is_ipv6 - Learn more about the Cortex Query Language is_ipv6() function. - Administrator Guide - Cortex XDR - Cortex

is_ipv6 - Learn more about the Cortex Query Language is_ipv6() function. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-12-16

Syntax

is_ipv6(<IPv6_address>)

Description

The is_ipv6() function accepts a string, and returns true if the string is a valid IPv6 address. The IPv6 address can be either an explicit string using quotes (""), such as "3031:3233:3435:3637:3839:4041:4243:4445", or a string field.

Note

The <IPv6_address> must contain an IPv6 address in an IPv6 field. For production purposes, this IPv6 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv6 address to a field, and then use that field with this function.

Example

The example provided is based on the following data table for a dataset called ips_test_raw:

_TIME	IP	_VENDOR	_PRODUCT
Mar 26th 2025 19:26:07	1.1.1.1	ips	test
Mar 26th 2025 19:26:07	192.168.1.100	ips	test
Mar 26th 2025 19:26:07	FF0E::1	ips	test
Mar 26th 2025 19:26:07	127.0.0.1	ips	test
Mar 26th 2025 19:26:07	172.32.0.1	ips	test
Mar 26th 2025 19:26:07	2606:4700:4700::1111	ips	test

Returns all the IPv6 addresses from the ip field in the ips_test_raw dataset. When the is_ipv6 function returns true, the results are displayed with a new IsIpv6 column (field) indicating a true value. If the function returns false, no results are returned.

_TIME	IP	_VENDOR	_PRODUCT	ISIPV6
Mar 26th 2025 19:26:07	FF0E::1	ips	test	true
Mar 26th 2025 19:26:07	2606:4700:4700::1111	ips	test	true