topic Filter over 100 CIDR in Cortex XDR Discussions

Filter over 100 CIDR

RemiLiquete — Tue, 16 Jul 2024 15:04:57 GMT

Hello,

I have an XQL query and I need IPs to be displayed if they are in some CIDR.

I know about the incidr command and the documentation says we can use it with multiple CIDR if we use coma to separate them.

Example :

filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true

It doesn't work at all (I tried with 2 CIDR, I have an empty result and I should have at least one result).

Using multiple lines with alter is not an option since I have over 100 CIDR (and 100 lines with alter to create) and the command will take forever to run.

I was wondering if using a custom dataset will work.

If it does, how can I use it?

Regards,

Rémi.

Re: Filter over 100 CIDR

aspatil — Tue, 16 Jul 2024 16:17:07 GMT

Hello,

Thanks for reaching us using the Live Community.

Please try below:

dataset = endpoints
| arrayexpand ip_address
| filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24")
| fields ip_address

If this post answers your question, please mark it as the solution.

Re: Filter over 100 CIDR

RemiLiquete — Thu, 18 Jul 2024 08:28:18 GMT

Hello,

I tried the exact query and the result is empty.

I have IP addresses in 192.168.0.0/24.

If i run the query below, it's working but it's not an option since I have over 100 CIDR:

dataset = endpoints | arrayexpand ip_address | alter srcType = if(incidr(ip_address, "192.168.0.0/24") = true, "local", if(incidr(ip_address, "1.168.0.0/24") = true, "local", "remote")) | filter srcType = "local" | fields ip_address

Regards,

Re: Filter over 100 CIDR

aspatil — Fri, 19 Jul 2024 05:45:05 GMT

Hello @RemiLiquete ,

We have helped you with template. You have to check how to include 100 CIDR, incase if you need assistance you can check with Accounts Team for Professional services.

Hope this helps!