05-07-2026 08:36 AM
Hi community,
I'm looking for a way to programmatically add IP addresses to the Cortex XDR External Dynamic List (EDL) via the XDR public API — ideally using a Python script.
Currently, I can see that the EDL is referenced in the Audit Log API as an AUDIT_ENTITY value, but I cannot find any dedicated API endpoint to add or manage IPs in the EDL directly.
Our use case: We have a SOAR platform that automatically investigates alerts. When an IP is confirmed malicious, we want to run a Python script that automatically pushes it to the XDR EDL so our Palo Alto firewall can block it — without any manual intervention.
My questions:
1. Is there any existing API endpoint to add IPs to the XDR EDL (IP Block List)?
2. If not, is this on the roadmap?
3. What is the recommended automated approach for pushing confirmed malicious IPs from a SOAR platform to the XDR EDL?
Thank you!
05-11-2026 07:26 AM
Hello @N.Majidova ,
Greetings for the day.
Regarding the programmatic management of the Cortex XDR External Dynamic List (EDL).
Currently, the Cortex XDR public API does not support the programmatic addition, modification, or management of IP addresses or domains within the hosted External Dynamic List (EDL). The EDL is designed as a distribution point for indicators to be consumed by external devices, primarily Palo Alto Networks firewalls, and entries must be managed manually via the Cortex XDR management console.
This is a known product limitation and is actively tracked as a Feature Request (FR) under the following IDs:
- CXDR-I-2208: Ability to manage EDL lists using the public API.
- CXDR-I-2539: Automation Rules - Ability to add IPs or domains to EDLs.

There is currently no estimated timeframe (ETA) for the implementation of these features. You are encouraged to contact your Palo Alto Networks Account Team or Sales Engineer to express interest and track the progress of these requests.
Since direct API management is not available, the following automated or alternative approaches are recommended:
For SOAR platforms, the most effective automated approach is to bypass the XDR-hosted EDL and push the confirmed malicious IPs directly to the Palo Alto Networks Next-Generation Firewall (NGFW) or Panorama using their respective XML or REST APIs.
You can add these IPs to a dedicated Address Group that the firewall uses for blocking.
If manual intervention is acceptable for high-volume updates, you can use the Upload File feature in the Action Center. This allows you to import a text file (.txt) with one IP address per line.
Path: Incident Response → Response → Action Center → New Action → Add to EDL → Select Upload File
You may also consider using Host Firewall rules to block communications directly on supported endpoints, though this is managed via profiles rather than a dynamic list API.
Cortex XDR EDLs only support public, routable IP addresses. Attempting to add private (RFC 1918) IP addresses (for example, 10.0.0.0/8 or 192.168.0.0/16) via the standard EDL interface will result in the error: Adding an internal IP address is not supported
The EDL only supports:
Subnets and CIDR ranges are not supported.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
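Added example, not part of the reply above and not Palo Alto Networks code: a pre-filter a SOAR playbook could run before the Upload File step, keeping only entries that fit the constraints the reply describes (one IP per line, public routable addresses only, no subnets or CIDR ranges). The function names are hypothetical, the sample list is constructed, and "public, routable" is approximated with Python's `ipaddress.is_global`, which is an assumption about what the console accepts.

```python
import ipaddress

def build_edl_upload(candidates):
    """Split SOAR verdict strings into (accepted, rejected) for an EDL upload file.

    accepted: de-duplicated IP strings in first-seen order
    rejected: (value, reason) tuples to send back to the analyst queue
    """
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        value = raw.strip()
        if not value:
            continue  # skip blank lines
        if "/" in value:
            rejected.append((value, "subnet/CIDR not supported"))
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            rejected.append((value, "not an IP address"))
            continue
        # Assumption: is_global stands in for "public, routable". It excludes
        # RFC 1918, loopback, link-local, CGNAT and documentation ranges.
        if not ip.is_global:
            rejected.append((value, "internal or non-routable address"))
            continue
        canonical = str(ip)
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected

def render_upload_text(accepted):
    """Return the .txt body: one IP address per line."""
    return "".join(ip + "\n" for ip in accepted)

# Constructed sample input. Well-known public resolver addresses are used only
# as formatting stand-ins, because documentation ranges are not global.
SAMPLE = ["8.8.8.8", " 1.1.1.1 ", "8.8.8.8", "10.1.2.3", "192.168.1.10",
          "198.51.100.0/24", "203.0.113.7", "not-an-ip", ""]

if __name__ == "__main__":
    ok, bad = build_edl_upload(SAMPLE)
    with open("edl_upload.txt", "w", encoding="ascii", newline="\n") as fh:
        fh.write(render_upload_text(ok))
    for value, reason in bad:
        print(f"skipped {value}: {reason}")
```

Rejected entries are returned with a reason rather than dropped, so the playbook can log why a confirmed IP never reached the block list.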

