https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-filter-cidr-in-xql-search/m-p/425217#M950 <P>Hi, I'm trying to build XQL queries that target internal vs external IP ranges.<BR /><BR />This is easy in the normal query builder with&nbsp;10.0.0.0/8|172.16.0.0/12|192.168.0.0/16 but I'm not able to re-create this in XQL.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">dataset = xdr_data | filter event_type = NETWORK | filter action_remote_ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") </LI-CODE><P>&nbsp;</P><P>I tried this to look for external connections but I still get results in those ranges so I think it's string matching instead of using the CIDR. I could do this by string matching but this doesn't scale well for some IP ranges.&nbsp;<BR /><BR />I also looked at the 2 CIDR functions <STRONG>incidr</STRONG> and <STRONG>incidrlist&nbsp;</STRONG>however these have a different use case.&nbsp;<BR /><BR />Does anyone know if this is possible? If so can you show me the syntax?&nbsp;<BR /><BR />Thanks,</P><P>John.&nbsp;</P> Sat, 07 Aug 2021 12:18:34 GMT John_Easton 2021-08-07T12:18:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-filter-cidr-in-xql-search/m-p/425217#M950 <P>Hi, I'm trying to build XQL queries that target internal vs external IP ranges.<BR /><BR />This is easy in the normal query builder with&nbsp;10.0.0.0/8|172.16.0.0/12|192.168.0.0/16 but I'm not able to re-create this in XQL.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">dataset = xdr_data | filter event_type = NETWORK | filter action_remote_ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") </LI-CODE><P>&nbsp;</P><P>I tried this to look for external connections but I still get results in those ranges so I think it's string matching instead of using the CIDR. I could do this by string matching but this doesn't scale well for some IP ranges.&nbsp;<BR /><BR />I also looked at the 2 CIDR functions <STRONG>incidr</STRONG> and <STRONG>incidrlist&nbsp;</STRONG>however these have a different use case.&nbsp;<BR /><BR />Does anyone know if this is possible? If so can you show me the syntax?&nbsp;<BR /><BR />Thanks,</P><P>John.&nbsp;</P> Sat, 07 Aug 2021 12:18:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-filter-cidr-in-xql-search/m-p/425217#M950 John_Easton 2021-08-07T12:18:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-filter-cidr-in-xql-search/m-p/426168#M954 <P>I think your search can be accomplished by using this filter setup:</P><P>&nbsp;</P><LI-CODE lang="markup">dataset = xdr_data | filter event_type = NETWORK | alter remote_10 = incidr(action_remote_ip,"10.0.0.0/8") | alter remote_172 = incidr(action_remote_ip,"172.16.0.0/12") | alter remote_192 = incidr(action_remote_ip,"192.168.0.0/16") | filter remote_10 = false and remote_172 = false and remote_192 = false</LI-CODE><P>&nbsp;</P> Wed, 11 Aug 2021 16:50:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-filter-cidr-in-xql-search/m-p/426168#M954 JRzepka 2021-08-11T16:50:49Z