Strata Cloud Manager

Strata Copilot Prompts

Explore our prompt library for effective query templates to maximize Strata Copilot's utility, tailored to specific functions.
Refer to the tips and examples below to get the most from Strata Copilot.

Tips for Improving Prompts

To maximize your experience with Strata Copilot and get the most accurate and helpful responses, consider the following tips:
  • Start with a clear and descriptive prompt.
    When initiating a conversation with Strata Copilot, ensure your prompts are descriptive and provide sufficient context. This helps the system to understand your query better and respond more accurately.
  • Use natural language phrasing. Phrase your questions as you would when speaking to a human analyst. This conversational approach often yields better results than overly technical or abbreviated queries.
  • Use action words to structure your prompts. Begin your queries with clear action verbs like "Show me," "Compare," "List," "Highlight," or "Analyze" to clearly communicate what you want Strata Copilot to do.
  • Use precise product terms.
    Refer to features by their exact names (for example, "Prisma Access", "Log Viewer", "Prisma SD-WAN") rather than generic words like "logs", "dashboard", "branch", or "events".
  • Include context and scope.
    Add time frames or filters in your prompt (for example "Display a table of top 10 denied applications in the last 24 hours, sorted by deny count," not just "Show denies.").
  • Specify the output format.
    Ask for tables, charts, or summaries (for example "List top 5 sources as a bar chart," or "Give me a bullet-point summary of high-risk alerts.").
  • Start broad, then refine with follow-ups. Begin with general insights before diving into specifics. For example, first ask "Show me security alerts from the past week" before asking "Which devices had the most critical alerts yesterday?"
  • Chain your questions.
    Break complex requests into steps (for example "First, find all devices with failed logins. Then, summarize by location.").
  • Use "versus" or "and" for comparisons.
    Compare two entities clearly (for example "VPN usage vs. firewall usage last week," or "Admins and standard users by number of sessions.").
  • Add "exclude" or "filter" clauses.
    Tell Strata Copilot what to leave out (for example "Show me all high-severity alerts excluding scheduled maintenance windows.").
  • Check for query explanations.
    If you get a result, make sure to read the "How is this response generated" section below the response to ensure that Strata Copilot has interpreted your query accurately.
  • Rephrase ambiguous prompts.
    If Strata Copilot seems confused, try swapping synonyms (for example "failed connections" vs. "connection errors").
  • Refine your questions for better answers.
    If Strata Copilot's response does not meet your expectations, refine your prompts by rephrasing your questions. Strata Copilot adapts and learns from each interaction, improving its ability to deliver precisely what you need over time.
  • Engage regularly for better performance.
    The more you interact with Strata Copilot, the more proficient it becomes in understanding and meeting your specific needs. Regular use is crucial for optimizing its capabilities.
Most importantly, try rephrasing the question when we don't get it right the first time. We are still learning and your feedback helps us go a long way!
For prompt inspiration, explore our example prompt library. This curated collection offers effective query patterns tailored to each functional area in Strata Copilot, helping you unlock its full potential.

Prompt Examples

Looking for inspiration to get the most out of your Strata Copilot experience? Browse through these example prompts organized by feature area. While not exhaustive, these examples represent commonly useful queries to help you quickly leverage Strata Copilot's capabilities.

Activity Insights

Category | Prompt
Performance Monitoring
  • What are the top applications with poor TLS versions affecting performance?
  • How does application performance vary during peak hours?
  • What is the impact of TLS 1.3 on our network latency and throughput?
  • Are there recurring performance issues with specific applications?
  • Can we identify any correlation between device types and application performance issues?
User Experience Assessment
  • What are the average user experience scores across different network conditions?
  • How does device type affect user experience scores?
  • What network conditions lead to the worst user experiences?
  • Are there specific locations facing frequent user experience issues?
  • How do changes in bandwidth allocation affect user experience?
Network Integrity and Status
  • What is the current uptime for all our Prisma Access locations?
  • Are there any locations experiencing higher than usual incident rates?
  • How does bandwidth usage correlate with incident occurrences?
  • What are the common categories of incidents across our network?
  • Which locations have the most stable network conditions?
Network Configuration and Resource Allocation
  • What are the current IP pool allocations and usage rates?
  • How are public IPs being utilized across different locations?
  • Are there any over-allocated or under-utilized resources?
  • How frequently are access permissions reviewed for compliance?
  • What changes in network configuration have occurred in the last quarter?
Trend Analysis
  • What are the recent trends in mobile user network activity?
  • How has application traffic changed over the past year?
  • Are there emerging security threats based on recent incident trends?
  • What applications are most used during different times of the day?
  • Which network segments are experiencing growth in data usage?
Service Stability and Performance
  • How stable are the connections for our branch sites over the last month?
  • What are the average downtime instances per branch site?
  • Which service areas have shown improvement in performance after upgrades?
  • Are there specific times when service stability issues peak?
  • What measures have effectively improved service performance?
Threat Response
  • Tag {application_name} as {tag_type}
  • Quarantine an NGFW device with {fw_device_id}, {host_id} and {device_serial}
  • Quarantine an NGFW device with {fw_device_id} and {host_id}
  • Quarantine a Prisma Access device with {host_id} and {device_serial}
  • Quarantine a Prisma Access device with {host_id}

NGFW Alerts

Category | Questions
Policy Modification
  • Modify policy in location {location} to {action} access under conditions: source zone {source_zone}, source address {source_address}, source user {user}, source device {source_device}, destination zone {destination_zone}, destination address {destination_address}, destination device {destination_device}, application {application_name}, service {service}, and URL category {url_category}.
  • Modify policy in location {location} to {action} user {user} access to app {application_name}.
Alert Management and Analysis
  • What is the average time it takes to resolve NGFW alerts of priority {alert_priority} in the past {duration_value} days?
  • What are the top {num_count} oldest NGFW alerts?
  • What are the top {num_count} frequently seen NGFW alerts of category {alert_category} in my deployment?
  • What {alert_state} NGFW alerts in the past {duration_value} days have generated a PANW support case?
  • How many times in the past {duration_value} days did NGFW alerts with priority of {alert_priority} occur in my deployment?
Operational Commands and Monitoring
  • Show me the output of metric {metric_value} for serial {device_serial} for the last {duration_value} days.
  • Show me the output of command {command_value} for serial {device_serial} for the last {duration_value} days.

Prisma Access Browser

Category | Questions
User Activity and Behavior
  • Which users have been most active in the last {duration_value} {duration_unit}?
  • Display the distribution of active devices in the last {duration_value} days
  • Display the peak usage hours of Prisma Access Browser across all users in the last {duration_value} {duration_unit}
  • How many Prisma Access Browser users have there been in the last {duration_value} days?
File Management and Interactions
  • List all activities involving compressed file extensions in the last {duration_value} {duration_unit}
  • What are the most common file types uploaded across the organization, in the last {duration_value} {duration_unit}?
  • What are the most common file types downloaded across the organization, in the last {duration_value} {duration_unit}?
  • List all activities involving file uploads to cloud storage services in the last {duration_value} {duration_unit}
  • List all file downloads heavier than {num_count} MB by user and timestamp, in the last {duration_value} {duration_unit}
Web Interaction Analytics
  • List top {num_count} non-app URLs that are visited the most in the last {duration_value} {duration_unit}
  • What are the top {num_count} most interacted websites across all users in the last {duration_value} {duration_unit}?
  • What are the top {num_count} most interacted websites at non-business hours in the last {duration_value} {duration_unit}

Prisma Access SD-WAN

Category | Questions
Application Usage and Performance
  • What are new applications on the network seen in the past {duration_value} {duration_unit} that were not seen in the prior?
  • What are the top {num_count} collaboration apps in the past {duration_value} {duration_unit}?
  • What top {num_count} apps have the lowest health score in the past {duration_value} {duration_unit}?
  • Which applications have had the most failed connection attempts in the past {duration_value} {duration_unit}?
  • What are the top applications with packet loss in the past {duration_value} {duration_unit}?
  • Which applications have the highest data transfer rates?
Network Incidents and Security
  • Show me incident with state as {incident_state}, priority as {incident_priority} and severity as {incident_severity} in the past {duration_value} {duration_unit} at {branch_site_name}.
  • Summarize the incidents that were reported in the past {duration_value} {duration_unit} at {branch_site_name}.
  • How many HA failover events have occurred in the past {duration_value} {duration_unit}?
  • Show me critical process restarts in the past {duration_value} {duration_unit}.
  • List the top sites with incidents of category {incident_category}.
Site and Network Management
  • Which sites have been down repeatedly in the last {duration_value} {duration_unit}?
  • Analyze the trend of sites that have been down in the last {duration_value} {duration_unit}.
  • Which site is consuming the most bandwidth over the past {duration_value} {duration_unit}?
  • Show me the list of sites with {carrier} network down in the past {duration_value} {duration_unit}.
  • List the sites that have gone down in the last {duration_value} {duration_unit}.
User Behavior and Traffic Analysis
  • Which users have shown the most traffic volume growth in the past {duration_value} {duration_unit}?
  • How many unique users are using my network over the past {duration_value} {duration_unit}?
  • Show me a breakdown of users per site, sorted by most users to least user count over the past {duration_value} {duration_unit}.
  • For username {user}, what are the top {num_count} applications in the past {duration_value} {duration_unit}?
Network Carriers and IP Management
  • What is the traffic distribution per carrier across my network in the past {duration_value} {duration_unit}?
  • How many unique Source IPs are in my network over the past {duration_value} {duration_unit}?
  • Who are the top {num_count} source IPs by traffic volume in my network over the past {duration_value} {duration_unit}?
  • What Source IP addresses have shown the most traffic volume growth in the past {duration_value} {duration_unit}?

Data Security

Category | Questions
Incident Detection and Analysis
  • How many new SaaS incidents have been detected in the last {duration_value} {duration_unit}?
  • What are the top applications we detected SaaS incidents on in the last {duration_value} {duration_unit}?
  • How many new inline incidents have been detected in the last {duration_value} {duration_unit}?
  • What are the top applications we detected inline incidents on in the last {duration_value} {duration_unit}?
Incident Management
  • Who are the top assignees for all open SaaS incidents?
  • Who are the top assignees for all open inline incidents?
Application and Asset Risk Assessment
  • What are the top high risk applications used in my organization?
  • What are the top unsanctioned applications used in my organization?
  • What are the top tolerated applications used in my organization?
  • What is the data risk for {application_name}?
  • What are the top applications with highest impacted users in the past {duration} hours?
Asset Exposure and Ownership
  • What are the top sensitive assets with {exposure} exposure?
  • Who are the top users who own assets with {exposure} exposure?
  • Who are the users who own assets which have {data_profile} data?
  • Who are the high data risk users owning sensitive assets in my organization?
  • What are the high risk sensitive assets owned by {user}?

IoT Security

Category | Questions
Device and Network Inventory
  • What are the top categories of devices in my network by number of devices?
  • What are the most common vendors of type {device_type} devices in my network?
  • Where are my category {device_category} devices?
  • Where are my type {device_type} devices?
  • What are my top device vendors by number of devices?
Security Posture and Risk Analysis
  • Are there devices with weak security posture in my network?
  • What device categories have a higher number of risky devices?
  • Which devices are affected by vulnerabilities exploited in the wild?
  • What are the riskiest vulnerabilities that can be exploited remotely?
  • Where are my riskiest devices?
Network Segmentation and Critical Assets
  • Which subnets have mixed business critical IoT devices with IT devices?
  • Which subnets have a higher number of risky devices?
  • Which subnets have devices of type {device_type}?
  • Which subnets have devices of category {device_category}?
  • What are my risky subnets?
Vulnerability and Attack Vector Analysis
  • Show me top risky devices affected by {vulnerability_priority} priority vulnerabilities.
  • Show me top risky devices affected by {vulnerability_severity} severity vulnerabilities.
  • Show me risky and confirmed vulnerabilities affecting devices of type {device_type}.
  • Show me devices that are affected by {CVE}.
  • Show me risky and confirmed vulnerabilities affecting devices of vendor {device_vendor}.
Connectivity and External Exposure
  • Show me devices connected to {destination_country}.
  • Show me devices connected to malicious destinations.
  • Which profiles have business critical IoT devices connected to the internet?
  • Which profiles have business critical IoT devices connected to malicious destinations?
  • Are there Windows devices running end of support OS?
Device Utilization and Downtime
  • How many category {device_category} devices have been offline for more than {duration_value} {duration_unit}?
  • How many type {device_type} devices have been offline for more than {duration_value} {duration_unit}?
Specific Device Queries
  • Tell me about device with IP {device_ip}.
  • Which devices have used {application_name} application in the last {duration_value} {duration_unit}?
Alert Management
  • What are the new security alerts I should pay attention to?

Visualization & Reporting

Category | Questions
Threat Identification and Analysis
  • What are the top critical threats in my network?
  • Show me the critical severity {threat_category} found on my network in the last {duration_value} {duration_unit}?
  • How many times was the {threat_name} threat seen in the past {duration_value} {duration_unit}?
  • Show me the frequency of the {threat_name} threat seen in the past {duration_value} {duration_unit}?
  • Show me the top threats by session.
  • Show me the top threat subcategories by session.
  • Show me the top 5 users along with their threat ID, source IP, and destination IP for threat category C2.
Threat Trends and Distribution
  • Show the trend of detected threats in the last {duration_value} {duration_unit}?
  • What is the threat category distribution in the past {duration_value} {duration_unit}?
  • Show me the breakdown of threat activity by allowed vs blocked actions
URL Monitoring and Security
  • What is the risk level breakdown of URL activity?
  • What are the top risky URLs in my network?
  • Show me the most common blocked URLs by risk category.
  • Show me the total URLs accessed between {start_time} and {end_time}?
Policy and Guidelines for URLs
  • List the policies for the URL {uri}
  • Outline the rules pertaining to the website {uri}