diff --git a/eql/functions.py b/eql/functions.py
index 4d6a6d7..7191064 100644
--- a/eql/functions.py
+++ b/eql/functions.py
@@ -4,8 +4,16 @@
 from .errors import EqlError
 from .signatures import SignatureMixin
 from .types import TypeHint
-from .utils import (fold_case, get_ipaddress, get_subnet, is_insensitive,
-                    is_number, is_string, to_unicode)
+from .utils import (
+    fold_case,
+    get_ipaddress,
+    get_subnet,
+    is_cidr_pattern,
+    is_insensitive,
+    is_number,
+    is_string,
+    to_unicode,
+)
 
 _registry = {}
 REGEX_FLAGS = re.UNICODE | re.DOTALL
@@ -222,17 +230,6 @@ def run(cls, ip_address, *cidr_matches):
 
         return False
 
-    @classmethod
-    def is_cidr(cls, cidr):
-        """Check if a string is a valid CIDR notation."""
-        if "/" not in cidr:
-            return False
-        try:
-            get_subnet(cidr)
-            return True
-        except ValueError:
-            return False
-
     @classmethod
     def validate(cls, arguments):
         """Validate the calling convention and change the argument order if necessary."""
@@ -249,7 +246,7 @@ def validate(cls, arguments):
             # overwrite the original node
             text = argument.node.value.strip()
 
-            if not cls.is_cidr(text):
+            if not is_cidr_pattern(text):
                 return pos
 
             # Since it does match, we should also rewrite the string to align to the base of the subnet
diff --git a/eql/utils.py b/eql/utils.py
index 82e836f..a3131c2 100644
--- a/eql/utils.py
+++ b/eql/utils.py
@@ -68,6 +68,15 @@ def is_insensitive():
     """Check if insensitivity is enabled."""
     return CASE_INSENSITIVE
 
+def is_cidr_pattern(cidr):
+    """Check if a string is a valid CIDR notation."""
+    if "/" not in cidr:
+        return False
+    try:
+        get_subnet(cidr)
+        return True
+    except ValueError:
+        return False
 
 def fold_case(s):
     """Helper function for normalizing case for strings."""