incidr6 - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language incidr6() function.

Syntax
incidr6(<IPv6_address>, <CIDR1_range1> | <CIDR1_range1, CIDR2_range2, ...>)
Description

The incidr6() function accepts an IPv6 address, and an IPv6 range or comma separated IPv6 ranges using CIDR notation, and returns true if the address is in range. Both the IPv6 address and CIDR ranges can be either an explicit string using quotes (""), such as "3031:3233:3435:3637:3839:4041:4243:4445", or a string field.

Note

The first parameter must contain an IPv6 address contained in an IPv6 field. For production purposes, this IPv6 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv6 address to a field, and then use that field with this function.

Multiple CIDRs are defined with comma separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When defining multiple CIDRs, the logical OR is used between the CIDRS listed, so as long as one address is in range the entire statement returns true. Here are a few examples of how this logic works to determine whether the incidr6() function returns true and displays results or false, where no results are displayed:

  • Function returns true and results are displayed:

    dataset = test 
    | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" 
    | filter incidr(ip_address, "3031:3233:3435:3637:0000:0000:0000:0000/64, 6081:6233:6435:6637:0000:0000:0000:0000/64") = true
  • Function returns false and no results are displayed:

    dataset = test 
    | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" 
    | filter incidr(ip_address, "6081:6233:6435:6637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = true
  • Function returns false and no results are displayed:

    dataset = test 
    | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" 
    | filter incidr(ip_address, "3031:3233:3435:3637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = false
  • Function returns true and results are displayed:

    dataset = test 
    | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" 
    | filter incidr(ip_address, "6081:6233:6435:6637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = false

Note

The same logic is used when using the incidr6 and not incidr6 operators. For more information, see Supported operators.

Example

Return a maximum of 10 xdr_data records, if the IPV6 address (3031:3233:3435:3637:3839:4041:4243:4445) is in range by verifying against a single CIDR (3031:3233:3435:3637:0000:0000:0000:0000/64):

alter my_ip = "3031:3233:3435:3637:3839:4041:4243:4445"
| alter inrange = incidr6(my_ip, "3031:3233:3435:3637:0000:0000:0000:0000/64")
| fields inrange
| limit 10

Return a maximum of 10 xdr_data records, if the IPV6 address (3031:3233:3435:3637:3839:4041:4243:4445) is in range by verifying against multiple CIDRs (2001:0db8:85a3:0000:0000:8a2e:0000:0000/64 or fe80::/10):

dataset = xdr_data 
| alter ip_address = "fe80::1" 
| filter incidr6(ip_address, "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10") = true 
| limit 10