Palo Alto Prisma Access
Collect Prisma Access logs from an Amazon S3 bucket via the Strata Logging Service. RunReveal ingests these logs from object storage — this source is not an API-polling integration, so there is no Palo Alto API endpoint or GovCloud API URL to configure. Government and regulated deployments are handled at the storage and AWS account layer instead.

Prerequisites
Before connecting Palo Alto Prisma Access to RunReveal, you need:
- A Prisma Access tenant with the Strata Logging Service configured to forward logs to an Amazon S3 bucket.
- An AWS account with an S3 bucket to receive the logs, and permission to configure bucket event notifications.
Access
This source does not use Palo Alto API credentials. RunReveal reads logs from your S3 bucket using the object-storage ingest you configure:
- Configure the Strata Logging Service to write Prisma Access logs into your S3 bucket.
- Grant RunReveal access to the bucket via the AWS S3 Bucket or AWS S3 Bucket with Custom SQS ingest method.
Infrastructure
RunReveal offers the following ways to ingest Palo Alto Prisma Access logs:
If using an AWS S3 bucket, send your bucket notifications to the following SNS topic ARN:
arn:aws:sns:<REGION>:253602268883:runreveal_prisma_access
Replace <REGION> with the AWS region where your S3 bucket is located (for example us-east-1, us-west-2 or eu-west-1).
SNS topic & Custom SQS. Use the ARN above in the event notification attached to your S3 bucket. The topic name must match exactly: it is runreveal_ followed by the source id with every hyphen replaced by an underscore, which for this source gives runreveal_prisma_access. For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their own AWS account ID in the ARN instead of 253602268883. AWS GovCloud buckets (regions us-gov-west-1 and us-gov-east-1) use the aws-us-gov ARN partition, for example arn:aws-us-gov:sns:us-gov-west-1:<ACCOUNT_ID>:runreveal_prisma_access.
Setup
- In Prisma Access, configure the Strata Logging Service to forward logs to your Amazon S3 bucket.
- In AWS, add an event notification on the bucket that publishes to the SNS topic ARN from the Infrastructure section, using the ARN for your bucket's region.
- In RunReveal, add the Palo Alto Prisma Access source and choose your ingest method (AWS S3 Bucket or AWS S3 Bucket with Custom SQS).
- Save the source. Logs begin flowing once the Strata Logging Service delivers objects to the bucket and the bucket notifications reach RunReveal.
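The steps above hinge on one value that is easy to get subtly wrong: the SNS topic ARN must carry the bucket's region, the right partition (aws versus aws-us-gov) and the underscore-normalized topic name. The following is an added example, not RunReveal's own tooling, that derives the ARN from those rules, builds the bucket NotificationConfiguration document that boto3's put_bucket_notification_configuration accepts, and runs a few checks a practitioner would want before saving the source. The source id prisma-access and the object-key prefix prisma/ are assumptions; the account id 253602268883 and the GovCloud regions are the values the page gives.

```python
"""Derive the RunReveal SNS topic ARN for the Prisma Access source and build the
S3 event-notification configuration that points a bucket at it.

Added example, not RunReveal's code. The ARN layout follows the page:
runreveal_<source id with hyphens -> underscores>, account 253602268883 for
RunReveal-hosted tenants, and the aws-us-gov partition for GovCloud regions.
"""
from __future__ import annotations

import json

# RunReveal-hosted account from the page; BYOC / On-Prem / BYODB use their own id.
RUNREVEAL_ACCOUNT_ID = "253602268883"
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
DEFAULT_SOURCE_ID = "prisma-access"  # assumed source id; yields runreveal_prisma_access


def topic_name(source_id: str) -> str:
    """Topic naming rule from the page: 'runreveal_' + source id, hyphens become underscores."""
    return "runreveal_" + source_id.replace("-", "_")


def partition_for(region: str) -> str:
    """GovCloud regions live in the aws-us-gov partition; everything else in aws."""
    return "aws-us-gov" if region in GOVCLOUD_REGIONS else "aws"


def sns_topic_arn(region: str, source_id: str = DEFAULT_SOURCE_ID,
                  account_id: str = RUNREVEAL_ACCOUNT_ID) -> str:
    return f"arn:{partition_for(region)}:sns:{region}:{account_id}:{topic_name(source_id)}"


def notification_configuration(region: str, prefix: str = "",
                               source_id: str = DEFAULT_SOURCE_ID,
                               account_id: str = RUNREVEAL_ACCOUNT_ID) -> dict:
    """NotificationConfiguration in the shape boto3's
    s3.put_bucket_notification_configuration expects. Only object-creation
    events are needed: RunReveal reads each new object the Strata Logging
    Service writes."""
    topic_config: dict = {
        "Id": f"{topic_name(source_id)}-object-created",
        "TopicArn": sns_topic_arn(region, source_id, account_id),
        "Events": ["s3:ObjectCreated:*"],
    }
    if prefix:  # limit notifications to the key prefix the logging service writes under
        topic_config["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"TopicConfigurations": [topic_config]}


def check_topic_arn(arn: str, bucket_region: str) -> list[str]:
    """Pre-save checks: region matches the bucket, partition matches the region,
    topic name follows the runreveal_<source> convention. Returns the problems found."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sns":
        return ["not an SNS ARN"]
    partition, region, name = parts[1], parts[3], parts[5]
    problems: list[str] = []
    if region != bucket_region:
        problems.append(f"topic region {region} does not match bucket region {bucket_region}")
    if partition != partition_for(bucket_region):
        problems.append(f"partition {partition} is wrong for region {bucket_region}")
    if not name.startswith("runreveal_") or "-" in name:
        problems.append(f"topic name {name} does not follow the runreveal_<source> convention")
    return problems


if __name__ == "__main__":
    # Example for a commercial-region bucket; pass the dict to
    # boto3.client("s3").put_bucket_notification_configuration(Bucket=..., NotificationConfiguration=cfg)
    cfg = notification_configuration("us-east-1", prefix="prisma/")
    print(json.dumps(cfg, indent=2))
    print("problems:", check_topic_arn(cfg["TopicConfigurations"][0]["TopicArn"], "us-east-1"))
```

For a GovCloud bucket, pass the GovCloud region and your own account id; the partition switches to aws-us-gov automatically, which is the case the Note in the Infrastructure section calls out.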
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: prisma_access_logs (67 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| logType | String |
| subtype | String |
| application | String |
| action | String |
| sourceAddress | String |
| sourcePort | UInt32 |
| destinationAddress | String |
| destinationPort | UInt32 |
| protocol | String |
| rule | String |
| sourceUser | String |
| destinationUser | String |
| natSource | String |
| natDestination | String |
| natSourcePort | UInt32 |
| natDestinationPort | UInt32 |
| fromZone | String |
| toZone | String |
| inboundInterface | String |
| outboundInterface | String |
| sessionID | UInt64 |
| bytesSent | UInt64 |
| bytesReceived | UInt64 |
| bytes | UInt64 |
| packetsSent | UInt64 |
| packetsReceived | UInt64 |
| sessionDuration | UInt64 |
| sessionEndReason | String |
| urlCategory | String |
| deviceName | String |
| deviceSN | String |
Table: prisma_access_traffic_logs (61 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| application | String |
| action | String |
| sourceAddress | String |
| sourcePort | UInt32 |
| destinationAddress | String |
| destinationPort | UInt32 |
| protocol | String |
| rule | String |
| sourceUser | String |
| natSource | String |
| natDestination | String |
| natSourcePort | UInt32 |
| natDestinationPort | UInt32 |
| fromZone | String |
| toZone | String |
| sessionID | UInt64 |
| bytesSent | UInt64 |
| bytesReceived | UInt64 |
| bytes | UInt64 |
| packetsSent | UInt64 |
| packetsReceived | UInt64 |
| sessionDuration | UInt64 |
| sessionEndReason | String |
| urlCategory | String |
| deviceName | String |
Table: prisma_access_threat_logs (53 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| application | String |
| action | String |
| sourceAddress | String |
| sourcePort | UInt32 |
| destinationAddress | String |
| destinationPort | UInt32 |
| protocol | String |
| rule | String |
| sourceUser | String |
| threatID | String |
| vendorSeverity | String |
| threatCategory | String |
| directionOfAttack | String |
| fromZone | String |
| toZone | String |
| sessionID | UInt64 |
| deviceName | String |
Table: prisma_access_url_logs (54 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| application | String |
| action | String |
| sourceAddress | String |
| sourcePort | UInt32 |
| destinationAddress | String |
| destinationPort | UInt32 |
| protocol | String |
| rule | String |
| sourceUser | String |
| url | String |
| urlCategory | String |
| vendorSeverity | String |
| httpMethod | String |
| userAgent | String |
| fromZone | String |
| toZone | String |
| sessionID | UInt64 |
| deviceName | String |
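Because the threat and URL tables share the normalized sessionID, sourceUser and sourceAddress columns, a detection can attach the URL, HTTP method and user agent seen in a session to the threat verdict for that same session. The following is an added example, not RunReveal's detection code: it runs that correlation over constructed sample rows shaped like prisma_access_threat_logs and prisma_access_url_logs, keeps only threats at or above a chosen severity, and flags the ones the policy did not block. The severity strings and every row value are constructed assumptions; the column names are the ones from the tables above.

```python
"""Correlate Prisma Access threat hits with the URL request from the same session.

Added example, not RunReveal's own detection logic. Rows below are constructed
samples using the normalized column names of prisma_access_threat_logs and
prisma_access_url_logs; severity labels are assumed, not taken from the page.
"""
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed sample rows; only the columns the logic reads are populated.
THREAT_ROWS = [
    {"sessionID": 1001, "sourceUser": "alice", "sourceAddress": "10.0.0.5",
     "destinationAddress": "203.0.113.10", "threatID": "CONSTRUCTED-1",
     "vendorSeverity": "critical", "threatCategory": "malware", "action": "alert"},
    {"sessionID": 1002, "sourceUser": "bob", "sourceAddress": "10.0.0.9",
     "destinationAddress": "203.0.113.20", "threatID": "CONSTRUCTED-2",
     "vendorSeverity": "low", "threatCategory": "scan", "action": "block"},
    {"sessionID": 1003, "sourceUser": "alice", "sourceAddress": "10.0.0.5",
     "destinationAddress": "198.51.100.7", "threatID": "CONSTRUCTED-3",
     "vendorSeverity": "high", "threatCategory": "spyware", "action": "block"},
]
URL_ROWS = [
    {"sessionID": 1001, "url": "203.0.113.10/update.bin", "httpMethod": "GET",
     "userAgent": "curl/8.0", "urlCategory": "malware"},
    {"sessionID": 1003, "url": "example.test/login", "httpMethod": "POST",
     "userAgent": "Mozilla/5.0", "urlCategory": "unknown"},
]

# Assumed ordering of vendorSeverity values; unknown labels rank below informational.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def correlate(threats: list[dict], urls: list[dict], min_severity: str = "high") -> list[dict]:
    """Join threat rows to URL rows on sessionID, keep threats at or above
    min_severity, and order the result so unblocked, most severe hits come first."""
    urls_by_session: dict[int, list[dict]] = defaultdict(list)
    for u in urls:
        urls_by_session[u["sessionID"]].append(u)

    threshold = SEVERITY_RANK[min_severity.lower()]
    findings: list[dict] = []
    for t in threats:
        rank = SEVERITY_RANK.get(str(t["vendorSeverity"]).lower(), -1)
        if rank < threshold:
            continue
        # A threat with no URL row is still a finding; the URL fields stay None.
        for u in urls_by_session.get(t["sessionID"], [None]):
            findings.append({
                "sessionID": t["sessionID"],
                "sourceUser": t["sourceUser"],
                "sourceAddress": t["sourceAddress"],
                "destinationAddress": t["destinationAddress"],
                "threatID": t["threatID"],
                "vendorSeverity": t["vendorSeverity"],
                "threatCategory": t["threatCategory"],
                "allowed": str(t["action"]).lower() != "block",
                "url": u["url"] if u else None,
                "httpMethod": u["httpMethod"] if u else None,
                "userAgent": u["userAgent"] if u else None,
                "_rank": rank,
            })
    findings.sort(key=lambda f: (not f["allowed"], -f["_rank"]))
    for f in findings:
        del f["_rank"]
    return findings


def hits_per_user(findings: list[dict]) -> dict[str, int]:
    """Count findings by sourceUser, a cheap way to spot a repeatedly hit account."""
    return dict(Counter(f["sourceUser"] for f in findings))


if __name__ == "__main__":
    for f in correlate(THREAT_ROWS, URL_ROWS):
        state = "ALLOWED" if f["allowed"] else "blocked"
        print(f"{f['vendorSeverity']:8} {state:8} {f['sourceUser']:6} "
              f"session {f['sessionID']} {f['httpMethod']} {f['url']} ({f['userAgent']})")
    print(hits_per_user(correlate(THREAT_ROWS, URL_ROWS)))
```

The same join expressed against the tables would be a query on prisma_access_threat_logs and prisma_access_url_logs keyed on sessionID; the point of the normalized schema is that the column names in that query do not change when the same logic is reused for another source that carries a session identifier.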
Table: prisma_access_dns_logs (46 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| action | String |
| sourceAddress | String |
| dnsCategory | String |
| dnsResolverIP | String |
| recordType | String |
| threatID | String |
| threatName | String |
| fromZone | String |
| toZone | String |
| deviceSN | String |
Table: prisma_access_userid_logs (42 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| user | String |
| sourceIP | String |
| mappingDataSource | String |
| mappingDataSourceType | String |
| deviceName | String |
| authCompletionTime | String |
Table: prisma_access_hipmatch_logs (45 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| sourceUser | String |
| sourceIP | String |
| endpointDeviceName | String |
| endpointOSType | String |
| hipMatchName | String |
| hipMatchType | String |
| hostID | String |
| endpointSerialNumber | String |
| deviceName | String |
Table: prisma_access_audit_logs (40 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| logSource | String |
| eventDetails | String |
| eventResult | String |
| tsgID | String |
Table: prisma_access_config_logs (43 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| eventName_config | String |
| adminUsername | String |
| client | String |
| eventResult | String |
| eventPath | String |
| ipAddress | String |
| logSourceName | String |
Table: prisma_access_system_logs (40 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| eventDescription | String |
| eventComponent | String |
| vendorSeverity | String |
| logSourceName | String |
Helpful Links
- AWS S3 Bucket ingest — Set up object-storage ingest with a RunReveal-managed SNS topic
- AWS S3 Bucket with Custom SQS — Use your own SQS queue for bucket notifications
- Bring Your Own Cloud (BYOC) — Deploy RunReveal in your own AWS account