Supported Cortex XSOAR versions: 5.5.0 and later.
Use the Generic Export Indicators Service integration to provide an endpoint that serves a list of the system's indicators as a service.
Unlike PAN-OS EDL Management, this integration hosts the EDL on the Cortex XSOAR server. Follow these steps to migrate your EDLs.
- Convert existing EDL lists to indicators in Cortex XSOAR. This can be done automatically:
  - Extract your EDL as a text file from the web server it's currently hosted on.
  - Upload it as a file to the Playground and use the
- Go to the Indicators page and filter to find all of the indicators you extracted from the text file.
- If needed, batch select the indicators and add a tag to the indicators you want to host as a specific EDL. Use this tag in the Indicator Query integration parameter when configuring the integration. For example, use separate tags if you want to create an allowed list of indicators and a blocked list of indicators.
- Edit the EDL object on the PAN-OS device to pull from the Export Indicators Service (PAN-OS EDL Service) instance, as explained in Access the Export Indicators Service by Instance Name (HTTPS). You can edit the EDL object using the panorama-edit-edl command in the Palo Alto Networks PAN-OS integration.
- Commit and push the configuration from the Panorama device to its respective Firewalls using the PAN-OS Commit Configuration playbook.
- If you have a deployment with 100 firewalls or more, we recommend using your Panorama device and creating an EDL object there, which will be populated from the PAN-OS EDL Service. Then push the EDL object to the respective firewalls.
- Follow the instructions in the rest of this guide to make sure that the PAN-OS device is connected to the EDL service.
Important Note: The integration runs as two processes, nginx and python. Nginx is the process that listens on the configured port, while the python process listens on the configured port + 1. For example, if an instance is configured for port 9009, the nginx process listens on port 9009 and python on port 9010. When running without --network=host, the python port is not exposed to the host machine.
- Export a list of malicious IPs to block via a firewall.
- Export a list of indicators to a service such as Splunk, using a supported output format.
- Generate feeds to be used on PAN-OS as External Dynamic Lists.
- Create External Dynamic Lists (EDLs) of the IP addresses, URLs, and domains used by ransomware, known APT groups, and active malware campaigns for tracking in AutoFocus.
- Create External Dynamic Lists to track IPs and URLs commonly used by Microsoft Office365 or CDNs and cloud services, or used as tor exit nodes.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Generic Export Indicators Service.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| Update list on demand only | Enabling this prevents automatic list refresh. | False |
| Indicator Query | The query to run to update the indicators list. To view expected results, run the following command from the Cortex XSOAR CLI | False |
| Outbound Format | The format of the exported list. | True |
| Exported Fields | For use with JSON and CSV formats - select specific Cortex XSOAR fields to export. If given the value 'all' - all Cortex XSOAR fields are exported. If empty - only value and type are exported. | False |
| List Size | Maximum number of items in the list. | True |
| Refresh Rate | How often to refresh the list (e.g., less than 1 minute, 5 minutes, 12 hours, 7 days, 3 months, 1 year). For performance reasons, we do not recommend setting this value at less than 1 minute. | False |
| Listen Port | Runs the service on this port from within Cortex XSOAR. Requires a unique port for each long-running integration instance. Do not use the same port for multiple instances. | True |
| Certificate (Required for HTTPS) | For use with HTTPS - the certificate that the service should use. | False |
| Private Key (Required for HTTPS) | For use with HTTPS - the private key that the service should use. | False |
| Username | Uses basic authentication for accessing the list. If empty, no authentication is enforced. | False |
| Password | Uses basic authentication for accessing the list. If empty, no authentication is enforced. | False |
| Add comment to empty list | If selected, add to an empty list the comment "# Empty list". | False |
| Strip ports from URLs | If selected, ports in URLs are removed. For example, 'www.example.com:9999/path' becomes 'www.example.com/path'. | False |
| Strip protocols from URLs | If selected, strips the protocol (http/https) from URLs. | False |
| Truncate URL length | If selected, URLs are truncated to no more than 254 characters. | False |
| Prepend string to list | String to add to the beginning of the published list. Supports newline characters (\n). | False |
| Append string to list | String to add to the end of the published list. Supports newline characters (\n). | False |
| IP Collapsing | For use with PAN-OS (text) format - collapse method for IPs (none, range, CIDR). | False |
| PAN-OS: drop invalid URL entries | For use with PAN-OS (text) format - if selected, any URL entry that is not compliant with PAN-OS URL format is dropped instead of rewritten. | False |
| McAfee Gateway: Indicator List Type | For use with McAfee Web Gateway format - set the indicator list type. | False |
| Symantec ProxySG: Default Category | For use with Symantec ProxySG format - set the default category for the output. | False |
| Symantec ProxySG: Listed Categories | For use with Symantec ProxySG format - set the categories that should be listed in the output. If not set, lists all existing categories. | False |
| Show CSV formats as Text | If selected, CSV format appears in a textual webpage instead of initiating a file download. | False |
| XSOAR Indicator Page Size | Internal page size used when querying Cortex XSOAR for the indicators. | False |
| Maximum CIDR network prefix bits size | CIDRs with a lower network prefix bits number are not included. For example - if the number is 8, then 0.0.0.0/2 is excluded from the list. | False |
| Exclude top level domainGlobs | Option to remove top level domainGlobs from the list. For example - *.com. | False |
| Advanced: NGINX Global Directives | NGINX global directives to be passed on the command line using the -g option. Each directive should end with | False |
| Advanced: NGINX Server Conf | NGINX server configuration to be used instead of the default NGINX_SERVER_CONF used in the integration code. Advanced configuration to be used only if instructed by Cortex XSOAR Support. | False |
| Advanced: NGINX Read Timeout | NGINX read timeout in seconds. | False |
| Advanced: use legacy queries | When enabled, the integration queries the server using full queries. Advanced configuration to be used only if instructed by Cortex XSOAR Support, or you've encountered log errors in the form of: 'msgpack: invalid code.' | False |
There are two integration parameters used as safeguards: Maximum CIDR network prefix bits size and Exclude top level domainGlobs. These parameters prevent the integration from incorrectly inserting unwanted TLDs or a CIDR with too wide a range.
The default value for Maximum CIDR network prefix bits size is 8, which means that CIDRs with a lower network prefix bits number (such as 0.0.0.0/2) are not included.
The default value for Exclude top level domainGlobs is off. If enabled, the exported list does not hold indicators such as *.org and other top level domains.
When parsing domainGlob indicator types, the parser creates two different entries (which is usually how DNS firewalls work). For example, if the domainGlob *.bad.com is parsed, it outputs two lines to the list:
*.bad.com
bad.com
The DNS firewall then also blocks bad.com, which does not happen if only *.bad.com is listed.
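As an added example (not the integration's own code), the following Python re-implements, with the standard library, the behaviour described in the two sections above: the Maximum CIDR network prefix bits size filter, the Exclude top level domainGlobs filter, and the two-line expansion of a domainGlob. The function names and the sample indicator list are constructed for this example, and the rule that a "top level domainGlob" is `*.` followed by a single label is an assumption, not a statement about the real parser.

```python
import ipaddress

# Constructed sample: a dangerously wide CIDR, a normal CIDR, a top level glob,
# a regular domainGlob and a plain domain.
SAMPLE_INDICATORS = ["0.0.0.0/2", "10.0.0.0/8", "*.com", "*.bad.com", "evil.example"]


def filter_wide_cidrs(entries, max_prefix_bits=8):
    """Mirror 'Maximum CIDR network prefix bits size' (default 8).

    A CIDR whose prefix length is lower than the limit covers too much address
    space (0.0.0.0/2 is a quarter of IPv4) and is dropped. Entries that are not
    IPs or CIDRs pass through unchanged.
    """
    kept = []
    for entry in entries:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            kept.append(entry)  # URL, domain, domainGlob ...
            continue
        if network.prefixlen < max_prefix_bits:
            continue  # too wide: would blackhole a huge range on the firewall
        kept.append(entry)
    return kept


def is_top_level_glob(entry):
    """Assumption used in this example: '*.' followed by a single label (e.g. '*.com')."""
    return entry.startswith("*.") and "." not in entry[2:]


def exclude_tld_globs(entries):
    """Mirror 'Exclude top level domainGlobs' when it is enabled."""
    return [entry for entry in entries if not is_top_level_glob(entry)]


def expand_domain_glob(entry):
    """A domainGlob '*.bad.com' becomes two lines, '*.bad.com' and 'bad.com',
    so the apex domain is blocked as well as its subdomains."""
    if entry.startswith("*."):
        return [entry, entry[2:]]
    return [entry]


def build_text_list(entries, max_prefix_bits=8, exclude_tlds=False):
    """Apply both safeguards, then expand globs, as a text export would."""
    entries = filter_wide_cidrs(entries, max_prefix_bits)
    if exclude_tlds:
        entries = exclude_tld_globs(entries)
    lines = []
    for entry in entries:
        lines.extend(expand_domain_glob(entry))
    return lines


if __name__ == "__main__":
    print("\n".join(build_text_list(SAMPLE_INDICATORS)))
    print("--- with 'Exclude top level domainGlobs' enabled ---")
    print("\n".join(build_text_list(SAMPLE_INDICATORS, exclude_tlds=True)))
```

Running the module shows why the second safeguard matters: with it off, the glob `*.com` is expanded into `*.com` and `com`, which a DNS firewall would treat as a block of the entire TLD.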
When IP Collapsing is enabled, duplicate IP ranges are removed. For example, if the list contains two CIDRs where one falls inside the other (such as a /16 within a /8), only the wider /8 will be included in the exported list.
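The collapse behaviour above, as an added example rather than the integration's own implementation: a small Python module that applies the two IP Collapsing modes (CIDR and range) to a constructed list, using ipaddress.collapse_addresses to merge overlapping and adjacent networks. Function names and sample values are constructed; the page does not specify the exact output notation of the real integration, so the 'first-last' range format is an assumption.

```python
import ipaddress

# Constructed sample: a /16 inside a /8, two adjacent /24s that do not align
# into a single CIDR, two consecutive hosts, and a lone IPv6 host.
SAMPLE_IPS = [
    "10.1.0.0/16", "10.0.0.0/8",
    "172.16.1.0/24", "172.16.2.0/24",
    "192.0.2.7", "192.0.2.8",
    "2001:db8::1",
]


def _collapsed_networks(entries):
    """Parse entries and merge overlapping/adjacent networks per IP version."""
    by_version = {4: [], 6: []}
    for entry in entries:
        network = ipaddress.ip_network(entry, strict=False)
        by_version[network.version].append(network)
    # collapse_addresses only accepts one address family at a time
    return (list(ipaddress.collapse_addresses(by_version[4]))
            + list(ipaddress.collapse_addresses(by_version[6])))


def _format_network(network):
    # single hosts are written as a plain address, not as /32 or /128
    if network.prefixlen == network.max_prefixlen:
        return str(network.network_address)
    return str(network)


def collapse_to_cidrs(entries):
    """IP Collapsing = CIDR: a /16 inside a /8 is absorbed by the /8, and
    adjacent networks that form a larger aligned block are merged."""
    return [_format_network(n) for n in _collapsed_networks(entries)]


def collapse_to_ranges(entries):
    """IP Collapsing = range: contiguous address space becomes 'first-last';
    an isolated host stays a plain address."""
    ranges = []
    for network in _collapsed_networks(entries):  # sorted within each family
        first, last = network.network_address, network.broadcast_address
        previous_last = ranges[-1][1] if ranges else None
        if (previous_last is not None and previous_last.version == first.version
                and int(first) == int(previous_last) + 1):
            ranges[-1][1] = last  # extend the previous contiguous run
        else:
            ranges.append([first, last])
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


if __name__ == "__main__":
    print("CIDR :", collapse_to_cidrs(SAMPLE_IPS))
    print("range:", collapse_to_ranges(SAMPLE_IPS))
```

Note that the two adjacent /24s are not merged in CIDR mode (172.16.1.0/23 would not be aligned), but they do become one contiguous run in range mode.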
The Prepend string to list and Append string to list parameters add a list of constant values to the exported list.
The expected value is a string and supports newline characters (\n).
When PAN-OS: drop invalid URL entries is enabled, any URL entry that is not compliant with PAN-OS URL format is dropped instead of rewritten.
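The URL handling options from the parameter table (Strip ports from URLs, Strip protocols from URLs, Truncate URL length) together with the drop-or-rewrite choice above, as an added Python example that is not the integration's own code. The function names are constructed, and the compliance check in is_pan_os_url is a deliberately simplified stand-in (no scheme, no whitespace, within the 254-character limit), not the vendor's full PAN-OS URL rule set.

```python
import re

MAX_URL_LENGTH = 254  # 'Truncate URL length' limit from the parameter table

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
# host:port optionally followed by a path; bracketed IPv6 hosts are not handled here
_HOST_PORT = re.compile(r"^(?P<host>[^/:\s]+):\d+(?P<rest>/.*)?$")


def normalize_url(url, strip_port=False, strip_protocol=False, truncate=False):
    """Apply the three URL options in order: port, protocol, length."""
    scheme = ""
    match = _SCHEME.match(url)
    if match:
        scheme, url = match.group(0), url[match.end():]
    if strip_port:
        # 'www.example.com:9999/path' -> 'www.example.com/path'
        url = _HOST_PORT.sub(lambda m: m.group("host") + (m.group("rest") or ""), url)
    if not strip_protocol:
        url = scheme + url
    if truncate and len(url) > MAX_URL_LENGTH:
        url = url[:MAX_URL_LENGTH]
    return url


def is_pan_os_url(url):
    """Simplified compliance check (an assumption for this example): non-empty,
    no scheme, no whitespace, and within the truncation limit."""
    return (bool(url) and not _SCHEME.match(url)
            and not re.search(r"\s", url) and len(url) <= MAX_URL_LENGTH)


def rewrite_for_pan_os(url):
    """The 'rewrite' path: drop the scheme and any whitespace, then truncate."""
    url = _SCHEME.sub("", url)
    url = "".join(url.split())
    return url[:MAX_URL_LENGTH]


def export_urls(urls, strip_port=True, strip_protocol=True, truncate=True,
                drop_invalids=False):
    """Produce PAN-OS text lines: normalize each entry, then either drop or
    rewrite whatever is still non-compliant, per 'drop invalid URL entries'."""
    lines = []
    for url in urls:
        url = normalize_url(url, strip_port, strip_protocol, truncate)
        if not is_pan_os_url(url):
            if drop_invalids:
                continue
            url = rewrite_for_pan_os(url)
            if not url:
                continue
        lines.append(url)
    return lines


if __name__ == "__main__":
    sample = ["https://www.example.com:9999/path", "bad host.example/x", "good.example/y"]  # constructed
    print(export_urls(sample, drop_invalids=False))
    print(export_urls(sample, drop_invalids=True))
```

The order matters: with drop_invalids off, an entry such as 'bad host.example/x' is rewritten to 'badhost.example/x' and still reaches the firewall, which may not be what an analyst intended; with it on, the entry is silently absent from the list, so review what was dropped when the exported count is lower than expected.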
Exported Fields applies to the JSON and CSV formats - select specific Cortex XSOAR fields to export.
If given the value all, all of Cortex XSOAR's available fields will be exported. If set to empty, only the indicator value and type will be exported.
Optional system fields are:
In addition to the system fields, you can also search for custom fields.
To get the list of all available fields to search by, configure the Exported Fields parameter with the all option and check the list returned.
Note: By default, the route is open without security hardening and might expose you to network risks. Cortex XSOAR recommends that you use credentials to connect to the integration.
To access the Export Indicators service by instance name, make sure Instance execute external is enabled.
- In Cortex XSOAR, go to Settings > About > Troubleshooting.
- In the Server Configuration section, verify that the instance.execute.external key is set to true. If this key does not exist, click + Add Server Configuration, add the instance.execute.external key and set the value to true. See this documentation for further information.
- In a web browser, go to
Use the following arguments in the URL to change the request:
| Argument | Description |
| --- | --- |
| n | The maximum number of entries in the output. If no value is provided, uses the value specified in the List Size parameter configured in the instance configuration. |
| s | The starting entry index from which to export the indicators. |
| v | The output format. Supports |
| q | The query used to retrieve indicators from the system. |
| t | Only with |
| sp | If set, strips ports off URLs. |
| pr | If set, strips protocol off URLs. |
| di | Only with |
| tr | Only with |
| cd | Only with |
| ca | Only with |
| tx | Whether to output |
| mc | Configure max CIDR size. |
| nt | Configure whether to exclude top level domainGlobs. |
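An added consumer-side example, not part of the integration or of this page's own code: building the GET request for an instance URL with the URL arguments listed above and the Basic authentication that the security hardening note recommends, then parsing a text-format response, including the "# Empty list" comment line. The base URL, credentials and response bodies are constructed placeholders; the function names are this example's own.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder instance URL: substitute the URL shown for your own instance.
EDL_BASE_URL = "https://xsoar.example.invalid/instance/execute/edl-instance-placeholder"

# Constructed response bodies, as the service would return them with the
# prepend/append options set: one empty result, one with three indicators.
CONSTRUCTED_EMPTY_BODY = "# generated by xsoar\n# Empty list\n"
CONSTRUCTED_BODY = "# blocklist\n10.0.0.0/8\n*.bad.example\nbad.example\n\n# end\n"


def build_edl_request(base_url, username=None, password=None, **url_args):
    """Return a urllib Request for the EDL endpoint.

    url_args are the arguments from the table above (n, s, v, q, sp, pr, ...);
    arguments set to None are omitted. Basic auth is attached only when both
    credentials are supplied, matching the Username/Password parameters.
    """
    query = {key: value for key, value in url_args.items() if value is not None}
    url = base_url + ("?" + urlencode(query) if query else "")
    request = Request(url)
    if username and password:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    return request


def parse_text_list(body):
    """Turn a text-format response into indicator lines.

    Blank lines and '#' comment lines (the '# Empty list' marker, or a
    prepended/appended comment string) are skipped.
    """
    lines = []
    for raw in body.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def fetch_text_list(base_url, username, password, timeout=300, **url_args):
    """Fetch and parse the list over HTTPS (network call; not exercised offline)."""
    request = build_edl_request(base_url, username, password, **url_args)
    with urlopen(request, timeout=timeout) as response:
        return parse_text_list(response.read().decode("utf-8"))


if __name__ == "__main__":
    req = build_edl_request(EDL_BASE_URL, "reader", "placeholder-password",
                            n=100, v="text", q="type:IP and tags:block", sp=1)
    print(req.full_url)
    print(parse_text_list(CONSTRUCTED_BODY))
```

Because the endpoint is open by default, pair the Username/Password parameters with the HTTPS certificate and private key parameters so the credentials are never sent in clear text, and keep the q argument server-side (the Indicator Query parameter) where possible rather than letting arbitrary callers choose the query.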
You can execute these commands from the Cortex XSOAR CLI as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Updates values stored in the List (only available On-Demand).
| Argument | Description | Required |
| --- | --- | --- |
| query | The query used to retrieve indicators from the system. Leave empty to use the query from the integration parameters. | Optional |
| format | The output format. | Optional |
| edl_size | The maximum number of entries in the output. If no value is provided, uses the value specified in the List Size parameter configured in the instance configuration. | Optional |
| print_indicators | If set to true, prints the indicators that were saved to the export indicators service. | Required |
| mwg_type | For use with McAfee Web Gateway format to indicate the list type. | Optional |
| url_port_stripping | If true, strips the port off URLs. | Optional |
| url_protocol_stripping | If true, strips the protocol off URLs. | Optional |
| drop_invalids | For use with PAN-OS (text) format - if checked, any URL entry which is not compliant with PAN-OS EDL URL format is dropped instead of rewritten. | Optional |
| category_attribute | For use with Symantec ProxySG format - set the categories that should be listed in the output. If not set, lists all existing categories. | Optional |
| category_default | For use with Symantec ProxySG format - set the default category for the output. | Optional |
| collapse_ips | For use with PAN-OS (text) format - whether to collapse IPs, and if so, to ranges or CIDRs. | Optional |
| csv_text | If true, outputs CSV format as textual web pages. | Optional |
| add_comment_if_empty | If selected, add to an empty list the comment "# Empty List". | Optional |
There is no context output for this command.
'EDL will be updated the next time you access it'
Memory issues can occur with the CSV / JSON formats above 150,000 indicators if all fields are selected. Approximate export times:
- 10,000 indicators can take 10 - 20 seconds.
- 100,000 indicators can take 1 - 3 minutes.
- 1,000,000 indicators can take over half an hour. Within 5 minutes (the default timeout of the integration) the integration can export between 200,000 and 400,000 indicators, depending on the load of the server, the existing indicators in the server, and the query used. The NGINX Read Timeout parameter can be set to increase the timeout.