is_known_private_ipv4 - Learn more about the Cortex Query Language is_known_private_ipv4() function. - Administrator Guide - Cortex XSIAM - Cortex

is_known_private_ipv4 - Learn more about the Cortex Query Language is_known_private_ipv4() function. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-12-29

Syntax

is_known_private_ipv4(<IPv4_address>)

Description

The is_known_private_ipv4() function accepts an IPv4 address, and returns true if the IPv4 string address belongs to any of the following known set of private network IPs:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

The IPv4 address can be either an explicit string using quotes (""), such as "192.168.0.1", or a string field.

Note

The <IPv4_address> must contain an IPv4 address in an IPv4 field. For production purposes, this IPv4 address will normally be carried in a field that you retrieve from a dataset. For manual usage, assign the IPv4 address to a field, and then use that field with this function.

Example

The example provided is based on the following data table for a dataset called ips_test_raw:

_TIME	IP	_VENDOR	_PRODUCT
Mar 26th 2025 19:26:07	1.1.1.1	ips	test
Mar 26th 2025 19:26:07	192.168.1.100	ips	test
Mar 26th 2025 19:26:07	FF0E::1	ips	test
Mar 26th 2025 19:26:07	127.0.0.1	ips	test
Mar 26th 2025 19:26:07	172.32.0.1	ips	test
Mar 26th 2025 19:26:07	2606:4700:4700::1111	ips	test

Returns all the IPv4 addresses that belong to a set of known private network IPs from the ip field in the ips_test_raw dataset. When the is_known_private_ipv4 function returns true, the results are displayed with a new IsKnownPrivateIpv4 column (field) indicating a true value. If the function returns false, no results are returned.

_TIME	IP	_VENDOR	_PRODUCT	ISKNOWNPRIVATEIPV4
Mar 26th 2025 19:26:07	192.168.1.100	ips	test	true