Ingest Data from Prisma Access

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-04-18
Category: Administrator Guide
Abstract

Learn how to ingest detection data from Prisma Access.

You can forward data from Prisma Access to Cortex XDR. As soon as your Cortex XDR tenant begins receiving detection data, it begins stitching logs with other Palo Alto Networks-generated logs to form stories. Use the XQL Search to query the data.

Note

Ingesting logs from Prisma Access requires a Cortex XDR Pro per GB license.

You can only stream data from firewalls allocated to the same Customer Support Account (CSP) in the same region.

To ingest detection data from Prisma Access:

  1. Select Settings → Configurations → Data Collection → Collection Integrations.

  2. On the Collection Integrations page, select Add Instance to begin a new configuration.

    Note

    Cortex XDR does not validate your Prisma Access account credentials. You must ensure the account has been deployed in order for data to stream.

  3. In the Connect Prisma Access dialog box, click Connect to establish the instance.

    Connection can take up to several minutes.

    On the Collection Integrations page, expand Prisma Access to track the status of your instance.

  4. Validate that your data is streaming.

    To confirm that data is streaming into your tenant, use XQL Search to query by: is_prisma_mobile.

  5. (Optional) Manage your instance.

    After you create the Prisma Access instance, expand the Prisma Access integration on the Collection Integrations page to track the connection or to Delete the instance.