is_known_private_ipv6 - Learn more about the Cortex Query Language is_known_private_ipv6() function. - Administrator Guide - Cortex XDR - Cortex

is_known_private_ipv6 - Learn more about the Cortex Query Language is_known_private_ipv6() function. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2026-02-10

Syntax

is_known_private_ipv6(<IPv6_address>)

Description

The is_known_private_ipv6() function accepts an IPv6 address, and returns true if the IPv6 string address belongs to any of the following known set of private network IPs:

FC00::/7
FD00::/7

The IPv6 address can be either an explicit string using quotes (""), such as "3031:3233:3435:3637:3839:4041:4243:4445", or a string field.

Note

The <IPv6_address> must contain an IPv6 address in an IPv6 field. For production purposes, this IPv6 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv6 address to a field, and then use that field with this function.

Example

The example provided is based on the following data table for a dataset called ips_test_raw:

_TIME	IP	_VENDOR	_PRODUCT
Mar 26th 2025 19:26:07	FC00::1	ips	test
Mar 26th 2025 19:26:07	192.168.1.100	ips	test
Mar 26th 2025 19:26:07	FF0E::1	ips	test
Mar 26th 2025 19:26:07	127.0.0.1	ips	test
Mar 26th 2025 19:26:07	172.32.0.1	ips	test
Mar 26th 2025 19:26:07	2606:4700:4700::1111	ips	test

Returns all the IPv6 addresses that belong to a set of known private network IPs from the ip field in the ips_test_raw dataset. When the is_known_private_ipv6 function returns true, the results are displayed with a new IsKnownPrivateIpv6 column (field) indicating a true value. If the function returns false, no results are returned.

_TIME	IP	_VENDOR	_PRODUCT	ISKNOWNPRIVATEIPV6
Mar 26th 2025 19:26:07	FC00::1	ips	test	true