Abstract
Learn more about the Cortex Query Language incidrlist() function.
Syntax
incidrlist(<IP_address list>, <CIDR_range>)
Description
The incidrlist() function accepts a string containing a comma-separated list of IP addresses and an IP range in CIDR notation, and returns true only if every address in the list falls within that range. A single address outside the range makes the result false.
Examples
Return true if every IP address in the list falls within the specified IP range. Note that the input is a comma-separated list of IP addresses in a single string, not an array of IP addresses.
alter inrange = incidrlist("192.168.10.16,192.168.10.3", "192.168.10.0/24") | fields inrange | limit 1
If you want to evaluate a true array of IP addresses, first convert the array to a comma-separated list using arraystring(). For example, using the panw_ngfw_traffic_raw dataset:
dataset = panw_ngfw_traffic_raw | filter dest_ip != null | comp values(dest_ip) as dips by source_ip,action | alter dips = arraystring(dips, ", ") | alter inrange = incidrlist(dips, "192.168.10.0/24") | fields source_ip, action, dips, inrange | limit 100
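Because incidrlist() is true only when every address is in range, negating it is a convenient way to surface hosts that talked to at least one destination outside an expected range. The following query is an added example, not one from the original page: it builds on the panw_ngfw_traffic_raw query above, keeps the same source_ip, dest_ip and action fields, and uses an assumed placeholder range of 10.0.0.0/8 that should be replaced with your own internal CIDR.

```xql
// Added example (not from the original page). Flag source IPs whose
// observed destinations are NOT all inside the internal range.
// incidrlist() returns true only when every address is in range, so
// inrange = false means at least one destination fell outside 10.0.0.0/8.
// 10.0.0.0/8 is an assumed placeholder; substitute your own internal CIDR.
dataset = panw_ngfw_traffic_raw
| filter dest_ip != null
| comp values(dest_ip) as dips by source_ip, action
| alter dips = arraystring(dips, ", ")
| alter inrange = incidrlist(dips, "10.0.0.0/8")
| filter inrange = false
| fields source_ip, action, dips
| limit 100
```

Each returned row lists the full set of destinations for that source_ip and action, so you can see which address broke the range check rather than only the boolean. If you need per-destination granularity instead, skip the comp/arraystring step and call incidrlist() on dest_ip directly, since a single address is a valid one-element list.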