You can forward data from Prisma Access. As soon as Cortex XDR begins receiving detection data, the console begins stitching logs with other Palo Alto Network-generated logs to form stories. Use the XQL Search to query the data.
Existing integrations should be migrated to the Cortex Native Data Lake. Make sure you select all your devices to connect directly to Cortex XDR. Integrations not migrated manually will be migrated automatically 2 weeks before the end of the contract with Cortex Data Lake.
Note
Ingesting logs from Prisma Access requires a Cortex XDR Pro per GB license.
You can only stream data from firewalls allocated to the same Customer Support Account (CSP) in the same region.
To ingest detection data from Prisma Access.
Select → → → .
In the Collection Integrations page, select Add Instance to begin a new configuration.
Select your Prisma Access device.
A list of all available devices to choose from is displayed. All firewalls managed by the Prisma Access account will stream data to your tenant.
Devices already connected are listed at the end. A device may be connected via Cortex Data Lake (CDL) or the Cortex XDR console. Depending on the type of connection, you can rectify any streaming issues that may arise.
Note
Cortex XDR does not validate your Prisma Access account credentials, you must ensure the account has been deployed in order for data to stream.
Connect to establish the instance.
Connection can take up to several minutes.
In the Collection Integrations page, expand Prisma Access to track the status of your instance.
Validate that your data is streaming.
To ensure the data is streaming into your tenant, run the XQL Query: dataset = panw_ngfw_system_raw| filter log_source_id = "[prisma access device SN]".
(Optional) Manage your Instance.
After you create the Prisma Access instance, in the Collection Integrations page, expand the Prisma Access to track the connection, or, if you want, to Delete the instance.