Manage External Dynamic Lists - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


Configure and manage your external dynamic lists in Cortex XDR.

An External Dynamic List (EDL) is a text file hosted on an external web server. Your Palo Alto Networks firewall uses it to control user access to IP addresses and domains that Cortex XDR has found to be associated with an alert.

Cortex XDR hosts two external dynamic lists you can configure and manage.

  • IP Addresses EDL

  • Domain Names EDL

To maintain an EDL, you must meet the following requirements:

  • Cortex XDR Pro per GB or Cortex Pro per Endpoint license

  • An App Administrator, Privileged Investigator, or Privileged Security Admin role which includes EDL permissions

  • Palo Alto Networks firewall running PAN-OS 9.0 or a later release

  • Access to your Palo Alto Networks firewall configuration

  1. Enable EDL.

    1. Navigate to Settings > Configurations > Integrations > External Dynamic List Integration.

    2. Enable External Dynamic List and enter the Username and Password that the Palo Alto Networks firewall should use to access the EDL.

  2. Test the URL connection.

    Testing is currently only available using the following curl and Windows PowerShell commands:

    For Linux/OS/Windows

    curl https://edl-<tenant-name>.xdr.<region> -u <user>:<password>

    For Windows PowerShell version 5 and later

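    # Force TLS 1.2 for the connection
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $username = "username"
    $password = "password"
    # Build the Basic authentication value from the EDL username and password
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
    # Request the EDL URL with the Basic authentication header
    Invoke-RestMethod -Uri "https://edl-<tenant-name>.xdr.<region>" -Headers @{ Authorization = "Basic $base64AuthInfo" }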

  3. Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the coming steps to point the firewall to these lists.

  4. Save the EDL configuration.

  5. Enable the firewall to authenticate the EDL.

    1. Download and save the following root certificate:

    2. On the firewall, select Device > Certificate Management > Certificates and Import the certificate. Make sure to give the device certificate a descriptive name, and select OK to save the certificate.

    3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.

    4. Give the profile a descriptive name and Add the certificate to the profile.

    5. Select OK to save the certificate profile.

  6. Set the Cortex XDR EDL as the source for a firewall EDL.

    For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.

    1. On the firewall, select Objects > External Dynamic Lists and Add a new list.

    2. Define the list Type as either IP List or Domain List.

    3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last step as the list Source.

    4. Select the Certificate Profile that you created in the last step.

    5. Select Client Authentication and enter the username and password that the firewall must use to access the EDL.

    6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.

    7. Click OK to add the new EDL.

  7. Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as match criteria to a security policy rule.

    Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the complete workflow to add an EDL as match criteria to a security policy rule.

    1. Select Policies > Security and Add or edit a security policy rule.

    2. In the Destination tab, select Destination Zone and select the external dynamic list as the Destination Address.

    3. Click OK to save the security policy rule and Commit your changes.

      You do not need to perform an additional commit or make any subsequent configuration changes for the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XDR EDL, the firewall will enforce the list most recently retrieved from Cortex XDR.

      You can also use the domain list as part of a URL Filtering profile or as an object in a custom Anti-Spyware profile; when attached to a security policy rule, a URL Filtering profile allows you to granularly control user access to the domains on the list.

  8. Add an IP address or Domain to your EDL.

    You can add to your IP address or Domain lists as you triage alerts from the Action Center or throughout Cortex XDR.

    Ensure EDL sizes don’t exceed your firewall model limit.

    To add an IP address or Domain from the Action Center, ??? to Add to EDL. You can choose to enter the IP address or Domain you want to add Manually or choose to Upload File.

    During investigation, you can also Add to EDL from the Actions menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher.

  9. At any time, you can view and make changes to the IP addresses and domain name lists.

    1. Navigate to Incident Response > Response > Action Center > Currently Applied Actions > External Dynamic List.

    2. Review your IP addresses and domain names lists.

    3. If desired, select New Action to add additional IP addresses and domain names.

    4. If desired, select one or more IP addresses or domain names, right-click and Delete any entries that you no longer want included on the lists.
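
For the Upload File option and the size warning in step 8, a pre-upload check can catch malformed entries, duplicates, internal addresses, and capacity overruns before they reach the firewall. This is an added example, not Cortex XDR or Palo Alto Networks code; the one-entry-per-line file format, the `#` comment handling, the protected ranges, and the caller-supplied `headroom` values are assumptions.

```python
import ipaddress
import re

# Assumption: ranges this site never wants on a block list (RFC 1918, loopback, link-local).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"(?=.{{1,253}}$)(?:{LABEL}\.)+[a-z][a-z0-9-]{{0,61}}[a-z0-9]")

def classify(entry):
    """Return ('ip', value) or ('domain', value); raise ValueError if unusable."""
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        name = entry.lower().rstrip(".")
        if DOMAIN_RE.fullmatch(name):
            return "domain", name
        raise ValueError("not an IP address or domain name") from None
    if any(ip in net for net in PROTECTED):
        raise ValueError("protected internal range")
    return "ip", str(ip)

def prepare_upload(lines, headroom):
    """headroom: {'ip': n, 'domain': n}, the firewall model limit minus entries
    already on each EDL (caller-supplied; limits depend on the firewall model)."""
    accepted, rejected, seen = {"ip": [], "domain": []}, [], set()
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()   # assumed: '#' starts a comment
        if not entry:
            continue
        try:
            kind, value = classify(entry)
        except ValueError as exc:
            rejected.append((lineno, entry, str(exc)))
            continue
        if value in seen:
            rejected.append((lineno, entry, "duplicate"))
            continue
        seen.add(value)
        accepted[kind].append(value)
    over = sorted(k for k in accepted if len(accepted[k]) > headroom[k])
    return accepted, rejected, over

# Constructed sample input: documentation addresses and reserved example domains.
SAMPLE = ["203.0.113.7", "203.0.113.7   # repeated", "10.0.0.5", "2001:db8::bad",
          "Malware.Example.", "http://bad.example/path", "999.1.1.1", "update.badsite.test"]

if __name__ == "__main__":
    accepted, rejected, over = prepare_upload(SAMPLE, {"ip": 1, "domain": 5})
    print(accepted, rejected, over, sep="\n")
```

Entries in `rejected` carry the source line number and reason, and a non-empty `over` list names the EDL that would exceed the supplied headroom.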