BIOC with IPV6

Bouzeghoub — Sun, 04 Jan 2026 11:23:10 GMT

Hi,

I can't create BIOC with IPV6 query, please any idea?

Re: BIOC with IPV6

ssingh32 — Tue, 06 Jan 2026 11:37:24 GMT

Hi,

Please open a case with Palo alto Networks Tech support.

Please mark the solution as accepted ,if it helps.

Re: BIOC with IPV6

susekar — Tue, 06 Jan 2026 15:44:41 GMT

Hello @Bouzeghoub ,

Greetings for the day!

The error “Query failed due to invalid query pattern” when attempting to create a BIOC with an IPv6 query typically occurs because IPv6 fields are not fully supported in the standard BIOC GUI builder, even if those fields appear as selectable options.

While IPv6 support for IOCs (Indicators of Compromise) and EDLs (External Dynamic Lists) is currently limited, IPv6 is supported in BIOC rules when you create them using a direct XQL query.

To successfully create your BIOC, follow the requirements below:

1. Use the XQL Query Builder

Instead of the GUI-based Behavior section, use the XQL option to define your rule. Complex patterns and specific network fields such as IPv6 often require XQL to pass validation.

2. Include Mandatory Filters

For a query to be valid for BIOC creation, it must include an explicit filter on the event_type field.

For network-related IPv6 queries, include:

3. Use Correct IPv6 Syntax

When filtering for IPv6 addresses in XQL, ensure you are using supported operators and valid IPv6 formats. For CIDR matching, use the appropriate IPv6 CIDR functions (for example, incidr6 where applicable).

Example of a valid IPv6 BIOC XQL structure:

4. Troubleshooting Steps

Verify field names: Ensure you are using fields specifically designated for IPv6 (such as action_remote_ip_v6), or confirm that the IP fields in your dataset version support IPv6 values.
Test in XQL Search first: Always run the query in the XQL Search tab before saving it as a BIOC. If it fails there, it will not work as a BIOC.
Avoid prohibited clauses: Do not include unsupported commands such as | fields, | dedup, | limit, or | group by, as these are incompatible with the BIOC engine.

------------------

If this fails or if further confirmation of the behavior is required, please create a TAC case so it can be reviewed with them or escalated to the backend engineering team for validation.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!

Thanks & Regards,
S. Subashkar Sekar

topic Re: BIOC with IPV6 in Cortex XDR Discussions

BIOC with IPV6

Re: BIOC with IPV6

Re: BIOC with IPV6

1. Use the XQL Query Builder

2. Include Mandatory Filters

3. Use Correct IPv6 Syntax

Example of a valid IPv6 BIOC XQL structure:

4. Troubleshooting Steps