Learn how to ingest detection data from Prisma Access.
You can forward data from Prisma Access to Cortex XSIAM. When your Cortex XSIAM tenant begins receiving detection data, it begins stitching logs with other Palo Alto Networks-generated logs to form stories. Use the XQL Search to query the data.
Collection of data from multiple accounts is supported. Super User permissions on both the Cortex XSIAM tenant accounts and the Prisma Access accounts are required for this use case.
Danger
Configuration of data ingestion from multiple accounts requires Super User permissions in both Cortex XSIAM tenant and Prisma Access accounts.
To ingest detection data from Prisma Access:
Select
→ .On the Data Sources page, click Add Data Source, search for and select Prisma Access, and click Connect.
Note
Cortex XSIAM does not validate your Prisma Access account credentials. You must ensure the account has been deployed in order for data to stream.
In the Connect Prisma Access dialog box, you can choose to connect Prisma Access to this account or other accounts:
To connect Prisma Access to this account, click Connect.
To connect Prisma Access to other accounts, click Connect Prisma Access from other accounts and select the account from the accounts listed. Click Connect.
Connection can take up to several minutes.
On the Data Sources page, expand Prisma Access to track the status of your instance.
Validate that your data is streaming.
To ensure the data is streaming into your tenant, using XQL, query by:
is_prisma_mobile
.(Optional) Manage your Instance.
After you create the Prisma Access instance, on the Data Sources page, expand the Prisma Access integration to track the connection, or, if you want, to Delete the instance.