Ingest Data from Prisma Access - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn how to ingest detection data from Prisma Access.

You can forward data from Prisma Access to Cortex XDR. As soon as your Cortex XDR tenant begins receiving detection data, it begins stitching logs with other Palo Alto Networks-generated logs to form stories. Use the XQL Search to query the data.


Ingesting logs from Prisma Access requires a Cortex XDR Pro per GB license.

You can only stream data from firewalls allocated to the same Customer Support Account (CSP) in the same region.

To ingest detection data from Prisma Access.

  1. Select SettingsConfigurationsData CollectionCollection Integrations.

  2. On the Collection Integrations page, select Add Instance to begin a new configuration.


    Cortex XDR does not validate your Prisma Access account credentials. You must ensure the account has been deployed in order for data to stream.

  3. In the Connect Prisma Access dialog box, click Connect to establish the instance.

    Connection can take up to several minutes.

    On the Collection Integrations page, expand Prisma Access to track the status of your instance.

  4. Validate that your data is streaming.

    To ensure the data is streaming into your tenant, using XQL, query by: is_prisma_mobile.

  5. (Optional) Manage your Instance.

    After you create the Prisma Access instance, on the Collection Integrations page, expand the Prisma Access integration to track the connection, or, if you want, to Delete the instance.