Learn more about the Cortex Query Language incidr()
function.
Syntax
incidr(<IPv4_address>, <CIDR1_range1> | <CIDR1_range1, CIDR2_range2, ...>)
Description
The incidr()
function accepts an IPv4 address, and an IPv4 range or comma separated IPv4 ranges using CIDR notation, and returns true
if the address is in range. Both the IPv4 address and CIDR ranges can be either an explicit string using quotes (""
), such as "192.168.0.1"
, or a string field.
Note
The first parameter must contain an IPv4 address contained in an IPv4 field. For production purposes, this IPv4 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv4 address to a field, and then use that field with this function.
Multiple CIDRs are defined with comma separated syntax when building an XQL query with the Query Builder or in Correlation Rules. When defining multiple CIDRs, the logical OR
is used between the CIDRS listed, so as long as one address is in range the entire statement returns true
. Here are a few examples of how this logic works to determine whether the incidr()
function returns true
and displays results or false
, where no results are displayed:
Function returns
true
and results are displayed:dataset = test | alter ip_address = "192.168.0.1" | filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true
Function returns
false
and no results are displayed:dataset = test | alter ip_address = "192.168.0.1" | filter incidr(ip_address, "2.168.0.0/24, 1.168.0.0/24") = true
Function returns
false
and no results are displayed:dataset = test | alter ip_address = "192.168.0.1" | filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = false
Function returns
true
and results are displayed:dataset = test | alter ip_address = "192.168.0.1" | filter incidr(ip_address, "2.168.0.0/24, 1.168.0.0/24") = false
Note
The same logic is used when using the incidr
and not incidr
operators. For more information, see Supported Operators.
Examples
Return a maximum of 10 xdr_data
records, if the IPV4 address (192.168.10.14
) is in range by verifying against a single CIDR (192.168.10.0/24
):
dataset = xdr_data |alter my_ip = "192.168.10.14" | alter inrange = incidr(my_ip, "192.168.10.0/24") | fields inrange | limit 10
Return a maximum of 10 xdr_data
records, if the IPV4 address (192.168.0.1
) is in range by verifying against multiple CIDRs (192.168.0.0/24
or 1.168.0.0/24
):
dataset = xdr_data | alter ip_address = "192.168.0.1" | filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true | limit 10