Is there an API to add IPs to Cortex XDR EDL programmatically?

N.Majidova — Thu, 07 May 2026 15:36:49 GMT

Hi community,

I'm looking for a way to programmatically add IP addresses to the Cortex XDR External Dynamic List (EDL) via the XDR public API — ideally using a Python script.

Currently, I can see that the EDL is referenced in the Audit Log API as an AUDIT_ENTITY value, but I cannot find any dedicated API endpoint to add or manage IPs in the EDL directly.

Our use case: We have a SOAR platform that automatically investigates alerts. When an IP is confirmed malicious, we want to run a Python script that automatically pushes it to the XDR EDL so our Palo Alto firewall can block it — without any manual intervention.

My questions:
1. Is there any existing API endpoint to add IPs to the XDR EDL (IP Block List)?
2. If not, is this on the roadmap?
3. What is the recommended automated approach for pushing confirmed malicious IPs from a SOAR platform to the XDR EDL?

Thank you!

Re: Is there an API to add IPs to Cortex XDR EDL programmatically?

susekar — Mon, 11 May 2026 14:26:03 GMT

Hello @N.Majidova ,

Greetings for the day.

Regarding the programmatic management of the Cortex XDR External Dynamic List (EDL).

1. Existing API Endpoint for EDL Management:

Currently, the Cortex XDR public API does not support the programmatic addition, modification, or management of IP addresses or domains within the hosted External Dynamic List (EDL). The EDL is designed as a distribution point for indicators to be consumed by external devices, primarily Palo Alto Networks firewalls, and entries must be managed manually via the Cortex XDR management console.

2. Roadmap and Feature Requests:

This is a known product limitation and is actively tracked as a Feature Request (FR) under the following IDs:

CXDR-I-2208: Ability to manage EDL lists using the public API.
CXDR-I-2539: Automation Rules - Ability to add IPs or domains to EDLs.

There is currently no estimated timeframe (ETA) for the implementation of these features. You are encouraged to contact your Palo Alto Networks Account Team or Sales Engineer to express interest and track the progress of these requests.

3. Recommended Automated Approach:

Since direct API management is not available, the following automated or alternative approaches are recommended:

PAN-OS API Integration (Direct to Firewall)

For SOAR platforms, the most effective automated approach is to bypass the XDR-hosted EDL and push the confirmed malicious IPs directly to the Palo Alto Networks Next-Generation Firewall (NGFW) or Panorama using their respective XML or REST APIs.

You can add these IPs to a dedicated Address Group that the firewall uses for blocking.

Manual Bulk Management:

If manual intervention is acceptable for high-volume updates, you can use the Upload File feature in the Action Center. This allows you to import a text file (.txt) with one IP address per line.

Path:
Incident Response → Response → Action Center → New Action → Add to EDL → Select Upload File

Host Firewall Rules:

You may also consider using Host Firewall rules to block communications directly on supported endpoints, though this is managed via profiles rather than a dynamic list API.

(Important Constraints for EDL)

Public IPs Only

Cortex XDR EDLs only support public, routable IP addresses. Attempting to add private (RFC 1918) IP addresses (for example, 10.0.0.0/8 or 192.168.0.0/16) via the standard EDL interface will result in the error: Adding an internal IP address is not supported

Format Limitations

The EDL only supports:

Individual IP addresses
Fully Qualified Domain Names (FQDNs)

Subnets and CIDR ranges are not supported.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Is there an API to add IPs to Cortex XDR EDL programmatically? in Cortex XDR Discussions