Ingest Data from Prisma Access - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-02-26
Last date published
2024-04-14
Category
Administrator Guide
Abstract

Learn how to ingest detection data from Prisma Access.

You can forward data from Prisma Access to Cortex XDR. As soon as your Cortex XDR tenant begins receiving detection data, it begins stitching logs with other Palo Alto Networks-generated logs to form stories. Use the XQL Search to query the data.

Note

Ingesting logs from Prisma Access requires a Cortex XDR Pro per GB license.

You can only stream data from firewalls allocated to the same Customer Support Account (CSP) in the same region.

To ingest detection data from Prisma Access.

  1. Select SettingsConfigurationsData CollectionCollection Integrations.

  2. On the Collection Integrations page, select Add Instance to begin a new configuration.

    Note

    Cortex XDR does not validate your Prisma Access account credentials. You must ensure the account has been deployed in order for data to stream.

  3. In the Connect Prisma Access dialog box, click Connect to establish the instance.

    Connection can take up to several minutes.

    On the Collection Integrations page, expand Prisma Access to track the status of your instance.

  4. Validate that your data is streaming.

    To ensure the data is streaming into your tenant, using XQL, query by: is_prisma_mobile.

  5. (Optional) Manage your Instance.

    After you create the Prisma Access instance, on the Collection Integrations page, expand the Prisma Access integration to track the connection, or, if you want, to Delete the instance.