Learn more about the Cortex Query Language incidr6() function.
Syntax
incidr6(<IPv6_address>, <CIDR_range1> | <CIDR_range1, CIDR_range2, ...>)
Description
The incidr6() function accepts an IPv6 address and an IPv6 range, or comma-separated IPv6 ranges, in CIDR notation, and returns true if the address is in range. Both the IPv6 address and the CIDR ranges can be either an explicit string in quotes (""), such as "3031:3233:3435:3637:3839:4041:4243:4445", or a string field.
Note
The first parameter must contain an IPv6 address contained in an IPv6 field. For production purposes, this IPv6 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv6 address to a field, and then use that field with this function.
Multiple CIDRs are defined with comma-separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When defining multiple CIDRs, a logical OR is applied across the CIDRs listed, so as long as the address is in at least one range the entire statement returns true. Here are a few examples of how this logic determines whether the incidr6() function returns true, and results are displayed, or false, and no results are displayed:
Function returns true and results are displayed:
dataset = test | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" | filter incidr6(ip_address, "3031:3233:3435:3637:0000:0000:0000:0000/64, 6081:6233:6435:6637:0000:0000:0000:0000/64") = true
Function returns false and no results are displayed:
dataset = test | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" | filter incidr6(ip_address, "6081:6233:6435:6637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = true
Function returns false and no results are displayed:
dataset = test | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" | filter incidr6(ip_address, "3031:3233:3435:3637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = false
Function returns true and results are displayed:
dataset = test | alter ip_address = "3031:3233:3435:3637:3839:4041:4243:4445" | filter incidr6(ip_address, "6081:6233:6435:6637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10") = false
Note
The same logic is used with the incidr6 and not incidr6 operators. For more information, see Supported operators.
Example
Return a maximum of 10 xdr_data records, if the IPv6 address (3031:3233:3435:3637:3839:4041:4243:4445) is in range, verified against a single CIDR (3031:3233:3435:3637:0000:0000:0000:0000/64):
alter my_ip = "3031:3233:3435:3637:3839:4041:4243:4445" | alter inrange = incidr6(my_ip, "3031:3233:3435:3637:0000:0000:0000:0000/64") | fields inrange | limit 10
Return a maximum of 10 xdr_data records, if the IPv6 address (fe80::1) is in range, verified against multiple CIDRs (2001:0db8:85a3:0000:0000:8a2e:0000:0000/64 or fe80::/10):
dataset = xdr_data | alter ip_address = "fe80::1" | filter incidr6(ip_address, "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10") = true | limit 10
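The following Python script is an added example, not part of the Cortex documentation and not Palo Alto Networks code. It reproduces the incidr6() semantics described above (one IPv6 address, a single string of comma-separated CIDR ranges, logical OR across the ranges) with the standard-library ipaddress module, so you can check what a filter such as "incidr6(ip_address, <ranges>) = true" will match before committing it to a query or a Correlation Rule. The function names incidr6 and filter_passes are this example's own; the addresses and ranges are the ones used in the page's examples.

```python
import ipaddress

# Helper names (incidr6, filter_passes) are this example's own, not XQL built-ins.


def incidr6(address: str, cidr_ranges: str) -> bool:
    """Mirror the XQL incidr6() function.

    address      -- an IPv6 address as a string (the value of a string field)
    cidr_ranges  -- one string holding one or more IPv6 CIDR ranges,
                    separated by commas, e.g. "fe80::/10, 2001:db8::/64"
    Returns True if the address lies in ANY of the ranges (logical OR).
    Raises ValueError for input that is not a valid IPv6 address.
    """
    try:
        ip = ipaddress.IPv6Address(address.strip())
    except ipaddress.AddressValueError as exc:
        # incidr6() is IPv6-only; an IPv4 value (or garbage) is a caller bug
        raise ValueError(f"incidr6 requires an IPv6 address, got {address!r}") from exc

    for raw in cidr_ranges.split(","):
        cidr = raw.strip()
        if not cidr:
            # tolerate a trailing comma or doubled separator
            continue
        # strict=False lets a range keep host bits in its prefix, as the page's
        # "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64" does; only the leading
        # prefix-length bits take part in the comparison.
        network = ipaddress.IPv6Network(cidr, strict=False)
        if ip in network:
            return True
    return False


def filter_passes(address: str, cidr_ranges: str, expected: bool) -> bool:
    """Evaluate the XQL stage 'filter incidr6(address, ranges) = expected'.

    True means the record would be kept (results displayed), False means the
    record is dropped (no results displayed).
    """
    return incidr6(address, cidr_ranges) is expected


# Constructed sample values taken from the page's worked examples.
ADDR = "3031:3233:3435:3637:3839:4041:4243:4445"
IN_RANGE = "3031:3233:3435:3637:0000:0000:0000:0000/64, 6081:6233:6435:6637:0000:0000:0000:0000/64"
OUT_OF_RANGE = "6081:6233:6435:6637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10"
MIXED = "3031:3233:3435:3637:0000:0000:0000:0000/64, 7081:7234:7435:7737:0000:0000:0000:0000/64, fe80::/10"


def page_examples() -> dict:
    """Return the outcome of each of the page's four filter examples."""
    return {
        "in_range = true": filter_passes(ADDR, IN_RANGE, True),          # results displayed
        "out_of_range = true": filter_passes(ADDR, OUT_OF_RANGE, True),  # no results
        "mixed = false": filter_passes(ADDR, MIXED, False),              # no results
        "out_of_range = false": filter_passes(ADDR, OUT_OF_RANGE, False),  # results displayed
        "fe80::1 multi = true": filter_passes("fe80::1", "2001:0db8:85a3:0000:0000:8a2e:0000:0000/64, fe80::/10", True),
    }


if __name__ == "__main__":
    for label, kept in page_examples().items():
        print(f"{label:24} -> {'results displayed' if kept else 'no results'}")
```

The one behaviour worth noting from running this is that only the prefix-length bits of each range matter, so a /64 written with non-zero trailing bits still matches any address sharing its first 64 bits; if the query engine rejects such a range, normalise it (2001:0db8:85a3::/64) before use.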