Skip to main content

Request Predefined EDL Content

The API Reference information for retrieving the contents contained within a Palo Alto Networks predefined EDL can be found here.

Overview

The Threat Vault API can be used to request the EDL (external dynamic list) based on the specified name, IP address, and version. Consider the following examples:

Keep a few things in mind when formatting your API query:

  1. All the query strings in Get requests must be a URL-Encoded parameter string. If you use a space in the URL-Encoded request, you must include either a plus sign (+) or %20 to replace the space.
  2. You can specify the content type of the request body and response by specifying the Content-Type header. Some responses generate an HTTP response in addition to a JSON object.
  3. Do not embed API keys in code or application source tree files. This can inadvertently expose the API key. Instead, consider storing the API key in environmental variables or files that are excluded from your application source tree files.

Example 1: Request information about the predefined EDL by referencing the name and release version.

This example specifies the predefined EDL Palo Alto Networks High-Risk IP Addresses based on the AV release version of 4024.

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/edl?name=panw-highrisk-ip-list&version=4024'

A successful API call returns, within the contents section, status="success" along with a JSON object containing the predefined EDL IP address entries for version 4024.

    "success": true,
    "link": {
        "next": null,
        "previous": null
    },
    "count": 3476,
    "data": [
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "45.90.59.131"
        },
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "49.12.212.231"
        },
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "51.210.176.76"
        },
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "62.210.13.20"
        },
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "137.184.152.41"
        },
        {
            "version": "4024",
            "name": "panw-highrisk-ip-list",
            "ipaddr": "194.32.107.243"
        }
    ],
    "message": "Successful"
}

Example 2: Request the latest information about the specifed predefined EDL in an array format:

curl -H 'X-API-KEY: API_KEY' 'https://api.threatvault.paloaltonetworks.com/service/v1/edl?name=panw-known-ip-list&version=latest&listformat=array'

A successful API call returns, within the contents section, status="success" along with a JSON object containing the predefined EDL contents.

    "success": true,
    "link": {
        "next": null,
        "previous": null
    },
    "count": 4701,
    "data": {
       "version": "4030",
        "name": "panw-known-ip-list",
        "ipaddr": [
            "45.154.14.235",
            "103.30.246.121",
            "103.75.201.4",
            "103.107.104.19",
            "176.56.128.118"
        ]
    },
    "message": "Successful"
}