<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Palo EDL list - some malicious IPs not included in VirusTotal</title>
    <link>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226074#M2990</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just want to make sure I understand Palo's EDLs correctly: a client has a query about 3 IP addresses that are not included in Palo's EDL, but are picked up as malicious via VirusTotal and MXToolbox&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;138.199.15.177&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;179.43.149.114&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;45.148.10.237&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The client wants to know why these specific IPs are not present in the EDLs and wants Palo to investigate these IPs to have them included. According to my understanding, the EDLs are updated via 3rd party vendors, not Palo themselves. That said, these IPs are not well-known for being malicious, even other major vendors like Forti do not categorize these as malicious yet.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Is this correct or is there a way to engage with Palo to review these IPs and have them included in the Palo EDLs?&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 09 Apr 2025 11:24:38 GMT</pubDate>
    <dc:creator>R.Bester</dc:creator>
    <dc:date>2025-04-09T11:24:38Z</dc:date>
    <item>
      <title>Palo EDL list - some malicious IPs not included</title>
      <link>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226074#M2990</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just want to make sure I understand Palo's EDLs correctly: a client has a query about 3 IP addresses that are not included in Palo's EDL, but are picked up as malicious via VirusTotal and MXToolbox&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;138.199.15.177&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;179.43.149.114&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;45.148.10.237&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The client wants to know why these specific IPs are not present in the EDLs and wants Palo to investigate these IPs to have them included. According to my understanding, the EDLs are updated via 3rd party vendors, not Palo themselves. That said, these IPs are not well-known for being malicious, even other major vendors like Forti do not categorize these as malicious yet.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Is this correct or is there a way to engage with Palo to review these IPs and have them included in the Palo EDLs?&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Apr 2025 11:24:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226074#M2990</guid>
      <dc:creator>R.Bester</dc:creator>
      <dc:date>2025-04-09T11:24:38Z</dc:date>
    </item>
    <item>
      <title>Re: Palo EDL list - some malicious IPs not included</title>
      <link>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226177#M2991</link>
      <description>&lt;P&gt;Hi &lt;SPAN style="background: var(--ck-color-mention-background); color: var(--ck-color-mention-text);"&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1065763159"&gt;@R.Bester&lt;/a&gt;&lt;/SPAN&gt; ,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If an IP isn’t included in an EDL, it likely just hasn’t met the criteria for inclusion by the list’s owner, whether it is from PAN or a third party.&lt;/P&gt;
&lt;P&gt;Do you know which specific EDL you’re referring to and who manages it? If it’s one of Palo’s predefined EDLs, you can open a support ticket to raise the concern and request a review of those IPs.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That said, if you’ve already found strong evidence that certain IPs are malicious, you don’t have to wait. You can easily create and host your own custom EDL that you can reference in your security policy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;EDLs are great to supplement your threat detection, but they shouldn't be the only layer of defense when you come across IPs/domains you would like to block.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Apr 2025 05:57:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226177#M2991</guid>
      <dc:creator>JayGolf</dc:creator>
      <dc:date>2025-04-10T05:57:36Z</dc:date>
    </item>
    <item>
      <title>Re: Palo EDL list - some malicious IPs not included</title>
      <link>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226549#M2993</link>
      <description>&lt;P&gt;Thanks for the reply Jay, I assume it's going to be a TAC case if I want to put in a request for Palo to review the IPs? Or is there an alternative method to create a 'Threat case'?&lt;/P&gt;</description>
      <pubDate>Tue, 15 Apr 2025 11:41:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/virustotal/palo-edl-list-some-malicious-ips-not-included/m-p/1226549#M2993</guid>
      <dc:creator>R.Bester</dc:creator>
      <dc:date>2025-04-15T11:41:25Z</dc:date>
    </item>
  </channel>
</rss>

