incidrlist - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language incidrlist() function.

Syntax
incidrlist(<IP_address list>, <CIDR_range>)
Description

The incidrlist() function accepts a string containing a comma-separated list of IP addresses and an IP range in CIDR notation, and returns true only if every address in the list falls within that range.

Examples

Return true if all of the IP addresses in the list fall within the specified CIDR range. Note that the input type is a comma-separated list of IP addresses held in a string, not an array of IP addresses.

alter inrange = incidrlist("192.168.10.16,192.168.10.3",
                           "192.168.10.0/24")
| fields inrange
| limit 1

If you want to evaluate a true array of IP addresses, convert the array to a comma-separated list using arraystring(). For example, using the panw_ngfw_traffic_raw dataset:

dataset = panw_ngfw_traffic_raw
| filter dest_ip != null
| comp values(dest_ip) as dips by source_ip,action
| alter dips = arraystring(dips, ", ")
| alter inrange = incidrlist(dips, "192.168.10.0/24")
| fields source_ip, action, dips, inrange
| limit 100
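The following Python is an added illustration, not part of the Cortex XDR documentation. It models the semantics the second query relies on: distinct destinations are collected per source_ip and action, joined with ", " as arraystring() does, and incidrlist() reports true only when every destination is inside the CIDR range, so a false result on a group means at least one destination fell outside it. Whitespace tolerance around each address and the handling of an empty list are assumptions, not behaviour the page states.

```python
import ipaddress
from collections import defaultdict


def incidrlist(ip_list: str, cidr: str) -> bool:
    """Emulate the XQL incidrlist() semantics described on the page:
    True only if every address in the comma-separated string is inside cidr.
    Assumption: whitespace around each address is tolerated, so a list built
    with arraystring(dips, ", ") evaluates the same as one joined with ","."""
    network = ipaddress.ip_network(cidr, strict=False)
    addresses = [a.strip() for a in ip_list.split(",") if a.strip()]
    if not addresses:
        return False  # assumption: an empty list does not count as "all in range"
    return all(ipaddress.ip_address(a) in network for a in addresses)


# Constructed sample rows standing in for panw_ngfw_traffic_raw records.
SAMPLE_TRAFFIC = [
    {"source_ip": "10.0.0.5", "action": "allow", "dest_ip": "192.168.10.16"},
    {"source_ip": "10.0.0.5", "action": "allow", "dest_ip": "192.168.10.3"},
    {"source_ip": "10.0.0.7", "action": "allow", "dest_ip": "192.168.10.44"},
    {"source_ip": "10.0.0.7", "action": "allow", "dest_ip": "203.0.113.9"},
    {"source_ip": "10.0.0.9", "action": "deny", "dest_ip": None},
]


def destinations_in_range(rows, cidr):
    """Mirror the page's query: drop null dest_ip, collect distinct
    destinations per (source_ip, action), join them with ", " and evaluate
    incidrlist(). Returns {(source_ip, action): (dips, inrange)}."""
    grouped = defaultdict(list)
    for row in rows:
        if row["dest_ip"] is None:  # filter dest_ip != null
            continue
        key = (row["source_ip"], row["action"])
        if row["dest_ip"] not in grouped[key]:  # comp values(dest_ip)
            grouped[key].append(row["dest_ip"])
    return {key: (", ".join(dips), incidrlist(", ".join(dips), cidr))
            for key, dips in grouped.items()}


if __name__ == "__main__":
    results = destinations_in_range(SAMPLE_TRAFFIC, "192.168.10.0/24")
    for (src, action), (dips, inrange) in results.items():
        print(src, action, dips, inrange)
```

In the sample, 10.0.0.7 evaluates to false even though one of its destinations is inside the range, which is the behaviour to expect when using the result to flag hosts that reached addresses outside an approved subnet.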