Intergrations of External Dynamic Lists (EDL) with External Systems

SarahEubanks — Tue, 24 Mar 2026 18:13:35 GMT

Hi! I’m looking for guidance on whether entries from External Dynamic Lists (EDL) in Palo Alto Networks can be programmatically accessed or integrated with external systems for broader threat intelligence use.

Specifically, I would like to understand:

Whether EDL contents (IP, domain, URL indicators) can be retrieved via API or another supported method.

If there is a way to export or query EDL data in near real-time or on a scheduled basis.

Whether Palo Alto provides any native integrations or mechanisms to share EDL-derived intelligence with external platforms.

Use Cases:

We are working toward centralizing and reusing threat intelligence across multiple security controls and platforms.

Some example use cases include:

Azure Integration

Continuously ingest Tor exit node IPs into an EDL within Palo Alto

Reuse that same dataset to update Azure controls (Conditional Access, Named Locations, or other access restrictions) to block access to cloud resources from Tor networks

MISP Integration

Leverage EDL data as a source of indicators for ingestion into MISP

Enrich or correlate EDL indicators with existing intelligence in MISP

Use MISP as a central repository while maintaining Palo Alto as an enforcement point

Additional Questions:

Are there recommended architectures or best practices for synchronizing EDL-based intelligence with external systems such as Azure or MISP?

Are there any limitations or considerations around using EDLs as a source of truth for downstream integrations?

Would Palo Alto recommend an alternative approach (Cortex XSOAR, Cortex XDR, or other integrations) for distributing threat intelligence across multiple environments?

If direct access to EDL contents is not supported, are there indirect methods (via logs, Cortex Data Lake, or other telemetry) that could be leveraged to operationalize this data externally?

Re: Intergrations of External Dynamic Lists (EDL) with External Systems

TomYoung — Wed, 25 Mar 2026 02:12:22 GMT

Hi @SarahEubanks ,

Whether EDL contents (IP, domain, URL indicators) can be retrieved via API or another supported method? Yes

https://yo.ur.hg.fw/api/?type=op&cmd=<request><system><external-list><show><type><predefined-ip><num-records>10000</num-records><name>panw-torexit-ip-list</name></predefined-ip></type></show></external-list></system></request>

Here are a few notes:

Without the num-records parameter, the default number is 100. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuUCAW
You can use the API browser to find the XPath for other types of EDLs. https://docs.paloaltonetworks.com/ngfw/api/getting-started/explore-xmlapi/explore-browser
My NGFW did not list the names of the predefined EDLs on the XML API Browser. It is important to know that the XML API Browser mirrors the CLI. I found the names on the CLI and inserted it into the query above. See the output below.

myname@myngfw(active)> request system external-list show type predefined-ip name panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list <name> <name>

If there is a way to export or query EDL data in near real-time or on a scheduled basis? Yes. The API query on the largest predefined IP list took about 1 second.

Whether Palo Alto provides any native integrations or mechanisms to share EDL-derived intelligence with external platforms? I don't think there are integrations native to PAN-OS.

Would Palo Alto recommend an alternative approach (Cortex XSOAR, Cortex XDR, or other integrations) for distributing threat intelligence across multiple environments? I'm sure they would recommend Cortex XSOAR. It has a LOT more features and includes the predefined EDLs. https://xsoar.pan.dev/docs/reference/index (Search for "predefined edl"). You may need the TIM (Threat Intelligence Management) license. I am not sure. https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-SaaS-Documentation/Understand-Cortex-XSOAR-licenses?tocId=0ww116~l5HOISr58cfY75g

Are there any limitations or considerations around using EDLs as a source of truth for downstream integrations? Not that I know.

Are there recommended architectures or best practices for synchronizing EDL-based intelligence with external systems such as Azure or MISP? There are best practice guides for Cortex XSOAR. With regard to automation, there are a million ways to do it. It sounds like you are starting at a good place and will grow from there.

Thanks,

Tom

topic Intergrations of External Dynamic Lists (EDL) with External Systems in Next-Generation Firewall Discussions

Intergrations of External Dynamic Lists (EDL) with External Systems

Re: Intergrations of External Dynamic Lists (EDL) with External Systems