Prisma AIRS
Setup AI Agent Discovery
Learn how to set up and configure AI Agent Discovery.
To configure AI Agent Discovery, the primary requirement is to set up the
necessary permissions and roles in your AWS and Azure accounts for the discovery
system to access agent configurations and logs. The initial setup also includes
enabling log forwarding for runtime monitoring. After setting up permissions, you
can onboard AI agents. There are a few key points to consider:
- For new accounts, you'll need to onboard a cloud account if one is not present in the tenant.
- For existing accounts in an enabled state, you need to re-apply the Terraform to provide AI Agent Discovery access for existing onboarded accounts. This process updates the inline discovery permissions.
- For existing accounts in a disabled state (that is, cloud accounts that are disabled), attempts to re-enable the account result in failed validation. To resolve this issue, download the onboarding Terraform before enabling the account again.
These issues apply to both AWS and Azure accounts.
Setup AWS Bedrock
The goal when setting up AWS Bedrock is to enable AI Agent Discovery to inventory
agents and access invocation logs. There are two primary steps for setting up AI
Agent Discovery in an AWS Bedrock environment:
- Set the appropriate permissions. You’ll need to grant an IAM Role to the discovery account with the permissions required to list and read agent configurations and related resources.
- Set up runtime logging. You need to enable Bedrock Log forwarding to an S3 bucket to capture runtime interactions. This setup provides the logs necessary to parse Agent to Model, Agent to Tool, Agent to Knowledge Base, and Agent to Agent interactions.
To set up AWS Bedrock, you'll need to perform the tasks noted in the AWS Cloud Account Prerequisites page.
Specifically:
- Create an AWS S3 Bucket.
- Ensure that Model Invocation Logging is set up. Refer to Step 5 for using the AWS Bedrock Console to manage model permissions and enable model access.
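One way to confirm the runtime logging step above, as an added example that is not part of the Prisma AIRS documentation: the check takes a response in the shape returned by the Bedrock GetModelInvocationLoggingConfiguration API and reports whether logs are delivered to an S3 bucket. The function names, sample bucket names and the text-delivery warning are assumptions made for this example.

```python
# Added example: offline check of a Bedrock model invocation logging config.
# The dicts follow the response shape of the Bedrock API call
# GetModelInvocationLoggingConfiguration; all names below are constructed.

SAMPLE_S3 = {"loggingConfig": {
    "s3Config": {"bucketName": "example-bedrock-logs", "keyPrefix": "invocations/"},
    "textDataDeliveryEnabled": True}}
SAMPLE_CLOUDWATCH_ONLY = {"loggingConfig": {
    "cloudWatchConfig": {"logGroupName": "/example/bedrock",
                         "roleArn": "arn:aws:iam::111122223333:role/example"},
    "textDataDeliveryEnabled": True}}
SAMPLE_NOT_CONFIGURED = {}  # logging was never enabled in this region


def check_invocation_logging(response, expected_bucket=None):
    """Return a list of findings; an empty list means the check passed."""
    cfg = response.get("loggingConfig")
    if not cfg:
        return ["FAIL: model invocation logging is not enabled"]
    findings = []
    bucket = (cfg.get("s3Config") or {}).get("bucketName")
    if not bucket:
        findings.append("FAIL: no S3 destination configured")
    elif expected_bucket and bucket != expected_bucket:
        findings.append(f"FAIL: logs go to {bucket}, expected {expected_bucket}")
    # Assumption: prompt/response text is needed to parse agent interactions.
    if not cfg.get("textDataDeliveryEnabled", False):
        findings.append("WARN: text data delivery is disabled")
    return findings


def fetch_live(region):
    """Fetch the real setting (it is per region); needs boto3 and credentials."""
    import boto3  # imported lazily so the checks above run offline
    client = boto3.client("bedrock", region_name=region)
    return client.get_model_invocation_logging_configuration()


if __name__ == "__main__":
    samples = {"s3": SAMPLE_S3, "cloudwatch-only": SAMPLE_CLOUDWATCH_ONLY,
               "not-configured": SAMPLE_NOT_CONFIGURED}
    for name, resp in samples.items():
        print(name, check_invocation_logging(resp) or ["OK"])
```

Against a real account, pass the result of `fetch_live(region)` for each region where agents run, since the logging setting is configured per region.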
Setup Azure Support for AI Foundry/Open AI Service
The goal when setting up Azure for AI Foundry/Open AI Service is to enable AI Agent Discovery to read agent and assistant configurations. To do this, you'll need to set the appropriate permissions by granting minimal permissions, which include read access for AI Services agents, assets, OpenAI assistants, and files. Additionally, you’ll need to allow perimeter firewall public IPs.
Runtime logging is not currently supported; Azure model logs are currently not supported; the dashboard will only show static, configured information.
To set up Azure for AI Agent Discovery, you'll need to perform the tasks noted in the Azure Cloud Account Onboarding Prerequisites page.
When setting up the Azure cloud account, it's important to grant access to the storage account from specific IP addresses. To do this, refer to the section Grant Access to Storage Account from IP Addresses on the Azure Cloud Account Onboarding Prerequisites page.