incidrlist - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language incidrlist() function.

Syntax

incidrlist(<IP_address list>, <CIDR_range>)

Description

The incidrlist() function accepts a string containing a comma-separated list of IP addresses and an IP range in CIDR notation, and returns true if any of the listed addresses falls within that range.

Examples

Return true if any of the list of IP addresses fall within the specified IP range. Note that the input type is a comma-separated list of IP addresses, and not an array of IP addresses.

alter inrange = incidrlist("192.168.10.16,192.168.10.3",
                           "192.168.10.0/24")
| fields inrange
| limit 1

If the addresses you want to evaluate are stored as an array rather than a string, first convert the array to a comma-separated list using arraystring(). For example, using the panw_ngfw_traffic_raw dataset:

dataset = panw_ngfw_traffic_raw
| filter dest_ip != null
| comp values(dest_ip) as dips by source_ip,action
| alter dips = arraystring(dips, ", ")
| alter inrange = incidrlist(dips, "192.168.10.0/24")
| fields source_ip, action, dips, inrange
| limit 100
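The following is an added Python model of the semantics described on this page, useful for sanity-checking a query offline; it is not Palo Alto Networks code and does not show how XQL implements the function internally. It reimplements incidrlist() over a comma-separated string, adds an arraystring() stand-in, and a flag_sources() helper that mirrors the second query over constructed sample rows. Tolerating whitespace after commas and skipping unparsable entries are assumptions, not documented behaviour.

```python
import ipaddress
from collections import defaultdict

def incidrlist(ip_list: str, cidr: str, strict: bool = False) -> bool:
    """Return True if any address in the comma-separated ip_list lies within cidr.

    Assumptions beyond the page: whitespace around each entry is ignored
    (so the output of arraystring(arr, ", ") parses), empty entries are
    skipped, and unparsable entries are skipped unless strict=True, which raises.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    for raw in ip_list.split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            if strict:
                raise
            continue
        if addr in network:          # False when the IP versions differ
            return True
    return False

def arraystring(values, sep=", "):
    """Stand-in for XQL arraystring(): join an array into one string."""
    return sep.join(values)

# Constructed sample rows shaped like the fields the page's query reads from
# panw_ngfw_traffic_raw; the addresses are hypothetical.
SAMPLE_ROWS = [
    {"source_ip": "10.1.1.5", "action": "allow", "dest_ip": "192.168.10.16"},
    {"source_ip": "10.1.1.5", "action": "allow", "dest_ip": "8.8.8.8"},
    {"source_ip": "10.1.1.9", "action": "deny", "dest_ip": "1.1.1.1"},
    {"source_ip": "10.1.1.9", "action": "deny", "dest_ip": None},
]

def flag_sources(rows, cidr):
    """Mirror the page's second query: drop null dest_ip, collect dest_ip values
    by (source_ip, action), join them with arraystring(), then apply incidrlist()."""
    groups = defaultdict(set)
    for row in rows:
        if row["dest_ip"] is None:                 # filter dest_ip != null
            continue
        groups[(row["source_ip"], row["action"])].add(row["dest_ip"])
    return {key: incidrlist(arraystring(sorted(dips)), cidr)
            for key, dips in groups.items()}
```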