ipv6_is_match()

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Matches two IPv6 or IPv4 network address strings. The two IPv6/IPv4 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional prefix argument.

Note

The function can accept and compare arguments representing both IPv6 and IPv4 network addresses. If the caller knows that arguments are in IPv4 format, use the ipv4_is_match() function. This function will result in better runtime performance.

Syntax

ipv6_is_match(ip1,ip2[ ,prefix])

Learn more about syntax conventions.

Parameters

Name Type Required Description
ip1, ip2 string ✔️ An expression representing an IPv6 or IPv4 address. IPv6 and IPv4 strings can be masked using IP-prefix notation.
prefix int An integer from 0 to 128 representing the number of most-significant bits that are taken into account.

IP-prefix notation

IP-prefix notation (also known as CIDR notation) is a concise way of representing an IP address and its associated network mask. The format is <base IP>/<prefix length>, where the prefix length is the number of leading 1 bits in the netmask. The prefix length determines the range of IP addresses that belong to the network.

For IPv4, the prefix length is a number between 0 and 32. So the notation 192.168.2.0/24 represents the IP address 192.168.2.0 with a netmask of 255.255.255.0. This netmask has 24 leading 1 bits, or a prefix length of 24.

For IPv6, the prefix length is a number between 0 and 128. So the notation fe80::85d:e82c:9446:7994/120 represents the IP address fe80::85d:e82c:9446:7994 with a netmask of ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00. This netmask has 120 leading 1 bits, or a prefix length of 120.

Returns

  • true: If the long representation of the first IPv6/IPv4 string argument is equal to the second IPv6/IPv4 string argument.
  • false: Otherwise.
  • null: If conversion for one of the two IPv6/IPv4 strings wasn't successful.

Examples

IPv6/IPv4 comparison equality case - IP-prefix notation specified inside the IPv6/IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 // IPv4 are compared as IPv6 addresses
 '192.168.1.1',    '192.168.1.1',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
  // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7994',         // Equal IPs
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7998/120',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998/120', // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1',      '::ffff:c0a8:0101', // Equal IPs
 '192.168.1.1/24',   '::ffff:c0a8:01ff', // 24 bit IP-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
]
| extend result = ipv6_is_match(ip1_string, ip2_string)

Output

ip1_string ip2_string result
192.168.1.1 192.168.1.1 1
192.168.1.1/24 192.168.1.255 1
192.168.1.1 192.168.1.255/24 1
192.168.1.1/30 192.168.1.255/24 1
fe80::85d:e82c:9446:7994 fe80::85d:e82c:9446:7994 1
fe80::85d:e82c:9446:7994/120 fe80::85d:e82c:9446:7998 1
fe80::85d:e82c:9446:7994 fe80::85d:e82c:9446:7998/120 1
fe80::85d:e82c:9446:7994/120 fe80::85d:e82c:9446:7998/120 1
192.168.1.1 ::ffff:c0a8:0101 1
192.168.1.1/24 ::ffff:c0a8:01ff 1
::ffff:c0a8:0101 192.168.1.255/24 1
::192.168.1.1/30 192.168.1.255/24 1

IPv6/IPv4 comparison equality case- IP-prefix notation specified inside the IPv6/IPv4 strings and as additional argument of the ipv6_is_match() function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 // IPv4 are compared as IPv6 addresses 
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP4-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP4-prefix is used for comparison
   // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7995',     127, // 127 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/127', 'fe80::85d:e82c:9446:7998', 120, // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998', 127, // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1/24',   '::ffff:c0a8:01ff', 127, // 127 bit IP6-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255',    120, // 120 bit IP6-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', 127, // 120 bit IP6-prefix is used for comparison
]
| extend result = ipv6_is_match(ip1_string, ip2_string, prefix)

Output

ip1_string ip2_string prefix result
192.168.1.1 192.168.1.0 31 1
192.168.1.1/24 192.168.1.255 31 1
192.168.1.1 192.168.1.255 24 1
fe80::85d:e82c:9446:7994 fe80::85d:e82c:9446:7995 127 1
fe80::85d:e82c:9446:7994/127 fe80::85d:e82c:9446:7998 120 1
fe80::85d:e82c:9446:7994/120 fe80::85d:e82c:9446:7998 127 1
192.168.1.1/24 ::ffff:c0a8:01ff 127 1
::ffff:c0a8:0101 192.168.1.255 120 1
::192.168.1.1/30 192.168.1.255/24 127 1