYijh35gMrcu7_IQ4",{"id":1789,"title":1790,"body":1791,"description":2217,"extension":969,"meta":2218,"navigation":980,"ogImage":2219,"path":2224,"seo":2225,"stem":2226,"__hash__":2227},"content/blogs/2. vulnerability-xql-dashboard-creation.md","Vulnerability XQL Dashboard Creation - Mastering Asset Risk & CVE Tracking",{"type":7,"value":1792,"toc":2211},[1793,1804,1807,1809,1813,1819,1821,1875,1877,1930,1932,1936,1939,1941,1988,1990,2016,2018,2022,2028,2030,2083,2085,2126,2128,2132,2204,2207,2209],[10,1794,1795,1796,1799,1800,1803],{},"Effective vulnerability management requires more than just a list of CVEs; it requires ",[26,1797,1798],{},"visibility"," across your entire infrastructure. In Cortex, the ",[14,1801,1802],{},"issues"," dataset provides a centralized view of vulnerabilities discovered by various security modules.",[10,1805,1806],{},"In this blog, we will explore three advanced XQL queries designed to help you build a professional Vulnerability Management Dashboard. We will focus on severity distribution and asset-level risk analysis.",[34,1808],{},[37,1810,1812],{"id":1811},"_1-vulnerability-severity-distribution-by-asset","1. Vulnerability Severity Distribution by Asset",[10,1814,1815,1816,1818],{},"This query creates a ",[26,1817,1666],{}," that groups open vulnerabilities by their severity level. It includes a dynamic filter for specific asset names, making it perfect for \"Asset Detail\" dashboard views.",[443,1820,456],{"id":455},[49,1822,1824],{"className":459,"code":1823,"language":461,"meta":54,"style":54},"dataset = issues\n| alter \n    severity = xdm.issue.severity, \n    asset_name = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__name\")\n| filter xdm.issue.status.progress != \"RESOLVED\" \n    and xdm.issue.category = \"VULNERABILITY\" \n    and asset_name in ($asset_name)\n| comp count() as issues by severity\n\n| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14 seriestitle(\"issues\",\"CVE\") \n",[14,1825,1826,1830,1835,1840,1845,1850,1855,1860,1865,1870],{"__ignoreMap":54},[58,1827,1828],{"class":60,"line":61},[58,1829,563],{},[58,1831,1832],{"class":60,"line":68},[58,1833,1834],{},"| alter \n",[58,1836,1837],{"class":60,"line":99},[58,1838,1839],{},"    severity = xdm.issue.severity, \n",[58,1841,1842],{"class":60,"line":114},[58,1843,1844],{},"    asset_name = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__name\")\n",[58,1846,1847],{"class":60,"line":120},[58,1848,1849],{},"| filter xdm.issue.status.progress != \"RESOLVED\" \n",[58,1851,1852],{"class":60,"line":142},[58,1853,1854],{},"    and xdm.issue.category = \"VULNERABILITY\" \n",[58,1856,1857],{"class":60,"line":163},[58,1858,1859],{},"    and asset_name in ($asset_name)\n",[58,1861,1862],{"class":60,"line":184},[58,1863,1864],{},"| comp count() as issues by severity\n",[58,1866,1867],{"class":60,"line":199},[58,1868,1869],{"emptyLinePlaceholder":980},"\n",[58,1871,1872],{"class":60,"line":221},[58,1873,1874],{},"| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14 seriestitle(\"issues\",\"CVE\")\n",[443,1876,1072],{"id":1071},[489,1878,1879,1889,1914,1922],{},[492,1880,1881,1885,1886,1888],{},[26,1882,1883],{},[14,1884,435],{},": Vulnerability data often contains nested JSON objects. We use this function to pull the specific asset name from the ",[14,1887,46],{}," blob.",[492,1890,1891,1088,1894],{},[26,1892,1893],{},"Filtering",[489,1895,1896,1902,1908],{},[492,1897,1898,1901],{},[14,1899,1900],{},"xdm.issue.status.progress != \"RESOLVED\"",": Ensures we only focus on active vulnerabilities that still require attention.",[492,1903,1904,1907],{},[14,1905,1906],{},"xdm.issue.category = \"VULNERABILITY\"",": Filters out other types of issues (like posture or policy violations) to focus purely on CVEs.",[492,1909,1910,1913],{},[14,1911,1912],{},"$asset_name",": A dashboard variable that allows users to drill down into a specific machine.",[492,1915,1916,1122,1918,1921],{},[26,1917,1121],{},[14,1919,1920],{},"comp count() as issues by severity"," counts the number of vulnerabilities for each risk level (Critical, High, etc.).",[492,1923,1924,1122,1926,1929],{},[26,1925,943],{},[14,1927,1928],{},"seriestitle(\"issues\",\"CVE\")"," renames the data series in the legend for better clarity for SOC analysts.",[34,1931],{},[37,1933,1935],{"id":1934},"_2-regional-vulnerability-heatmap-severity-by-realm","2. Regional Vulnerability Heatmap (Severity by Realm)",[10,1937,1938],{},"Security posture often varies by business unit or cloud environment (\"Realms\"). This query helps you identify which parts of your infrastructure are most at risk by grouping severities by their asset realm.",[443,1940,456],{"id":553},[49,1942,1944],{"className":459,"code":1943,"language":461,"meta":54,"style":54},"dataset = issues\n| alter \n    severity = xdm.issue.severity, \n    asset_realm = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__realm\")\n| filter xdm.issue.status.progress != \"RESOLVED\" \n    and xdm.issue.category = \"VULNERABILITY\" \n    and asset_realm in (to_string($asset_realm))\n| comp count() as issues by severity\n\n| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14 \n",[14,1945,1946,1950,1954,1958,1963,1967,1971,1976,1980,1984],{"__ignoreMap":54},[58,1947,1948],{"class":60,"line":61},[58,1949,563],{},[58,1951,1952],{"class":60,"line":68},[58,1953,1834],{},[58,1955,1956],{"class":60,"line":99},[58,1957,1839],{},[58,1959,1960],{"class":60,"line":114},[58,1961,1962],{},"    asset_realm = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__realm\")\n",[58,1964,1965],{"class":60,"line":120},[58,1966,1849],{},[58,1968,1969],{"class":60,"line":142},[58,1970,1854],{},[58,1972,1973],{"class":60,"line":163},[58,1974,1975],{},"    and asset_realm in (to_string($asset_realm))\n",[58,1977,1978],{"class":60,"line":184},[58,1979,1864],{},[58,1981,1982],{"class":60,"line":199},[58,1983,1869],{"emptyLinePlaceholder":980},[58,1985,1986],{"class":60,"line":221},[58,1987,1181],{},[443,1989,1072],{"id":1184},[489,1991,1992,2001,2010],{},[492,1993,1994,1997,1998,2000],{},[26,1995,1996],{},"Relational Context",": By extracting ",[14,1999,147],{},", we can see the vulnerability distribution across different cloud accounts or physical locations.",[492,2002,2003,499,2006,2009],{},[26,2004,2005],{},"Dynamic Scope",[14,2007,2008],{},"$asset_realm"," variable allows leadership to see the risk profile of a specific department or region.",[492,2011,2012,2015],{},[26,2013,2014],{},"Logic",": Similar to the first query, this provides a breakdown of severity, but within the context of a wider organizational boundary.",[34,2017],{},[37,2019,2021],{"id":2020},"_3-top-vulnerable-realms-unique-cve-count","3. Top Vulnerable Realms (Unique CVE Count)",[10,2023,2024,2025,21],{},"Not all realms are created equal. Some might have many issues but only a few unique CVEs. This query identifies which asset realms have the highest diversity of vulnerabilities by counting ",[26,2026,2027],{},"unique CVE IDs",[443,2029,456],{"id":638},[49,2031,2033],{"className":459,"code":2032,"language":461,"meta":54,"style":54},"dataset = issues\n| alter asset_realm = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__realm\")\n| alter cve_id = json_extract_scalar(xdm.issue.extended_fields, \"$.cve_id\")\n| filter xdm.issue.category = \"VULNERABILITY\"\n    and asset_realm != null\n    and cve_id != null\n| comp count_distinct(cve_id) as unique_cves by asset_realm\n| sort desc unique_cves\n\n| view graph type = column subtype = grouped layout = horizontal xaxis = asset_realm yaxis = unique_cves headerfontsize = 14 legend = `false` \n",[14,2034,2035,2039,2044,2049,2054,2059,2064,2069,2074,2078],{"__ignoreMap":54},[58,2036,2037],{"class":60,"line":61},[58,2038,563],{},[58,2040,2041],{"class":60,"line":68},[58,2042,2043],{},"| alter asset_realm = json_extract_scalar(xdm.issue.extended_fields, \"$.xdm_assets[0].xdm__asset__realm\")\n",[58,2045,2046],{"class":60,"line":99},[58,2047,2048],{},"| alter cve_id = json_extract_scalar(xdm.issue.extended_fields, \"$.cve_id\")\n",[58,2050,2051],{"class":60,"line":114},[58,2052,2053],{},"| filter xdm.issue.category = \"VULNERABILITY\"\n",[58,2055,2056],{"class":60,"line":120},[58,2057,2058],{},"    and asset_realm != null\n",[58,2060,2061],{"class":60,"line":142},[58,2062,2063],{},"    and cve_id != null\n",[58,2065,2066],{"class":60,"line":163},[58,2067,2068],{},"| comp count_distinct(cve_id) as unique_cves by asset_realm\n",[58,2070,2071],{"class":60,"line":184},[58,2072,2073],{},"| sort desc unique_cves\n",[58,2075,2076],{"class":60,"line":199},[58,2077,1869],{"emptyLinePlaceholder":980},[58,2079,2080],{"class":60,"line":221},[58,2081,2082],{},"| view graph type = column subtype = grouped layout = horizontal xaxis = asset_realm yaxis = unique_cves headerfontsize = 14 legend = `false`\n",[443,2084,1072],{"id":1268},[489,2086,2087,2099,2112,2120],{},[492,2088,2089,2094,2095,2098],{},[26,2090,2091],{},[14,2092,2093],{},"count_distinct(cve_id)",": This is the key metric. It ignores duplicate instances of the same vulnerability across multiple machines and tells you how many ",[935,2096,2097],{},"unique"," security flaws exist in that realm.",[492,2100,2101,2104,2105,29,2108,2111],{},[26,2102,2103],{},"Data Cleaning",": We explicitly filter for ",[14,2106,2107],{},"asset_realm != null",[14,2109,2110],{},"cve_id != null"," to ensure the resulting chart is clean and professional.",[492,2113,2114,2119],{},[26,2115,2116],{},[14,2117,2118],{},"sort desc",": Ranks the realms from \"Most Vulnerable\" to \"Least Vulnerable,\" allowing for immediate prioritization.",[492,2121,2122,2125],{},[26,2123,2124],{},"Horizontal Column Chart",": This layout is ideal for displaying long realm names or IDs clearly along the Y-axis.",[34,2127],{},[37,2129,2131],{"id":2130},"summary-table-for-dashboard-builders","Summary Table for Dashboard Builders",[849,2133,2134,2149],{},[852,2135,2136],{},[855,2137,2138,2141,2144,2147],{},[858,2139,2140],{"align":860},"Dashboard Widget",[858,2142,2143],{"align":860},"Dataset",[858,2145,2146],{"align":860},"Key Metric",[858,2148,943],{"align":860},[866,2150,2151,2169,2186],{},[855,2152,2153,2158,2162,2167],{},[871,2154,2155],{"align":860},[26,2156,2157],{},"Asset Severity View",[871,2159,2160],{"align":860},[14,2161,1802],{},[871,2163,2164],{"align":860},[14,2165,2166],{},"count()",[871,2168,1666],{"align":860},[855,2170,2171,2176,2180,2184],{},[871,2172,2173],{"align":860},[26,2174,2175],{},"Regional Risk Profile",[871,2177,2178],{"align":860},[14,2179,1802],{},[871,2181,2182],{"align":860},[14,2183,2166],{},[871,2185,1666],{"align":860},[855,2187,2188,2193,2197,2201],{},[871,2189,2190],{"align":860},[26,2191,2192],{},"Top Vulnerable Realms",[871,2194,2195],{"align":860},[14,2196,1802],{},[871,2198,2199],{"align":860},[14,2200,2093],{},[871,2202,2203],{"align":860},"Horizontal Column",[10,2205,2206],{},"Mastering these queries will transform your Cortex dashboard from a simple log viewer into a powerful strategic asset for your security team.",[10,2208,952],{},[954,2210,1761],{},{"title":54,"searchDepth":68,"depth":68,"links":2212},[2213,2214,2215,2216],{"id":1811,"depth":99,"text":1812},{"id":1934,"depth":99,"text":1935},{"id":2020,"depth":99,"text":2021},{"id":2130,"depth":99,"text":2131},"Learn how to build advanced vulnerability management dashboards in Cortex XDR using XQL. Track CVEs, assess asset risk, and visualize vulnerability distribution.",{"date":971,"image":2219,"alt":2220,"tags":2221,"published":980},"/blogs-img/vulnerability-dashboard.png","Vulnerability XQL Dashboard",[975,976,2222,2223,1780,1781],"Vulnerability","CVE","/blogs/vulnerability-xql-dashboard-creation",{"title":1790,"description":2217},"blogs/2. vulnerability-xql-dashboard-creation","17VaAV2pvVSQKDwnQNONNRWnJihS3wh5B0-R00Ws2LE",{"id":4,"title":5,"body":2229,"description":968,"extension":969,"meta":2922,"navigation":980,"ogImage":972,"path":981,"seo":2924,"stem":983,"__hash__":984},{"type":7,"value":2230,"toc":2913},[2231,2237,2243,2245,2247,2251,2545,2547,2551,2555,2557,2561,2563,2583,2585,2611,2613,2617,2621,2623,2625,2627,2647,2649,2673,2675,2677,2679,2681,2685,2687,2707,2709,2733,2735,2737,2741,2743,2749,2751,2767,2769,2771,2789,2793,2805,2807,2809,2811,2813,2819,2821,2841,2879,2881,2883,2907,2909,2911],[10,2232,12,2233,17,2235,21],{},[14,2234,16],{},[14,2236,20],{},[10,2238,24,2239,29,2241,21],{},[26,2240,28],{},[26,2242,32],{},[34,2244],{},[37,2246,40],{"id":39},[10,2248,43,2249,47],{},[14,2250,46],{},[49,2252,2253],{"className":51,"code":52,"language":53,"meta":54,"style":54},[14,2254,2255,2259,2277,2289,2293,2311,2329,2347,2359,2377,2393,2397,2401,2405,2417,2435,2451,2455,2467,2485,2501,2505,2541],{"__ignoreMap":54},[58,2256,2257],{"class":60,"line":61},[58,2258,65],{"class":64},[58,2260,2261,2263,2265,2267,2269,2271,2273,2275],{"class":60,"line":68},[58,2262,72],{"class":71},[58,2264,76],{"class":75},[58,2266,79],{"class":71},[58,2268,83],{"class":82},[58,2270,87],{"class":86},[58,2272,91],{"class":90},[58,2274,79],{"class":86},[58,2276,96],{"class":64},[58,2278,2279,2281,2283,2285,2287],{"class":60,"line":99},[58,2280,72],{"class":71},[58,2282,104],{"class":75},[58,2284,79],{"class":71},[58,2286,83],{"class":82},[58,2288,111],{"class":64},[58,2290,2291],{"class":60,"line":114},[58,2292,117],{"class":64},[58,2294,2295,2297,2299,2301,2303,2305,2307,2309],{"class":60,"line":120},[58,2296,123],{"class":71},[58,2298,126],{"class":75},[58,2300,79],{"class":71},[58,2302,83],{"class":82},[58,2304,87],{"class":86},[58,2306,135],{"class":90},[58,2308,79],{"class":86},[58,2310,96],{"class":64},[58,2312,2313,2315,2317,2319,2321,2323,2325,2327],{"class":60,"line":142},[58,2314,123],{"class":71},[58,2316,147],{"class":75},[58,2318,79],{"class":71},[58,2320,83],{"class":82},[58,2322,87],{"class":86},[58,2324,156],{"class":90},[58,2326,79],{"class":86},[58,2328,96],{"class":64},[58,2330,2331,2333,2335,2337,2339,2341,2343,2345],{"class":60,"line":163},[58,2332,123],{"class":71},[58,2334,168],{"class":75},[58,2336,79],{"class":71},[58,2338,83],{"class":82},[58,2340,87],{"class":86},[58,2342,177],{"class":90},[58,2344,79],{"class":86},[58,2346,96],{"class":64},[58,2348,2349,2351,2353,2355,2357],{"class":60,"line":184},[58,2350,123],{"class":71},[58,2352,189],{"class":75},[58,2354,79],{"class":71},[58,2356,83],{"class":82},[58,2358,196],{"class":64},[58,2360,2361,2363,2365,2367,2369,2371,2373,2375],{"class":60,"line":199},[58,2362,202],{"class":71},[58,2364,205],{"class":75},[58,2366,79],{"class":71},[58,2368,83],{"class":82},[58,2370,87],{"class":86},[58,2372,214],{"class":90},[58,2374,79],{"class":86},[58,2376,96],{"class":64},[58,2378,2379,2381,2383,2385,2387,2389,2391],{"class":60,"line":221},[58,2380,202],{"class":71},[58,2382,226],{"class":75},[58,2384,79],{"class":71},[58,2386,83],{"class":82},[58,2388,87],{"class":86},[58,2390,235],{"class":90},[58,2392,238],{"class":86},[58,2394,2395],{"class":60,"line":241},[58,2396,244],{"class":64},[58,2398,2399],{"class":60,"line":247},[58,2400,250],{"class":64},[58,2402,2403],{"class":60,"line":253},[58,2404,256],{"class":64},[58,2406,2407,2409,2411,2413,2415],{"class":60,"line":259},[58,2408,72],{"class":71},[58,2410,264],{"class":75},[58,2412,79],{"class":71},[58,2414,83],{"class":82},[58,2416,196],{"class":64},[58,2418,2419,2421,2423,2425,2427,2429,2431,2433],{"class":60,"line":273},[58,2420,276],{"class":71},[58,2422,279],{"class":75},[58,2424,79],{"class":71},[58,2426,83],{"class":82},[58,2428,87],{"class":86},[58,2430,288],{"class":90},[58,2432,79],{"class":86},[58,2434,96],{"class":64},[58,2436,2437,2439,2441,2443,2445,2447,2449],{"class":60,"line":295},[58,2438,276],{"class":71},[58,2440,300],{"class":75},[58,2442,79],{"class":71},[58,2444,83],{"class":82},[58,2446,87],{"class":86},[58,2448,309],{"class":90},[58,2450,238],{"class":86},[58,2452,2453],{"class":60,"line":314},[58,2454,317],{"class":64},[58,2456,2457,2459,2461,2463,2465],{"class":60,"line":320},[58,2458,72],{"class":71},[58,2460,325],{"class":75},[58,2462,79],{"class":71},[58,2464,83],{"class":82},[58,2466,196],{"class":64},[58,2468,2469,2471,2473,2475,2477,2479,2481,2483],{"class":60,"line":334},[58,2470,276],{"class":71},[58,2472,339],{"class":75},[58,2474,79],{"class":71},[58,2476,83],{"class":82},[58,2478,87],{"class":86},[58,2480,348],{"class":90},[58,2482,79],{"class":86},[58,2484,96],{"class":64},[58,2486,2487,2489,2491,2493,2495,2497,2499],{"class":60,"line":355},[58,2488,276],{"class":71},[58,2490,360],{"class":75},[58,2492,79],{"class":71},[58,2494,83],{"class":82},[58,2496,87],{"class":86},[58,2498,369],{"class":90},[58,2500,238],{"class":86},[58,2502,2503],{"class":60,"line":374},[58,2504,317],{"class":64},[58,2506,2507,2509,2511,2513,2515,2517,2519,2521,2523,2525,2527,2529,2531,2533,2535,2537,2539],{"class":60,"line":379},[58,2508,72],{"class":71},[58,2510,384],{"class":75},[58,2512,79],{"class":71},[58,2514,83],{"class":82},[58,2516,391],{"class":64},[58,2518,79],{"class":86},[58,2520,396],{"class":90},[58,2522,79],{"class":86},[58,2524,401],{"class":64},[58,2526,79],{"class":86},[58,2528,406],{"class":90},[58,2530,79],{"class":86},[58,2532,401],{"class":64},[58,2534,79],{"class":86},[58,2536,415],{"class":90},[58,2538,79],{"class":86},[58,2540,420],{"class":64},[58,2542,2543],{"class":60,"line":423},[58,2544,426],{"class":64},[34,2546],{},[37,2548,432,2549],{"id":431},[14,2550,435],{},[10,2552,438,2553,21],{},[26,2554,441],{},[443,2556,446],{"id":445},[10,2558,449,2559,452],{},[14,2560,264],{},[443,2562,456],{"id":455},[49,2564,2565],{"className":459,"code":460,"language":461,"meta":54,"style":54},[14,2566,2567,2571,2575,2579],{"__ignoreMap":54},[58,2568,2569],{"class":60,"line":61},[58,2570,468],{},[58,2572,2573],{"class":60,"line":68},[58,2574,473],{},[58,2576,2577],{"class":60,"line":99},[58,2578,478],{},[58,2580,2581],{"class":60,"line":114},[58,2582,483],{},[443,2584,487],{"id":486},[489,2586,2587,2595,2601],{},[492,2588,2589,499,2593,503],{},[26,2590,2591],{},[14,2592,498],{},[14,2594,502],{},[492,2596,2597,509,2599,21],{},[26,2598,508],{},[14,2600,512],{},[492,2602,2603,518,2605,522,2607,526,2609,529],{},[26,2604,517],{},[14,2606,521],{},[14,2608,525],{},[14,2610,264],{},[34,2612],{},[37,2614,535,2615],{"id":534},[14,2616,538],{},[10,2618,541,2619,21],{},[14,2620,538],{},[443,2622,547],{"id":546},[10,2624,550],{},[443,2626,456],{"id":553},[49,2628,2629],{"className":459,"code":556,"language":461,"meta":54,"style":54},[14,2630,2631,2635,2639,2643],{"__ignoreMap":54},[58,2632,2633],{"class":60,"line":61},[58,2634,563],{},[58,2636,2637],{"class":60,"line":68},[58,2638,568],{},[58,2640,2641],{"class":60,"line":99},[58,2642,573],{},[58,2644,2645],{"class":60,"line":114},[58,2646,578],{},[443,2648,487],{"id":581},[489,2650,2651,2657,2665],{},[492,2652,2653,591],{},[26,2654,2655],{},[14,2656,590],{},[492,2658,2659,597,2661,600,2663,21],{},[26,2660,596],{},[14,2662,435],{},[14,2664,603],{},[492,2666,2667,609,2669,612,2671,616],{},[26,2668,608],{},[14,2670,590],{},[14,2672,615],{},[34,2674],{},[37,2676,622],{"id":621},[10,2678,625],{},[443,2680,629],{"id":628},[10,2682,632,2683,635],{},[14,2684,384],{},[443,2686,456],{"id":638},[49,2688,2689],{"className":459,"code":641,"language":461,"meta":54,"style":54},[14,2690,2691,2695,2699,2703],{"__ignoreMap":54},[58,2692,2693],{"class":60,"line":61},[58,2694,648],{},[58,2696,2697],{"class":60,"line":68},[58,2698,653],{},[58,2700,2701],{"class":60,"line":99},[58,2702,658],{},[58,2704,2705],{"class":60,"line":114},[58,2706,663],{},[443,2708,487],{"id":666},[489,2710,2711,2719,2727],{},[492,2712,2713,676,2717,680],{},[26,2714,2715],{},[14,2716,675],{},[14,2718,679],{},[492,2720,2721,688,2725,692],{},[26,2722,2723],{},[14,2724,687],{},[26,2726,691],{},[492,2728,2729,700],{},[26,2730,2731],{},[14,2732,699],{},[34,2734],{},[37,2736,706],{"id":705},[10,2738,709,2739,21],{},[14,2740,712],{},[443,2742,716],{"id":715},[10,2744,719,2745,723,2747,727],{},[14,2746,722],{},[14,2748,726],{},[443,2750,456],{"id":730},[49,2752,2753],{"className":459,"code":733,"language":461,"meta":54,"style":54},[14,2754,2755,2759,2763],{"__ignoreMap":54},[58,2756,2757],{"class":60,"line":61},[58,2758,563],{},[58,2760,2761],{"class":60,"line":68},[58,2762,744],{},[58,2764,2765],{"class":60,"line":99},[58,2766,749],{},[443,2768,753],{"id":752},[10,2770,756],{},[489,2772,2773,2781],{},[492,2774,2775,766,2779,21],{},[26,2776,2777],{},[14,2778,765],{},[14,2780,538],{},[492,2782,2783,766,2787,21],{},[26,2784,2785],{},[14,2786,775],{},[14,2788,435],{},[10,2790,2791],{},[26,2792,782],{},[49,2794,2795],{"className":459,"code":785,"language":461,"meta":54,"style":54},[14,2796,2797,2801],{"__ignoreMap":54},[58,2798,2799],{"class":60,"line":61},[58,2800,563],{},[58,2802,2803],{"class":60,"line":68},[58,2804,796],{},[34,2806],{},[37,2808,802],{"id":801},[10,2810,805],{},[443,2812,809],{"id":808},[10,2814,812,2815,815,2817,819],{},[14,2816,339],{},[14,2818,818],{},[443,2820,456],{"id":822},[49,2822,2823],{"className":459,"code":825,"language":461,"meta":54,"style":54},[14,2824,2825,2829,2833,2837],{"__ignoreMap":54},[58,2826,2827],{"class":60,"line":61},[58,2828,832],{},[58,2830,2831],{"class":60,"line":68},[58,2832,837],{},[58,2834,2835],{"class":60,"line":99},[58,2836,842],{},[58,2838,2839],{"class":60,"line":114},[58,2840,847],{},[849,2842,2843,2851],{},[852,2844,2845],{},[855,2846,2847,2849],{},[858,2848,861],{"align":860},[858,2850,864],{"align":860},[866,2852,2853,2861,2871],{},[855,2854,2855,2859],{},[871,2856,2857],{"align":860},[14,2858,875],{},[871,2860,878],{"align":860},[855,2862,2863,2867],{},[871,2864,2865],{"align":860},[14,2866,885],{},[871,2868,888,2869,891],{"align":860},[14,2870,360],{},[855,2872,2873,2877],{},[871,2874,2875],{"align":860},[14,2876,898],{},[871,2878,901],{"align":860},[34,2880],{},[37,2882,907],{"id":906},[909,2884,2885,2893,2901],{},[492,2886,2887,916,2889,920,2891,21],{},[26,2888,915],{},[14,2890,919],{},[14,2892,923],{},[492,2894,2895,929,2897,933,2899,938],{},[26,2896,928],{},[14,2898,932],{},[935,2900,937],{},[492,2902,2903,929,2905,946],{},[26,2904,943],{},[14,2906,699],{},[10,2908,949],{},[10,2910,952],{},[954,2912,956],{},{"title":54,"searchDepth":68,"depth":68,"links":2914},[2915,2916,2917,2918,2919,2920,2921],{"id":39,"depth":99,"text":40},{"id":431,"depth":99,"text":961},{"id":534,"depth":99,"text":963},{"id":621,"depth":99,"text":622},{"id":705,"depth":99,"text":706},{"id":801,"depth":99,"text":802},{"id":906,"depth":99,"text":907},{"date":971,"image":972,"alt":973,"tags":2923,"published":980},[975,976,977,978,979],{"title":5,"description":968},1776839512513]