This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Inquiry Regarding Publishing Custom Third-Party IOC Feed via EDL Hosting Service

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inquiry Regarding Publishing Custom Third-Party IOC Feed via EDL Hosting Service

Go to solution
karif_123
L0 Member

‎12-10-2025 02:40 AM

Hello Palo Alto Team,

We are exploring the possibility of integrating a third-party threat intelligence feed (Google Threat Intelligence) into Palo Alto Networks firewalls using External Dynamic Lists (EDLs). While reviewing Palo Alto documentation, we noted the following and would appreciate clarification:

Background

  • Based on the documentation, standard EDLs require hosting a text-based IOC file on a web server.
  • We also reviewed documentation for Palo Alto’s EDL Hosting Service, which provides Palo Alto-managed, always-updated EDLs for various SaaS applications.


Our Questions

  • Is it possible for a third party (e.g., a vendor or developer outside of Palo Alto) to publish a custom IOC feed through Palo Alto’s EDL Hosting Service?
  • If yes, what is the required process for onboarding such a feed?
  • Does the EDL Hosting Service support feeds that require authentication (e.g., API key or token)?
  • Are there prerequisites — such as becoming a technology partner, meeting specific compliance standards, or submitting the integration for approval?


Goal

  • We aim to enable customers to consume Google Threat Intelligence IOCs through a Palo Alto–hosted EDL, rather than requiring them to maintain their own hosting infrastructure.
  • We appreciate any guidance or documentation you can provide regarding the feasibility and required steps for publishing a third-party IOC feed within the EDL Hosting Service.


Thank you for your time and assistance.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
JayGolf
Community Team Member

‎12-11-2025 09:20 PM

Hi @karif_123 ,

 

The only way to accomplish this currently is to create a text-based IOC list on a publicly accessible HTTPS server. You could create this list and host it on S3 for quick access. PAN-OS will then pull the feed at the defined interval. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
JayGolf
Community Team Member

‎12-11-2025 09:20 PM

Hi @karif_123 ,

 

The only way to accomplish this currently is to create a text-based IOC list on a publicly accessible HTTPS server. You could create this list and host it on S3 for quick access. PAN-OS will then pull the feed at the defined interval. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
karif_123
L0 Member
In response to JayGolf

‎12-11-2025 11:16 PM

Hi @JayGolf ,

Thank you for the clarification.

I understand that the current supported method is to host a text-based IOC list on a publicly accessible HTTPS server—such as S3 and have PAN-OS pull the feed. This would mean we must maintain our own hosting infrastructure for the feed.

However, I wanted to revisit a couple of questions from my original message:

  1. Does the Palo Alto EDL Hosting Service support feeds that require authentication (for example, via API key or token)?
  2. Is there any possibility for a third party (a vendor or developer outside Palo Alto) to publish a custom IOC feed through the Palo Alto–managed EDL Hosting Service?
  3. If this is supported, what would the onboarding or approval process look like?
    (e.g., partner requirements, certification steps, technical prerequisites)

Our goal is to allow customers to consume Google Threat Intelligence IOCs through a Palo Alto–hosted EDL similar to the SaaS application EDLs Palo Alto already publishes rather than requiring each customer to host the feed themselves.

Any additional guidance or documentation you can share on these specific points would be greatly appreciated.

Thanks again for your support.

0 Likes Likes
  • 1 accepted solution
  • 229 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks