Manage external dynamic lists

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-04
Category
Administrator Guide
Abstract

Configure and manage your external dynamic lists in Cortex XSIAM.

An External Dynamic List (EDL) is a hosted text file. In Cortex XSIAM, you can configure an EDL to share a list of Cortex XSIAM indicators with other products in your network, such as a firewall. For example, your Palo Alto Networks firewall can add IP addresses and domain data from the EDL to block or allow lists.

Cortex XSIAM hosts the following external dynamic lists that you can configure and manage:

  • IP Addresses EDL

  • Domain Names EDL

Configure an EDL

Before you start, you must have a role that includes View/Edit EDL permissions, such as Instance Admin.

If creating a custom role, select View/Edit for EDL (Roles > New Roles > INVESTIGATION & RESPONSE > Response > EDL).

You can set up an EDL on the Cortex XSIAM tenant or an engine.

Note

  • Configuring custom certificates or private API Keys in the EDL integration instance is supported only on engines, not on the Cortex XSIAM tenant.

  • For EDL integrations on the tenant, you must set a username and password. For long-running integrations running on an engine, we strongly recommend setting a username and password, but it is not required. You can set credentials for all EDL integrations or for a specific integration instance.

  • The legacy external dynamic list PAN-OS integration is deprecated. Use the EDL integration on the Data Sources & Integrations page (by clicking the Automation & Feed Integration link).

  1. Navigate to Settings > Configurations > Integrations > External Dynamic List Integration.

  2. Under External Dynamic List Credentials, enter a username and password.

  3. In the External Dynamic List - Generic Integration section, click the link to configure the External Dynamic List integration.

  4. Select the Generic Export Indicators Service integration and click Add Instance.

  5. If you are using an engine, add the following:

    • Listen Port: The service that serves the EDL runs on this port from within Cortex XSIAM. You need a unique port for each long-running integration instance (do not use the same port for multiple instances).

    • Run on single engine: Select the engine from a drop-down.

  6. Enter an indicator query.

    The query updates the EDL list. To view expected results, run !findIndicators query=<your query> from the Cortex XSIAM CLI. Field names in your query must match the machine name for each field.

  7. Enter the maximum list size.

    Note

    If an indicator query returns more indicators than the EDL list size, the list is populated with the most recent n indicators sorted by their last seen timestamp, where n is the maximum size of the EDL.

  8. Important

    The EDL URL must always be prefixed by ext-.

    • If using EDL data on the Cortex XSIAM tenant, run the following curl command to access and test the External Dynamic List:

      https://ext-<cortex-xsiam-address>/xsoar/instance/execute/<instance-name>

      Example 172. 
      curl -v -u user:pass https://ext-mytenant.paloaltonetworks.com/xsoar/instance/execute/edl_instance_01\?q\=type:ip

    • If using EDL data on an engine, run the following curl command to access and test the External Dynamic List with the engine URL:

      http://<engine-address>:<integration listen port>/

      Example 173. 
      curl -v -u user:pass http://<engine_address>:<listen_port>/?n=50

  9. Save your changes.
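The curl commands in step 8 only show the raw response. The following Python script is an added example, not code from Cortex XSIAM or this guide: it builds the tenant URL with the required ext- prefix, fetches the list with the basic-auth credentials from step 2, and checks that every entry is a well-formed IP/CIDR or domain and that the entry count stays within the maximum list size (or the firewall model's EDL limit). The function names and the sample list body are constructed for this example.

```python
"""Fetch and sanity-check a Cortex XSIAM EDL before pointing a firewall at it (added example)."""
import ipaddress
import re
import urllib.parse
import urllib.request

# Hostname label rules (RFC 1123): letters, digits, hyphens; no leading/trailing hyphen; at least two labels.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def build_tenant_edl_url(tenant_host, instance_name, query=None, limit=None):
    """Build the tenant EDL URL, enforcing the mandatory ext- prefix on the tenant address."""
    host = tenant_host if tenant_host.startswith("ext-") else "ext-" + tenant_host
    url = f"https://{host}/xsoar/instance/execute/{urllib.parse.quote(instance_name)}"
    params = {}
    if query:
        params["q"] = query      # indicator query, e.g. type:ip
    if limit:
        params["n"] = str(limit)  # maximum number of entries to return
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def fetch_edl(url, username, password, timeout=30):
    """Download the EDL body with HTTP basic auth (the External Dynamic List Credentials from step 2)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def validate_edl(body, list_type, max_size):
    """Split an EDL body into (valid, invalid, over_limit) for a firewall list type of "ip" or "domain".

    over_limit is True when the valid entry count exceeds max_size, which should be the smaller of the
    integration's maximum list size and the firewall model's EDL capacity.
    """
    valid, invalid = [], []
    for line in body.splitlines():
        entry = line.strip()
        if not entry:
            continue  # blank lines carry no entry
        if list_type == "ip":
            try:
                ipaddress.ip_network(entry, strict=False)  # accepts single hosts and CIDR ranges, v4 or v6
                ok = True
            except ValueError:
                ok = False
        else:
            ok = bool(_DOMAIN_RE.match(entry))
        (valid if ok else invalid).append(entry)
    return valid, invalid, len(valid) > max_size


# Constructed sample of an IP-type EDL response; not captured from a real tenant.
SAMPLE_IP_EDL = "203.0.113.10\n198.51.100.0/24\n2001:db8::1\nnot-an-ip\n\n"
```

Run validate_edl(fetch_edl(build_tenant_edl_url(...), user, password), "ip", limit) against your tenant; any entry in the invalid list, or over_limit being True, is worth resolving before the firewall retrieves the list.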

  1. Enable the firewall to authenticate the EDL.

    1. Download and save the following root certificate: https://certs.godaddy.com/repository/gdroot-g2.crt.

    2. On the firewall, select Device > Certificate Management > Certificates and Import the certificate. Make sure to give the device certificate a descriptive name, and select OK to save the certificate.

    3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.

    4. Give the profile a descriptive name and Add the certificate to the profile.

    5. Select OK to save the certificate profile.

  2. Set the Cortex XSIAM EDL as the source for a firewall EDL.

    For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.

    1. On the firewall, select Objects > External Dynamic Lists and Add a new list.

    2. Define the list Type as either IP List or Domain List.

    3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last step as the list Source.

    4. Select the Certificate Profile that you created in the last step.

    5. Select Client Authentication and enter the username and password that the firewall must use to access the EDL.

    6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XSIAM.

    7. Click OK to add the new EDL.

  3. Select Policies > Security and Add or edit a security policy rule to add the Cortex XSIAM EDL as match criteria to a security policy rule.

    Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the complete workflow to add an EDL as match criteria to a security policy rule.

    1. Select Policies > Security and Add or edit a security policy rule.

    2. In the Destination tab, select Destination Zone and select the external dynamic list as the Destination Address.

    3. Click OK to save the security policy rule and Commit your changes.

      You do not need to perform an additional commit or make any subsequent configuration changes for the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XSIAM EDL, the firewall will enforce the list most recently retrieved from Cortex XSIAM.

      Tip

      You can also use the IP list and URL lists as part of a URL Filtering policy, or the domain list as part of a custom Anti-Spyware profile.

You can add to your IP address or Domain lists as you triage issues from the Action Center or throughout Cortex XSIAM.

Note

Ensure EDL sizes don’t exceed your firewall model limit.

To add an IP address or Domain from the Action Center, select Add to EDL. You can choose to enter the IP address or Domain you want to add Manually or choose to Upload File.

During investigation, you can also Add to EDL from the Actions menu that is available from investigation pages such as the Issues View, Causality View, or IP View.

At any time, you can view and make changes to the IP addresses and domain name lists.

  1. Go to Investigation & Response > Response > Action Center > Currently Applied Actions > External Dynamic List.

  2. Review your IP addresses and domain names lists.

  3. If desired, select New Action to add additional IP addresses and domain names.

  4. If desired, select one or more IP addresses or domain names, right-click and Delete any entries that you no longer want included on the lists.