# Prisma Access MCP

> Prisma Access connects network security audits to any AI agent via MCP. It lets you run complex checks on your entire SASE environment, from auditing security policies (`get_policies`) to checking global PoP connectivity (`get_service_endpoints`). Use it to review threat logs, analyze traffic patterns, and verify which remote users are connected right now.

## Overview
- **Category:** other
- **Price:** Free

## Description

Prisma Access gives your AI agent direct access to your network security data. Forget logging into a dozen different dashboards just to check if everything's running right. This server lets your agent run complex checks across your entire SASE environment, so you can audit policies, track threats, and verify who’s connected—all from one place.

**Auditing Network Policies:** You can use `get_policies` to pull a full list of every security rule Prisma Access enforces. This is critical for compliance audits; it lets you check for any gaps or rules that might be too permissive across your setup.

**Tracking User Status and Connectivity:** Your agent uses `get_users` to pull a current list of all remote users connected to the system, helping you audit access immediately or spot inactive accounts. To monitor how those connections are actually performing, it calls `get_tunnels`, which lists all active SD-WAN and network tunnels, so you can check connectivity status or diagnose a tunnel that just dropped.

**Mapping Network Topology:** If you need to know where your users are operating from, the agent runs `get_locations`. This tool lists mobile user locations and remote networks, giving you an instant map of your current network footprint for routing troubleshooting or general topology review.

**Monitoring Traffic Flow:** To figure out why someone can't access a resource or just analyze how much bandwidth people are using, the agent runs `get_traffic_logs`. This retrieves detailed network traffic logs so you can analyze usage patterns or debug specific access issues quickly.

**Investigating Threats and Service Health:** When something goes wrong, your agent goes straight to the data. It calls `get_threat_logs` to pull recent threat detection records. These logs give you the severity of each detection, the details of the attack, and the action Prisma Access actually took against it. For regional reach checks, the agent uses `get_service_endpoints`, which lists all global service endpoints (PoPs) available through Prisma Access, confirming your regional connectivity options across the board.

**Comprehensive Data Retrieval:** You can also use `get_policies` for a comprehensive view of enforcement rules and `get_service_endpoints` to verify that all global points of presence are active. It’s designed so your agent doesn't have to jump between tools; it pulls everything together.

This setup gives your AI client the raw data—the policies, the logs, the connections—so you don't have to waste time clicking around in a dozen different web consoles. You just tell it what you need, and it gets the facts.

## Tools

### get_locations
Lists mobile user locations and remote networks for topology review or routing troubleshooting.

### get_policies
Retrieves a list of all security policies enforced in Prisma Access, useful for auditing SASE compliance.

### get_service_endpoints
Lists the global service endpoints (PoPs) available through Prisma Access to check regional connectivity.

### get_threat_logs
Pulls recent threat detection logs, including severity and action taken, for investigating specific attacks.

### get_traffic_logs
Retrieves network traffic logs to help analyze usage patterns or debug access issues quickly.

### get_tunnels
Lists active SD-WAN and network tunnels, helping monitor connectivity status or diagnose tunnel drops.

### get_users
Lists all remote users connected to Prisma Access for auditing access or identifying inactive accounts.

## Capabilities

### Audit Network Policies
Lists all security policies currently enforced by Prisma Access, letting you check for compliance gaps.

### Retrieve Threat Logs
Pulls recent threat detection data. You get the severity, details of the attack, and what action was taken against it.

### Monitor Network Flow
Gets network traffic logs to analyze usage patterns or debug why certain users can't access resources.

### Verify Global Connectivity
Lists Prisma Access service endpoints (PoPs), confirming regional reach and connectivity options.

### Review Network Topology
Lists mobile user locations and remote networks, giving you a map of your current network footprint.

### Track User Status
Retrieves a list of all remote users currently connected to the Prisma Access system.

## Use Cases

### Investigating a suspected data breach
A security engineer gets an alert about unusual activity. They ask their agent to run `get_threat_logs` and then cross-reference the timestamps with `get_traffic_logs`. The agent finds suspicious outbound traffic patterns linked to specific user IDs, narrowing down the scope of the breach instantly.

### Verifying compliance for a new region
A network architect needs to connect an office in a new country. They run `get_service_endpoints` first to confirm local PoP availability, then use `get_policies` to ensure the existing corporate security rules will apply correctly to that endpoint.

### Debugging intermittent VPN drops
A field team reports constant tunnel disconnects. The agent runs `get_tunnels` and sees multiple flapping links. They then check `get_users` to see if a sudden spike in connected users correlates with the tunnel instability, pointing to potential capacity issues.

### Onboarding an executive account
A compliance officer needs to confirm the new exec's access is minimal. They run `get_policies` to review all rules and then use `get_users` to ensure only their specific credentials are logged as active, preventing over-privileging.

## Benefits

- See who’s connected right now: Use `get_users` to instantly list all remote clients. This is faster than checking the VPN console, especially during an incident.
- Verify global coverage: Run `get_service_endpoints` to confirm if a new region has available PoPs before deployment. You can't plan without knowing your physical reach.
- Deep dive into attacks: Combine `get_threat_logs` with `get_policies`. The agent shows you not just *what* happened, but whether the action violated an existing rule.
- Debug connectivity quickly: If users complain about slowness, run `get_traffic_logs` and then check `get_tunnels` to see if the flow is blocked or failing at the tunnel level. It saves hours of manual troubleshooting.
- Audit network shape: Use `get_locations` to map out your entire remote footprint in minutes. This helps you identify any unexpected, unauthorized endpoints accessing your resources.

## How It Works

The bottom line is: instead of running three different scripts or checking three separate dashboards, your agent runs all necessary network and security checks using one prompt.

1. Tell your AI client what you need: 'Check for suspicious activity on user accounts.'
2. The agent recognizes this is a networking task and invokes `get_threat_logs` and `get_users` in sequence.
3. Your client receives structured data containing the list of active users alongside recent threat detections, allowing you to review anomalies immediately.

## Frequently Asked Questions

**How do I check if an old user account is still active using get_users?**
Run `get_users` and filter the results by last login date. This tool lists all connected remote users, so you can quickly identify accounts that haven't logged in recently or are flagged as inactive.

**Can I check if my security policies are blocking a specific type of traffic?**
Yes. First, use `get_policies` to list the rules. Then, you can compare those policies against what is being captured in your network flow data via `get_traffic_logs` to find potential gaps.

**What should I check if users complain about slow connections?**
Check connectivity in steps: 1) Run `get_tunnels` for tunnel status. 2) Check `get_service_endpoints` to validate local PoP health. 3) Review `get_traffic_logs` to see if bandwidth is maxed out.

**How do I check for a recent breach event?**
The quickest way is to run `get_threat_logs`. This tool pulls the most critical data, including severity and attack details. If a log entry references a user ID, run `get_users` to see which user owned that connection.

**How can I use get_locations to map out our remote network topology?**
This tool lists mobile user locations and remote networks. You get a clear view of every connected endpoint, letting you audit your overall coverage area and understand where users are physically connecting from.

**What should I check with the get_tunnels tool if we suspect intermittent network drops?**
It lists all active SD-WAN and network tunnels. You can monitor connectivity status here, verifying tunnel links and identifying exactly which connections are dropping or showing instability.

**How do I use get_service_endpoints to verify our PoP list for DNS routing?**
This tool lists all Prisma Access service endpoints (PoPs). You confirm the physical locations and services available, which is necessary for setting up optimal regional connectivity and verifying DNS records.

**If a user reports an access issue, how does running get_traffic_logs help me debug the connection?**
It retrieves recent network traffic logs. You analyze this data to pinpoint specific usage patterns or determine exactly at which point the connection is failing.