ipv4_is_in_any_range()

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Checks whether IPv4 string address is in any of the specified IPv4 address ranges.

Syntax

ipv4_is_in_any_range(Ipv4Address , Ipv4Range [ , Ipv4Range ...] )

ipv4_is_in_any_range(Ipv4Address , Ipv4Ranges )

Learn more about syntax conventions.

Parameters

Name Type Required Description
Ipv4Address string ✔️ An expression representing an IPv4 address.
Ipv4Range string ✔️ An IPv4 range or list of IPv4 ranges written with IP-prefix notation.
Ipv4Ranges dynamic ✔️ A dynamic array containing IPv4 ranges written with IP-prefix notation.

Note

Either one or more IPv4Range strings or an IPv4Ranges dynamic array is required.

IP-prefix notation

IP-prefix notation (also known as CIDR notation) is a concise way of representing an IP address and its associated network mask. The format is <base IP>/<prefix length>, where the prefix length is the number of leading 1 bits in the netmask. The prefix length determines the range of IP addresses that belong to the network.

For IPv4, the prefix length is a number between 0 and 32. So the notation 192.168.2.0/24 represents the IP address 192.168.2.0 with a netmask of 255.255.255.0. This netmask has 24 leading 1 bits, or a prefix length of 24.

For IPv6, the prefix length is a number between 0 and 128. So the notation fe80::85d:e82c:9446:7994/120 represents the IP address fe80::85d:e82c:9446:7994 with a netmask of ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00. This netmask has 120 leading 1 bits, or a prefix length of 120.

Returns

  • true: If the IPv4 address is in the range of any of the specified IPv4 networks.
  • false: Otherwise.
  • null: If conversion for one of the two IPv4 strings wasn't successful.

Examples

Syntax using list of strings

print Result=ipv4_is_in_any_range('192.168.1.6', '192.168.1.1/24', '10.0.0.1/8', '127.1.0.1/16')

Output

Result
true

Syntax using dynamic array

print Result=ipv4_is_in_any_range("127.0.0.1", dynamic(["127.0.0.1", "192.168.1.1"]))

Output

Result
true

Extend table with IPv4 range check

let LocalNetworks=dynamic([
    "192.168.1.1/16",
    "127.0.0.1/8",
    "10.0.0.1/8"
]);
let IPs=datatable(IP:string) [
    "10.1.2.3",
    "192.168.1.5",
    "123.1.11.21",
    "1.1.1.1"
];
IPs
| extend IsLocal=ipv4_is_in_any_range(IP, LocalNetworks)

Output

IP IsLocal
10.1.2.3 true
192.168.1.5 true
123.1.11.21 false
1.1.1.1 false