https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584626#M6564 <P><SPAN>Is it possible to create an automation script or rule to add a remote IP address to an EDL in Cortex XDR?&nbsp; I'm exploring the best way to handle this.&nbsp; For example, after the recent CVE-2024-3400 disclosure, I patched my firewalls, and all is good.&nbsp; However, I still receive daily alerts for the 'Palo Alto Networks GlobalProtect OS Command Injection Vulnerability' attempts.&nbsp; They are blocked and currently, I manually locate the IP address in the alert, right-click, and add it to the EDL.&nbsp; The firewall then processes the updated EDL it in the next cycle.&nbsp; I'm looking to automate this process to avoid repetitive manual tasks. If there’s a better solution, I'm open to suggestions.</SPAN></P> Tue, 23 Apr 2024 11:46:38 GMT Drew-Browning 2024-04-23T11:46:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584626#M6564 <P><SPAN>Is it possible to create an automation script or rule to add a remote IP address to an EDL in Cortex XDR?&nbsp; I'm exploring the best way to handle this.&nbsp; For example, after the recent CVE-2024-3400 disclosure, I patched my firewalls, and all is good.&nbsp; However, I still receive daily alerts for the 'Palo Alto Networks GlobalProtect OS Command Injection Vulnerability' attempts.&nbsp; They are blocked and currently, I manually locate the IP address in the alert, right-click, and add it to the EDL.&nbsp; The firewall then processes the updated EDL it in the next cycle.&nbsp; I'm looking to automate this process to avoid repetitive manual tasks. If there’s a better solution, I'm open to suggestions.</SPAN></P> Tue, 23 Apr 2024 11:46:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584626#M6564 Drew-Browning 2024-04-23T11:46:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584671#M6569 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/367097609">@Drew-Browning</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>There is no automated action to add the IP Address from the alerts to the EDL. Maybe adding the IP to a CSV file and then uploading it a few times per day or week can be a better solution. You can upload a file containing IPs or URLs to the EDL using the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists" target="_self">Action Center</A>.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Tue, 23 Apr 2024 18:47:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584671#M6569 jmazzeo 2024-04-23T18:47:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584775#M6581 <P>I was afraid of that.&nbsp; Thanks for your response.</P> Wed, 24 Apr 2024 11:55:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/automation-rule-to-add-ip-address-to-edl/m-p/584775#M6581 Drew-Browning 2024-04-24T11:55:15Z