
Palo Alto Prisma Access Integration Guide🔗

Palo Alto Networks' Prisma Access is a cloud-delivered security platform designed to provide secure access to applications and data for users, regardless of their location. Secureworks® Taegis™ XDR ingests Prisma Access logs from the Palo Alto Strata Logging Service (previously called Cortex Data Lake) using the HTTP Ingest transport method.

The following instructions are for configuring the Palo Alto Prisma Access integration to facilitate log ingestion into XDR.

Data Provided from Integration🔗

The following Prisma Access log types are supported by XDR in JSON format:

  • GlobalProtect
  • System (GlobalProtect subtype)
  • System (auth subtype)
  • Threat (not URL subtype)
  • Threat (URL subtype)
  • Traffic (deny subtype)
  • Traffic (drop subtype)
  • Userid


|                          | Normalized Data     | Out-of-the-Box Detections | Vendor-Specific Detections |
|--------------------------|---------------------|---------------------------|----------------------------|
| Palo Alto Prisma Access  | Auth, HTTP, Netflow | NIDS                      |                            |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Create the HTTP Ingest integration in XDR🔗

  1. Follow the steps to create the HTTP Ingest integration.

Important

Save the Integration Key and URL in a secure place. The Integration Key is the credential that authorizes log submission to this integration, so treat it like any other secret.

Configure Palo Alto Prisma Access🔗

Refer to the vendor's documentation to configure the Strata Logging Service to forward Prisma Access logs to XDR.

  1. Select Exabeam Authorization as the Client Authorization Type.

  2. Copy the Integration Key generated in the previous section to the ACCESS TOKEN field.

  3. Create a Log Forwarding HTTPS Profile that specifies the log types to send to XDR. Use the log types and subtypes listed under Data Provided from Integration above; other log types are not parsed by XDR.
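The following is an added example, not code from the Secureworks or Palo Alto Networks documentation. It ties the "Data Provided from Integration" list to the forwarding step above: a filter that keeps only the Prisma Access log type and subtype combinations this page says XDR parses, applied to constructed Strata Logging Service style JSON records, followed by construction of the HTTP request that would carry them to the HTTP Ingest URL. Everything not on the page is an assumption: the `log_type` and `sub_type` field names, the placeholder URL and Integration Key, sending the key as a bearer token in the `Authorization` header, and newline-delimited JSON as the body format. Check the HTTP Ingest integration's own instructions for the real header and body format before using this against a live endpoint.

```python
"""Added example: filter Prisma Access records to the log types XDR
supports, then build the HTTP Ingest request for the survivors.

Assumptions (not from the page): field names `log_type`/`sub_type`,
bearer-token Authorization header, NDJSON body, placeholder URL/key.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Set

# Supported (log_type -> allowed sub_types) from "Data Provided from
# Integration". None means every subtype of that log type is accepted:
# Threat is listed twice (URL subtype and not-URL subtype), which
# together cover all Threat subtypes.
SUPPORTED: Dict[str, Optional[Set[str]]] = {
    "globalprotect": None,
    "system": {"globalprotect", "auth"},
    "threat": None,
    "traffic": {"deny", "drop"},
    "userid": None,
}


def is_supported(record: dict) -> bool:
    """Return True if the record's log type/subtype pair is one XDR parses."""
    # Field names `log_type` and `sub_type` are assumed; comparison is
    # case-insensitive so "Traffic"/"DROP" variants are not silently dropped.
    log_type = str(record.get("log_type", "")).lower()
    sub_type = str(record.get("sub_type", "")).lower()
    if log_type not in SUPPORTED:
        return False
    allowed = SUPPORTED[log_type]
    return allowed is None or sub_type in allowed


def filter_records(records: List[dict]) -> List[dict]:
    """Keep only records that XDR would normalize or detect on."""
    return [r for r in records if is_supported(r)]


def build_ingest_request(url: str, integration_key: str,
                         records: List[dict]) -> urllib.request.Request:
    """Build (but do not send) the POST carrying the records to HTTP Ingest.

    Bearer-token Authorization and NDJSON body are assumptions, not the
    documented HTTP Ingest format.
    """
    body = "\n".join(json.dumps(r, separators=(",", ":")) for r in records)
    return urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {integration_key}",
        },
    )


# Constructed sample records: realistic shape, entirely made up values.
SAMPLE_RECORDS: List[dict] = [
    {"log_type": "traffic", "sub_type": "drop", "src": "10.1.2.3",
     "dst": "198.51.100.7", "dport": 445, "action": "drop"},
    {"log_type": "traffic", "sub_type": "end", "src": "10.1.2.3",
     "dst": "203.0.113.9", "dport": 443, "action": "allow"},      # not supported
    {"log_type": "threat", "sub_type": "url", "src": "10.1.2.4",
     "url": "http://malware.example/payload", "action": "block-url"},
    {"log_type": "threat", "sub_type": "vulnerability", "src": "192.0.2.5",
     "threat_name": "constructed-signature", "action": "reset-both"},
    {"log_type": "system", "sub_type": "auth", "user": "jdoe",
     "message": "authentication failed"},
    {"log_type": "system", "sub_type": "general", "message": "commit ok"},  # not supported
    {"log_type": "globalprotect", "sub_type": "globalprotect",
     "user": "jdoe", "event": "gateway-login"},
    {"log_type": "userid", "sub_type": "login", "user": "jdoe",
     "src": "10.1.2.4"},
    {"log_type": "config", "sub_type": "", "cmd": "set"},                   # not supported
]


def main() -> None:
    kept = filter_records(SAMPLE_RECORDS)
    req = build_ingest_request("https://ingest.example.invalid/v1",
                               "INTEGRATION-KEY-PLACEHOLDER", kept)
    print(f"{len(kept)} of {len(SAMPLE_RECORDS)} records would be forwarded")
    print(req.get_method(), req.full_url, f"{len(req.data)} bytes")


if __name__ == "__main__":
    main()
```

Six of the nine constructed records pass: the allowed Traffic session end, the general System event and the Config record are excluded, mirroring what the Log Forwarding HTTPS Profile's filters should select. Running the filter on your own side is useful for sizing the feed before you turn forwarding on, since the profile will otherwise send everything you select whether or not XDR parses it.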