incidr - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-05-06
Last date published
2024-11-06
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language incidr() function.

Syntax

incidr(<IPv4_address>, <CIDR_range1> | <CIDR_range1, CIDR_range2, ...>)

Description

The incidr() function accepts an IPv4 address and either a single IPv4 range or a comma-separated list of IPv4 ranges in CIDR notation, and returns true if the address is in range. Both the IPv4 address and the CIDR ranges can be either an explicit quoted string (""), such as "192.168.0.1", or a string field.

Note

The first parameter must be an IPv4 address held in an IPv4 field. In production, this address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv4 address to a field with alter, and then pass that field to this function.

Multiple CIDRs are defined with comma-separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When multiple CIDRs are defined, a logical OR is applied across the listed CIDRs, so as long as the address falls in at least one of the ranges, the entire statement returns true. The following examples show how this logic determines whether the incidr() function returns true, in which case results are displayed, or false, in which case no results are displayed:

  • Function returns true and results are displayed:

    dataset = test
    | alter ip_address = "192.168.0.1"
    | filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true

  • Function returns false and no results are displayed:

    dataset = test
    | alter ip_address = "192.168.0.1"
    | filter incidr(ip_address, "2.168.0.0/24, 1.168.0.0/24") = true

  • Function returns false and no results are displayed:

    dataset = test
    | alter ip_address = "192.168.0.1"
    | filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = false

  • Function returns true and results are displayed:

    dataset = test
    | alter ip_address = "192.168.0.1"
    | filter incidr(ip_address, "2.168.0.0/24, 1.168.0.0/24") = false

Note

The same logic applies when using the incidr and not incidr operators. For more information, see Supported Operators.
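To check the OR logic and the four cases above outside Cortex XDR, here is a Python emulation of incidr() run over a constructed set of rows. It is added here as an illustration and is not Palo Alto Networks code or XQL; the split-on-comma parsing, the rejection of non-IPv4 input and the handling of malformed CIDRs are assumptions about the XQL behaviour, which the page does not spell out.

```python
import ipaddress


def incidr(ip_address: str, cidr_ranges: str) -> bool:
    """Emulate XQL incidr(): True if ip_address lies in ANY of the
    comma-separated IPv4 CIDR ranges (logical OR between ranges)."""
    addr = ipaddress.ip_address(ip_address.strip())
    if addr.version != 4:
        # Assumption: the page says IPv4 only, so refuse IPv6 loudly.
        raise ValueError(f"incidr() expects an IPv4 address, got {ip_address!r}")
    for raw in cidr_ranges.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing comma such as "10.0.0.0/8,"
        # Assumption: a CIDR with host bits set (e.g. 10.0.0.5/24) is
        # treated as malformed; ipaddress raises ValueError for it.
        network = ipaddress.ip_network(raw)
        if network.version != 4:
            raise ValueError(f"incidr() expects IPv4 CIDR ranges, got {raw!r}")
        if addr in network:
            return True  # first matching range wins: OR semantics
    return False


def filter_rows(rows, ip_field: str, cidr_ranges: str, expected: bool):
    """Emulate `| filter incidr(<ip_field>, "<cidrs>") = <expected>`:
    keep only rows whose incidr() result equals the comparison value."""
    return [row for row in rows if incidr(row[ip_field], cidr_ranges) == expected]


# Constructed sample rows (not from the page). The `alter ip_address = ...`
# step in the page's examples pins every row to the same address.
ROWS = [{"event_id": n, "ip_address": "192.168.0.1"} for n in range(3)]

IN_RANGE = "192.168.0.0/24, 1.168.0.0/24"   # first CIDR contains the address
OUT_OF_RANGE = "2.168.0.0/24, 1.168.0.0/24"  # neither CIDR contains it


def page_examples() -> dict:
    """Number of rows displayed for the four cases in the description,
    in the order the page lists them."""
    return {
        "case1_in_range_eq_true": len(filter_rows(ROWS, "ip_address", IN_RANGE, True)),
        "case2_out_of_range_eq_true": len(filter_rows(ROWS, "ip_address", OUT_OF_RANGE, True)),
        "case3_in_range_eq_false": len(filter_rows(ROWS, "ip_address", IN_RANGE, False)),
        "case4_out_of_range_eq_false": len(filter_rows(ROWS, "ip_address", OUT_OF_RANGE, False)),
    }


if __name__ == "__main__":
    for case, shown in page_examples().items():
        print(f"{case}: {shown} row(s) displayed")
```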

Examples

Return a maximum of 10 xdr_data records, each with an inrange field showing whether the IPv4 address (192.168.10.14) is in range of a single CIDR (192.168.10.0/24):

dataset = xdr_data
| alter my_ip = "192.168.10.14"
| alter inrange = incidr(my_ip, "192.168.10.0/24")
| fields inrange
| limit 10

Return a maximum of 10 xdr_data records if the IPv4 address (192.168.0.1) is in range, verifying against multiple CIDRs (192.168.0.0/24 or 1.168.0.0/24):

dataset = xdr_data
| alter ip_address = "192.168.0.1"
| filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true
| limit 10