05-07-2026 08:36 AM
Hi community,
I'm looking for a way to programmatically add IP addresses to the Cortex XDR External Dynamic List (EDL) via the XDR public API — ideally using a Python script.
Currently, I can see that the EDL is referenced in the Audit Log API as an AUDIT_ENTITY value, but I cannot find any dedicated API endpoint to add or manage IPs in the EDL directly.
Our use case: We have a SOAR platform that automatically investigates alerts. When an IP is confirmed malicious, we want to run a Python script that automatically pushes it to the XDR EDL so our Palo Alto firewall can block it — without any manual intervention.
My questions:
1. Is there any existing API endpoint to add IPs to the XDR EDL (IP Block List)?
2. If not, is this on the roadmap?
3. What is the recommended automated approach for pushing confirmed malicious IPs from a SOAR platform to the XDR EDL?
Thank you!

