Skip to main content

Prisma SASE - Create a security pre-rule for EDL

This Playbook is part of the Prisma SASE by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook helps to create a security rule to block indicators from an EDL. This playbook should run only once to setup the EDL object and its rule.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Prisma SASE - Create or Edit EDL object
  • Prisma SASE - Create or Edit Security Policy Rule


  • PrismaSASE


This playbook does not use any scripts.


  • prisma-sase-external-dynamic-list-list
  • prisma-sase-candidate-config-push

Playbook Inputs#

NameDescriptionDefault ValueRequired
TSGIDTenant services group ID. If not provided, the tsg_id integration parameter will be used as the default.Optional
FolderThe configuration folder group setting.
The default value is 'Shared'.
URLThe source URL. If the type is ip, url or domain, a value must be provided.Optional
EDLObjectNameThe external dynamic list object name.Optional
RuleNameThe Security Policy Rule name will be created for blocking the indicators.Block Indicators using EDL - XSOAR incident #${}Optional
EDLObjectTypePossible values:
AutoCommitPossible Values:
True -> Will commit and push configuration.
False -> Manual push will be required.
Else --> Will ignore the push section and continue the playbook.

Playbook Outputs#

PrismaSase.CandidateConfigConfiguration job object.unknown
PrismaSase.CandidateConfig.job_idConfiguration job ID.unknown
PrismaSase.CandidateConfig.resultThe configuration push result, e.g. OK, FAIL.unknown
PrismaSase.CandidateConfig.detailsThe configuration push details.unknown
PrismaSase.ExternalDynamicListThe external dynamic list object.unknown
PrismaSase.ExternalDynamicList.idThe external dynamic list ID.unknown
PrismaSase.ExternalDynamicList.nameThe external dynamic list name.unknown
PrismaSase.ExternalDynamicList.folderThe external dynamic list folder.unknown
PrismaSase.ExternalDynamicList.descriptionThe external dynamic list description.unknown
PrismaSase.ExternalDynamicList.typeThe external dynamic list type.unknown
PrismaSase.ExternalDynamicList.sourceThe external dynamic list source.unknown
PrismaSase.ExternalDynamicList.frequencyThe external dynamic list frequency.unknown
PrismaSaseThe root context key for Prisma SASE integration output.unknown
PrismaSase.SecurityRuleFound security rule.unknown
PrismaSase.SecurityRule.actionSecurity rule action.unknown
PrismaSase.SecurityRule.applicationSecurity rule application.unknown
PrismaSase.SecurityRule.categorySecurity rule category.unknown
PrismaSase.SecurityRule.descriptionSecurity rule description.unknown
PrismaSase.SecurityRule.destinationSecurity rule destination.unknown
PrismaSase.SecurityRule.folderSecurity rule folder.unknown
PrismaSase.SecurityRule.fromSecurity rule from field (source zone(s)).unknown
PrismaSase.SecurityRule.idSecurity rule ID.unknown
PrismaSase.SecurityRule.log_settingSecurity rule log setting.unknown
PrismaSase.SecurityRule.nameSecurity rule name.unknown
PrismaSase.SecurityRule.positionSecurity rule position.unknown
PrismaSase.SecurityRule.serviceSecurity rule service.unknown
PrismaSase.SecurityRule.sourceSecurity rule source.unknown
PrismaSase.SecurityRule.source_userSecurity rule source user.unknown
PrismaSase.SecurityRule.toSecurity rule to field (destination zone(s)).unknown
PrismaSase.SecurityRule.negate_destinationSecurity rule negate destination.unknown
PrismaSase.SecurityRule.profile_settingThe Security rule group object in the rule.unknown
PrismaSase.SecurityRule.profile_setting.groupSecurity rule group.unknown

Playbook Image#

Prisma SASE - Create a security pre-rule for EDL