Learn more about the Cortex Query Language incidrlist() function.


incidrlist(<IP_address list>, <CIDR_range>)


The incidrlist() function accepts a string containing a comma-separated list of IP addresses, and an IP range using CIDR notation, and returns true if any of the addresses are in range.


Return true if any of the list of IP addresses fall within the specified IP range. Note that the input type is a comma-separated list of IP addresses, and not an array of IP addresses.

alter inrange = incidrlist("<IP_address list>", "<CIDR_range>")
| fields inrange
| limit 1

If you want to evaluate a true array of IP addresses, convert the array to a comma-separated list using arraystring() first. For example, using the panw_ngfw_traffic_raw dataset (replace <CIDR_range> with the range to test against):

dataset = panw_ngfw_traffic_raw 
| filter dest_ip != null
| comp values(dest_ip) as dips by source_ip,action
| alter dips = arraystring(dips, ", ")
| alter inrange = incidrlist(dips, "<CIDR_range>")
| fields source_ip, action, dips, inrange
| limit 100
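The two queries above cannot be run outside Cortex, so the following added example models their semantics in Python: a reference incidrlist() that takes a comma-separated string (not an array) and one CIDR range, an arraystring() stand-in, and a flag_sources() helper that mirrors the filter / comp / arraystring / incidrlist pipeline over a handful of constructed log rows. It is not Cortex code; the sample rows, the helper names and the null handling for empty lists, unparsable tokens and invalid ranges are assumptions made for illustration.

```python
"""Reference model of the XQL incidrlist() semantics, written so the expected
true/false outcomes of a query can be checked offline before the query is used
in a detection rule.  Added illustration, not Cortex code: helper names, null
handling and the sample records are constructed assumptions."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


def incidrlist(ip_list: str, cidr: str) -> Optional[bool]:
    """Model of incidrlist(<IP_address list>, <CIDR_range>).

    ip_list is a single comma-separated string, cidr one range in CIDR
    notation.  Returns True if any address lies inside the range, False if
    none does.  Assumptions: whitespace around each address is ignored (so
    arraystring(dips, ", ") can be fed straight in), tokens that do not parse
    as an address are skipped, and an empty list or an invalid range yields
    None, standing in for a null result.
    """
    try:
        net = ip_network(cidr, strict=False)
    except ValueError:
        return None
    seen_any = False
    for raw in ip_list.split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            continue  # unparsable token: ignore it and keep checking the rest
        seen_any = True
        # An IPv6 address can never sit inside an IPv4 range (and vice versa).
        if addr.version == net.version and addr in net:
            return True
    return False if seen_any else None


def arraystring(values: Iterable[str], sep: str = ",") -> str:
    """Model of arraystring(): join an array into one delimited string."""
    return sep.join(values)


# Constructed rows resembling panw_ngfw_traffic_raw records (not real traffic).
SAMPLE_ROWS: List[Dict[str, Optional[str]]] = [
    {"source_ip": "10.1.1.10", "action": "allow", "dest_ip": "192.0.2.7"},
    {"source_ip": "10.1.1.10", "action": "allow", "dest_ip": "203.0.113.9"},
    {"source_ip": "10.1.1.10", "action": "deny",  "dest_ip": "198.51.100.4"},
    {"source_ip": "10.1.1.22", "action": "allow", "dest_ip": None},
    {"source_ip": "10.1.1.22", "action": "allow", "dest_ip": "203.0.113.44"},
]


def flag_sources(rows: List[Dict[str, Optional[str]]], cidr: str) -> List[dict]:
    """Model of the second query on the page: drop null dest_ip, collect the
    distinct dest_ip values per (source_ip, action), join them with
    arraystring(), then apply incidrlist() against cidr."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for r in rows:
        if r["dest_ip"] is None:          # filter dest_ip != null
            continue
        key = (r["source_ip"], r["action"])
        bucket = groups.setdefault(key, [])
        if r["dest_ip"] not in bucket:    # comp values() keeps distinct values
            bucket.append(r["dest_ip"])
    out = []
    for (src, action), dips in sorted(groups.items()):
        joined = arraystring(dips, ", ")
        out.append({"source_ip": src, "action": action,
                    "dips": joined, "inrange": incidrlist(joined, cidr)})
    return out


if __name__ == "__main__":
    for row in flag_sources(SAMPLE_ROWS, "203.0.113.0/24"):
        print(row)
```

Running the module flags both "allow" groups as in range for 203.0.113.0/24 and the "deny" group as not; the same inputs, fed through the page's query, should give the same inrange column, which makes this a cheap way to sanity-check a range before relying on it in a rule.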