incidrlist

The Cortex XDR XQL incidrlist() function accepts a comma-separated list of IP addresses and an IP range in CIDR notation, and returns true only if every address in the list falls within that range.

Synopsis

incidrlist(<IP_address list>, <CIDR_range>)

Description

The incidrlist() function accepts a string containing a comma-separated list of IP addresses, and an IP range using CIDR notation, and returns true if all the addresses are in range.

Examples

Return true if every IP address in the list falls within the specified IP range (a single out-of-range address makes the result false). Note that the input type is a string containing a comma-separated list of IP addresses, not an array of IP addresses.
alter inrange = incidrlist("192.168.10.16,192.168.10.3", "192.168.10.0/24") | fields inrange | limit 1
If you want to evaluate an actual array of IP addresses, convert the array to a comma-separated string using arraystring(). For example, using the panw_ngfw_traffic_raw dataset, the query below collects the destination IPs seen per source IP and action, joins them into one string, and then checks whether all of them fall inside 192.168.10.0/24:
dataset = panw_ngfw_traffic_raw | filter dest_ip != null | comp values(dest_ip) as dips by source_ip,action | alter dips = arraystring(dips, ", ") | alter inrange = incidrlist(dips, "192.168.10.0/24") | fields source_ip, action, dips, inrange | limit 100
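The two queries above, modelled in Python as an added example so the "all addresses in range" rule and the comma-separated-string input can be tried on sample data offline. This is not XQL and not Palo Alto Networks code; the sample rows are constructed, and the model assumes that whitespace around each address is stripped (the arraystring() example joins with ", ") and that an empty or unparsable entry never yields true, neither of which this page specifies for the real function.

```python
# Added example: local Python model of the incidrlist() semantics described on
# this page. Not XQL and not Palo Alto Networks code; it only makes the
# "every address must be in range" rule concrete on constructed sample rows.
# Assumptions (not stated on the page): whitespace around entries is stripped,
# and an empty list or an unparsable address evaluates to False.
import ipaddress
from collections import defaultdict


def incidrlist(ip_list: str, cidr: str) -> bool:
    """Return True only if every address in the comma-separated string
    ip_list falls inside cidr, mirroring the page's description."""
    network = ipaddress.ip_network(cidr, strict=False)
    addrs = [a.strip() for a in ip_list.split(",") if a.strip()]
    if not addrs:
        return False  # assumption: nothing to check is not "all in range"
    try:
        return all(ipaddress.ip_address(a) in network for a in addrs)
    except ValueError:
        return False  # assumption: an unparsable entry fails the check


# Constructed sample rows standing in for panw_ngfw_traffic_raw.
SAMPLE_ROWS = [
    {"source_ip": "10.1.1.5", "action": "allow", "dest_ip": "192.168.10.16"},
    {"source_ip": "10.1.1.5", "action": "allow", "dest_ip": "192.168.10.3"},
    {"source_ip": "10.1.1.7", "action": "allow", "dest_ip": "192.168.10.40"},
    {"source_ip": "10.1.1.7", "action": "allow", "dest_ip": "8.8.8.8"},
    {"source_ip": "10.1.1.9", "action": "deny",  "dest_ip": None},
]


def classify_sources(rows, cidr):
    """Model of the page's second query: group dest_ip values by
    (source_ip, action) like `comp values(dest_ip)`, join them with ", "
    like arraystring(), and evaluate incidrlist() on the joined string."""
    groups = defaultdict(list)
    for r in rows:
        if r["dest_ip"] is None:          # filter dest_ip != null
            continue
        groups[(r["source_ip"], r["action"])].append(r["dest_ip"])
    result = {}
    for (src, action), dips in groups.items():
        joined = ", ".join(dips)          # arraystring(dips, ", ")
        result[(src, action)] = {
            "dips": joined,
            "inrange": incidrlist(joined, cidr),
        }
    return result


if __name__ == "__main__":
    print(incidrlist("192.168.10.16,192.168.10.3", "192.168.10.0/24"))
    for key, row in classify_sources(SAMPLE_ROWS, "192.168.10.0/24").items():
        print(key, row)
```

In the sample data, source 10.1.1.7 talked to both an internal host and 8.8.8.8, so its joined list evaluates to false even though one of its destinations is in range; if the detection goal is "flag any source that reached outside the range", that is the row to alert on, and the per-source grouping is what makes the "all" semantics useful.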
