Submit EDL entries from a security incident record for Palo Alto Networks Next-Generation Firewall

  • Release version: Australia
  • Updated Mar 12, 2026
  • 2 min read
  • Observables attached to a security incident record are submitted for approval as External Dynamic List (EDL) entries to EDLs. An approval process for EDL entries is part of the preconfigured workflow. The firewall imports EDL entries — IP addresses, URLs, domains — that are included in EDL lists and enforces policy.

    Before you begin

    Role required: sn_si.analyst to submit EDL entries. Approval of EDL entries is assigned to sn_si.admin by default, but this authority can be assigned as required by your organization.

    About this task

    Users with the sn_si.analyst role submit EDL entries by requesting a block on observables attached to a security incident record. Once submitted, an EDL entry with a status of Pending is generated and sent for approval. The following example shows a block request for a URL observable.

    Procedure

    1. Navigate to All > Security Incident > Incidents > Show All Incidents, and click a security incident record to open it.
    2. Click the Show IoC related link.
      Show IoC related link on the Security Incident record.
    3. In the Observables related list, select the observables you want to block and from the Actions on selected rows list, select Block Request.
      Select observables and run block request on Security Incident record.
    4. In the dialog box that is displayed, click the search icon.
    5. From the list that is displayed, select the EDL you want to attach this entry to.
      Note:
      For this example, the entry observable type (URL) should match the EDL observable type (URL).
      Select the EDL for the entry.
    6. In the Block Request dialog box with the EDL name displayed in the Implementation field, click Block.
      Block Request dialog box.
    7. Navigate to Palo Alto Networks NGFW Integration > Firewall EDL Entries and click Firewall EDL Entries.
      Firewall EDL Entries list.
    8. In the Palo Alto Networks Firewall External Dynamic List Entries list, click your observable in the Entry value column to open the record.

      For this example, the record for mail.dgtnetworks.com is displayed.

      EDL entry record.

      The status is Pending, the Active check box is cleared, and the work notes show that there is a request to add the observable. This EDL Entry request is ready for approval.

      The Entry value and Observable fields show different formats for the URL observable.

      Entry value field and Observable field show different formats for the same observable.

      The icon next to the Observable field is a link to the ServiceNow AI Platform® Observable table.

      The value in the Observable field (http://mail.dgtnetworks.com) links to the Observable table, and it matches the format that was brought over from the Security Incident Response incident-triggering event.

      The ServiceNow AI Platform® may automatically modify EDL entries so that they are compatible with the Palo Alto Networks EDL URL format.

      In this example, the observable was created with the http:// protocol (http://mail.dgtnetworks.com), and this format is displayed in the Observable field. The http:// protocol is stripped off automatically from the observable by the ServiceNow AI Platform® so it is compatible with Palo Alto Networks and can be retrieved. As a result, mail.dgtnetworks.com is displayed in the Entry value field.
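
      The type check from the note in step 5 and the protocol stripping described in step 8, as an added Python example that is not ServiceNow or Palo Alto Networks code. The function names, the handling of https://, the host validation rules, and every sample observable other than mail.dgtnetworks.com are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

EDL_TYPES = {"ip", "url", "domain"}  # the three entry kinds the page names
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
_HOST = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def _check_host(host, allow_ip=False):
    """Validate a host name (or, optionally, an IP literal); return it lowercased."""
    host = host.lower().rstrip(".")
    if allow_ip:
        try:
            return str(ipaddress.ip_address(host))
        except ValueError:
            pass  # not an IP literal, fall through to the host name check
    if not _HOST.fullmatch(host):
        raise ValueError(f"not a valid host name: {host!r}")
    return host

def to_edl_entry(observable_type, value, edl_type):
    """Predict the Entry value for one observable, or raise ValueError."""
    otype, etype = observable_type.strip().lower(), edl_type.strip().lower()
    if etype not in EDL_TYPES:
        raise ValueError(f"unsupported EDL type: {edl_type!r}")
    if otype != etype:  # step 5 note: the entry type must match the EDL type
        raise ValueError(f"observable type {otype!r} does not match EDL type {etype!r}")
    value = value.strip()
    if etype == "ip":
        return str(ipaddress.ip_address(value))
    if etype == "domain":
        return _check_host(value)
    m = _SCHEME.match(value)
    if m and m.group(1).lower() not in ("http", "https"):  # https is an assumption
        raise ValueError(f"unsupported scheme: {m.group(1)!r}")
    rest = value[m.end():] if m else value
    if not rest or any(c.isspace() for c in rest):
        raise ValueError(f"malformed URL observable: {value!r}")
    _check_host(urlsplit("//" + rest).hostname or "", allow_ip=True)
    return rest  # scheme removed, remainder left unchanged

def plan_block_request(observables, edl_type):
    """Split (type, value) pairs into predicted entries and rejected observables."""
    entries, rejected = [], []
    for otype, value in observables:
        try:
            entries.append(to_edl_entry(otype, value, edl_type))
        except ValueError as exc:
            rejected.append((value, str(exc)))
    return entries, rejected

# Constructed sample: the page's URL plus made-up observables for illustration.
SAMPLE = [("URL", "http://mail.dgtnetworks.com"), ("URL", "https://portal.example.com/login"),
          ("IP", "192.0.2.10"), ("URL", "ftp://files.example.com/a")]
```

      Running plan_block_request(SAMPLE, "URL") before step 3 shows which selected observables would be rejected for a URL-type EDL and what the Entry value should look like for the rest.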

    What to do next

    Approve EDL entries.