01-04-2026 03:23 AM
Hi,
I can't create BIOC with IPV6 query, please any idea?
BR
01-06-2026 07:44 AM
Hello @Bouzeghoub ,
Greetings for the day!
The error “Query failed due to invalid query pattern” when attempting to create a BIOC with an IPv6 query typically occurs because IPv6 fields are not fully supported in the standard BIOC GUI builder, even if those fields appear as selectable options.
While IPv6 support for IOCs (Indicators of Compromise) and EDLs (External Dynamic Lists) is currently limited, IPv6 is supported in BIOC rules when you create them using a direct XQL query.
To successfully create your BIOC, follow the requirements below:
Instead of the GUI-based Behavior section, use the XQL option to define your rule. Complex patterns and specific network fields such as IPv6 often require XQL to pass validation.
For a query to be valid for BIOC creation, it must include an explicit filter on the event_type field.
For network-related IPv6 queries, include:
| filter event_type = NETWORKWhen filtering for IPv6 addresses in XQL, ensure you are using supported operators and valid IPv6 formats. For CIDR matching, use the appropriate IPv6 CIDR functions (for example, incidr6 where applicable).
dataset = xdr_data
| filter event_type = NETWORK
| filter action_remote_ip_v6 = "2001:db8::1" // Replace with your target IPv6Verify field names: Ensure you are using fields specifically designated for IPv6 (such as action_remote_ip_v6), or confirm that the IP fields in your dataset version support IPv6 values.
Test in XQL Search first: Always run the query in the XQL Search tab before saving it as a BIOC. If it fails there, it will not work as a BIOC.
Avoid prohibited clauses: Do not include unsupported commands such as | fields, | dedup, | limit, or | group by, as these are incompatible with the BIOC engine.
------------------
If this fails or if further confirmation of the behavior is required, please create a TAC case so it can be reviewed with them or escalated to the backend engineering team for validation.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New year!!
Thanks & Regards,
S. Subashkar Sekar
01-06-2026 03:37 AM
Hi,
Please open a case with Palo alto Networks Tech support.
Please mark the solution as accepted ,if it helps.
01-06-2026 07:44 AM
Hello @Bouzeghoub ,
Greetings for the day!
The error “Query failed due to invalid query pattern” when attempting to create a BIOC with an IPv6 query typically occurs because IPv6 fields are not fully supported in the standard BIOC GUI builder, even if those fields appear as selectable options.
While IPv6 support for IOCs (Indicators of Compromise) and EDLs (External Dynamic Lists) is currently limited, IPv6 is supported in BIOC rules when you create them using a direct XQL query.
To successfully create your BIOC, follow the requirements below:
Instead of the GUI-based Behavior section, use the XQL option to define your rule. Complex patterns and specific network fields such as IPv6 often require XQL to pass validation.
For a query to be valid for BIOC creation, it must include an explicit filter on the event_type field.
For network-related IPv6 queries, include:
| filter event_type = NETWORKWhen filtering for IPv6 addresses in XQL, ensure you are using supported operators and valid IPv6 formats. For CIDR matching, use the appropriate IPv6 CIDR functions (for example, incidr6 where applicable).
dataset = xdr_data
| filter event_type = NETWORK
| filter action_remote_ip_v6 = "2001:db8::1" // Replace with your target IPv6Verify field names: Ensure you are using fields specifically designated for IPv6 (such as action_remote_ip_v6), or confirm that the IP fields in your dataset version support IPv6 values.
Test in XQL Search first: Always run the query in the XQL Search tab before saving it as a BIOC. If it fails there, it will not work as a BIOC.
Avoid prohibited clauses: Do not include unsupported commands such as | fields, | dedup, | limit, or | group by, as these are incompatible with the BIOC engine.
------------------
If this fails or if further confirmation of the behavior is required, please create a TAC case so it can be reviewed with them or escalated to the backend engineering team for validation.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New year!!
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
