
Author: @vangupta
What is AI Canvas?
AI Canvas is the no-code data exploration platform within Strata Cloud Manager. It lets you query your security data in plain English and get immediate answers: instead of navigating dashboards and filters, you have a conversation with your data. This guide teaches you how to ask questions that return precise, actionable results for threat analysis, troubleshooting, and reporting.
Part 1: The 4 Components of an Effective Canvas Prompt
A great AI Canvas prompt is not a vague search—it’s a specific, clear command. Let’s start with a vague goal and see how adding each component transforms it into a precise, actionable query.
Let's start with a common, but vague, goal:
Show me security issues.
This is a weak prompt. "Security issues" is too broad. Let's fix it.
Step 1: Add a clear SUBJECT (What data?)
First, replace the vague term with a specific topic or data entity. This is the main noun of your query.
- Instead of: ...security issues.
- Try: Show me threats.
Other examples: risky applications, users, tunnels, application experience scores.
Step 2: Add an ACTION & Specify the FORMAT (What to do?)
Next, tell the AI what operation to perform (the verb) and what output you want (the format).
- Instead of: Show me threats. (This is still vague—a list? a count?)
- Try combining an Action + Format: Show me the top 10 threats.
Here’s how they work together:
- Actions (Verbs): Show, List, Count, Compare, Trend, Break down
- Formats (Outputs): top 10, percentage of, a list of names, total number
Step 3: Add FILTERS (How to narrow?)
Now, get specific. Add your "WHERE" clause to focus the query. This is the most important step for getting a useful answer.
- Instead of: Show me the top 10 threats. (Top 10 of all time? All severities?)
- Try: Show me the top 10 threats with severity high in the last 24 hours.
Other examples: ...from San Jose, ...where action is 'block', ...for GlobalProtect version 6.3.3.
Step 4: Add the "How-to-Count" (The Pro-Tip for Accuracy)
For a truly production-ready metric, you must be explicit about how the AI calculates the numbers. This eliminates guesswork.
Pro-Tip: Master the "How-to-Count"
This final component turns a good prompt into a great one.
- Good Prompt: Show me the top 10 threats with severity high in the last 24 hours.
- Excellent Prompt: Show me the top 10 threats with severity high in the last 24 hours, ranked by unique session count.
Being explicit (e.g., ranked by unique session count, relative to total unique sessions, use session_id to count) ensures your metrics are accurate and trustworthy.
Part 1 (Continued): An Investigative Workflow
Use this systematic approach to explore your data like an expert.
1. Start with the Big Picture: What's Happening Overall?
   Begin by understanding the general state of your environment. Ask for high-level summaries to get your bearings.
   Initial Questions:
   - Show me the total number of threats in the last 24 hours.
   - Summarize our overall security posture this week.
2. Zoom In on Specifics: Where Should I Focus?
   Once you have the overview, break down the information into meaningful categories. If you see a high number of threats, find out what kind of threats they are.
   Follow-up Questions:
   - Break down threats by category and severity.
   - Show the distribution of traffic by application type.
3. Identify Key Players: Who or What is Most Involved?
   Now that you've narrowed the focus, pinpoint the entities contributing most to the pattern you're seeing. Who are the top affected users? Which applications are generating the most alerts?
   Investigative Questions:
   - Who are the top 10 affected users for the threat category 'C2'?
   - Which apps generated the most incidents yesterday?
4. Add Context with Time: Is This Normal or Changing?
   Understanding whether a situation is new, worsening, or improving requires looking at trends and comparisons over time.
   Contextual Questions:
   - Compare incident volume this week vs. last week for user 'jdoe'.
   - Trend of traffic volume for application 'RiskyApp' over the past 30 days.
5. Connect the Dots: How Are Different Factors Related?
   Dig deeper by exploring relationships between data points. Are specific users accessing risky apps from certain locations? Are particular threats tied to specific source IPs?
   Correlation Questions:
   - Show top users by threat category and the source IPs they used.
   - What are the most used high-risk applications in the 'San Jose' location?
6. Hunt for the Unusual: What Stands Out?
   Finally, ask AI Canvas to look for anomalies or outliers that are not obvious from the previous steps. This can uncover hidden issues or emerging threats.
   Anomaly Detection Questions:
   - What unusual traffic patterns were observed today compared to the last 7 days?
   - Identify any spike in failed login attempts this week.
By following this flow – from broad overview to specific correlations and anomalies – you can use AI Canvas to tell a clear story about what's happening in your network and security environment.
Part 2: Get Started: Prompting for Your Role
AI Canvas has data for everyone. Here are common starting points tailored to your job function.
For the Security Admin
Your Focus: Threat hunting, incident response, and risk posture.
- To Triage Incidents: 'Show me the top 5 threat categories, subcategories, and severities in the last 24 hours.'
- To Identify At-Risk Users: 'Who are the top 10 affected users this week by threat count?'
- To Investigate WildFire: 'Show me all files submitted to WildFire in the last 48 hours that received a malicious verdict.'
See the full Prompt Catalog for more on Threat Analysis (3.A) and CDSS (3.E).
For the Network Admin
Your Focus: Infrastructure health, connectivity, and performance.
- To Check SASE Health: 'What is the current status of each PA location?'
- To Troubleshoot Tunnels: 'Provide the count of Remote Networks which are down.'
- To Monitor User Experience: 'Show application experience scores for top monitored sites in the last 7 days.'
See the full Prompt Catalog for more on Location & Infrastructure (3.D) and ADEM (3.F).
For the NetSec Admin
Your Focus: Policy enforcement, application risk, and holistic visibility.
- To Manage App Risk: 'Which users are using the highest-risk applications?'
- To Audit Access Policy: 'Which users were denied application access in the last 7 days?'
- To Manage Client Versions: 'How many users are using GlobalProtect version 6.3.3 and what are their names?'
See the full Prompt Catalog for more on Application Analysis (3.B) and User Analysis (3.C).
Part 3: AI Canvas Prompt Catalog
Use these proven prompts as a starting point. Mix, match, and modify them to fit your investigation.
3.A: Threat Analysis
- Show me the top 5 threat categories, subcategories, and severities in the last 24 hours
- Show me top affected users by those top 5 threats
- Show me the top affected users and threat count in the last 24 hours
- Show me the top 5 users along with their threat ID, source IP, and destination IP for threat category C2
- Show me the top threats by session
- Show me the top threat subcategories by session
- Show me the number of threats per PA location
3.B: Application Analysis
- Show me the top 10 risky applications that are accessed by top affected users
- Top 10 applications with the most impacted users in the past 3 hours
- Show me top applications in the last 30 days
- Which users are using the highest-risk applications
- What are the most used applications
- Which users were denied application access in the last 7 days
3.C: User Analysis
- How many users are using GlobalProtect version 6.3.3 and what are their names?
- How many users have been seen in the last week running GlobalProtect version 6.3.3?
- How many Prisma Access users in the last 30 days
- Show me top 10 users with high bandwidth
3.D: Location & Infrastructure
- Show me top 10 incidents in PA locations
- Show me top users impacted by top incidents
- What are the top 10 Prisma Access locations seeing high traffic volume?
- What is the current status of each PA location
- Provide a list of all Prisma Access locations with the respective number of egress IPs for MU, EP, and RNs (Mobile Users, Explicit Proxy, and Remote Networks)
- Give me the list of all migrated Remote Networks
- Provide me the count of Remote Networks which are down
- Show me the tunnels which are in UP status
Part 3 (Continued): Product-Specific Scenarios
Target specific data sources for advanced insights.
3.E: CDSS (Advanced Security) Scenarios
(Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering)
- Show me all files submitted to Advanced WildFire in the last 48 hours that received a malicious verdict.
- What is the prevention statistics trend for Advanced Threat Prevention over the past 30 days?
- List top users who visited URLs in the 'Malware' category according to Advanced URL Filtering.
- Break down all C2 threats detected by Advanced Threat Prevention by source user and destination IP.
3.F: ADEM (User Experience) Scenarios
(Autonomous Digital Experience Management)
- Show application experience scores for top monitored sites in the last 7 days.
- List all users experiencing poor mobile user experience (MUX) with O365 today.
- What is the trend of application performance for 'Salesforce' over the last 30 days?
- Show me the network performance metrics for all remote sites in 'San Jose'.
3.G: Prisma Access Browser Scenarios
- List users who accessed malicious websites through Prisma Access Browser in the last 24 hours.
- Show me the top 10 high-risk websites visited via Prisma Access Browser this week.
- Break down Prisma Access Browser usage by user and data transferred.
3.H: General Log Viewer Scenarios
- Show all log entries from source IP '10.5.1.1' in the last hour.
- Find all log viewer data where the user is 'john.doe' and action is 'deny'.
- Trend all firewall log entries with severity 'high' or 'critical' over the last 3 days.
Part 4: Level Up: From Good to Great Prompts
The prompts in our catalog are great starting points. When you need production-ready metrics for a report or a critical investigation, you must add Component #4: the "How-to-Count".
Let's see how to "level up" a good prompt into a great one.
Pro-Tip: Speak the Log's Language
To make your filters unambiguous, use the specific field names and values found in the underlying logs whenever possible. Instead of just saying "blocked traffic," define exactly what "blocked" means according to the log data.
- Vague Filter: ...show blocked traffic...
- Precise Filter using Log Terminology: ...where action value is not 'allow'... or ...where action is 'deny'... Choose the form that matches your logs: "not 'allow'" also captures other enforcement actions (such as drop or reset), while "is 'deny'" counts only that one value.
This tells AI Canvas exactly which records to include or exclude, removing guesswork.
Example 1: Threat Analysis
Goal: Find your most at-risk users.
The Good Prompt
'Show me the top 10 affected users this week by threat count.'
- Problem: This is ambiguous. How is "threat count" measured? Total threat log entries? Threat sessions? Unique threat IDs? Each reading can produce a different top 10. This is fine for a quick look, but not for a formal report.
The Great Prompt
'Show me the top 10 affected users this week, ranked by the count of unique threat IDs. For each user, also include their total session count and a breakdown by threat category.'
- What We Added (and Why):
- ranked by... unique threat IDs: This is now precise. We are ranking by the variety of threats, not just volume.
- include... total session count: This adds critical context. 10 threats in 12 sessions is different from 10 threats in 10,000 sessions.
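The following is an added example (not code from the AI Canvas documentation) that makes the "How-to-Count" point from Part 1, Step 4 and from Example 1 concrete. It runs three rankings over the same constructed threat-log records, so you can see that "by threat count" yields a different top user depending on whether it means log entries, unique threat IDs, or unique sessions. The field names (user, session_id, threat_id, category) are assumptions chosen to mirror a firewall threat log.

```python
"""Three ways to rank "top affected users" over the same threat-log records.

Added example, not code from the AI Canvas documentation. The records are
constructed, and the field names (user, session_id, threat_id, category) are
assumptions chosen to mirror a firewall threat log.
"""
from collections import defaultdict

# Constructed sample: one dict per threat-log entry. One session can produce
# several entries (s1, s5, s7) and one threat ID can fire many times (30001).
THREAT_LOG = [
    {"user": "alice", "session_id": "s1", "threat_id": 30001, "category": "spyware"},
    {"user": "alice", "session_id": "s1", "threat_id": 30001, "category": "spyware"},
    {"user": "alice", "session_id": "s2", "threat_id": 30001, "category": "spyware"},
    {"user": "alice", "session_id": "s3", "threat_id": 30001, "category": "spyware"},
    {"user": "alice", "session_id": "s4", "threat_id": 30001, "category": "spyware"},
    {"user": "bob",   "session_id": "s5", "threat_id": 41000, "category": "vulnerability"},
    {"user": "bob",   "session_id": "s5", "threat_id": 41001, "category": "vulnerability"},
    {"user": "bob",   "session_id": "s6", "threat_id": 50010, "category": "command-and-control"},
    {"user": "carol", "session_id": "s7", "threat_id": 30001, "category": "spyware"},
    {"user": "carol", "session_id": "s7", "threat_id": 50010, "category": "command-and-control"},
    {"user": "carol", "session_id": "s7", "threat_id": 41000, "category": "vulnerability"},
]


def _ranked(counts):
    """Sort (user, value) pairs by value descending, then by name for stable ties."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_by_event_count(records):
    """'By threat count' read literally: number of threat-log entries per user."""
    counts = defaultdict(int)
    for r in records:
        counts[r["user"]] += 1
    return _ranked(counts)


def rank_by_unique_threat_ids(records):
    """'Ranked by the count of unique threat IDs': variety of threats per user."""
    ids = defaultdict(set)
    for r in records:
        ids[r["user"]].add(r["threat_id"])
    return _ranked({u: len(s) for u, s in ids.items()})


def rank_by_unique_sessions(records):
    """'Ranked by unique session count, use session_id to count': repeated hits
    inside one session count once."""
    sessions = defaultdict(set)
    for r in records:
        sessions[r["user"]].add(r["session_id"])
    return _ranked({u: len(s) for u, s in sessions.items()})


def user_summary(records):
    """What the 'great prompt' asks for: per user, unique threat IDs, total
    (unique) sessions, and a per-category breakdown of unique threat IDs."""
    ids = defaultdict(set)
    sessions = defaultdict(set)
    by_cat = defaultdict(lambda: defaultdict(set))
    for r in records:
        ids[r["user"]].add(r["threat_id"])
        sessions[r["user"]].add(r["session_id"])
        by_cat[r["user"]][r["category"]].add(r["threat_id"])
    return {
        u: {
            "unique_threat_ids": len(ids[u]),
            "total_sessions": len(sessions[u]),
            "by_category": {c: len(t) for c, t in by_cat[u].items()},
        }
        for u in ids
    }


if __name__ == "__main__":
    # Same records, three different "top user": the prompt must say which one it means.
    print("by log entries:      ", rank_by_event_count(THREAT_LOG))
    print("by unique threat IDs:", rank_by_unique_threat_ids(THREAT_LOG))
    print("by unique sessions:  ", rank_by_unique_sessions(THREAT_LOG))
    for user, summary in user_summary(THREAT_LOG).items():
        print(user, summary)
```

On this sample, alice leads by log entries (five hits of one signature), bob leads by unique threat IDs, and alice leads again by unique sessions while carol, who triggered three different threats in a single session, comes last. Whichever ranking your report needs, the prompt has to name it.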
Example 2: Application Analysis
Goal: Find users engaging in risky behavior.
The Good Prompt
'Which users are using the highest-risk applications?'
- Problem: "Using" is vague (sessions or bandwidth?). "Highest-risk" is vague (risk level 5 only, or 4 and 5?).
The Great Prompt
'List all users who generated sessions for applications with a risk level of 4 or 5 in the last 7 days. Rank this list by total data (bytes) sent and received for those applications.'
- What We Added (and Why):
- risk level of 4 or 5: Precisely defines "highest-risk."
- rank... by total data: Explicitly defines "using" as data transfer, which captures how much data actually moved to and from the risky applications rather than how often they were contacted.
Example 3: Traffic & Location Analysis
Goal: Report on blocked traffic from specific countries.
The Good Prompt
'Show me blocked traffic by country.'
- Problem: Too broad. No time window, no output format, and no definition of "blocked" or of how the numbers are calculated.
The Great Prompt
'Provide the top 5 countries by total sessions blocked, defined as action value not 'allow'. Also include total sessions allowed and the percentage blocked, which you must calculate relative to the total unique sessions from that source location.'
- What We Added (and Why):
- defined as... not 'allow': Explicitly defines "blocked," so every enforcement action (not just 'deny') is counted.
- relative to... total unique sessions: This is the most critical part. It fixes the denominator, so the percentage is not inflated by sessions that appear more than once in the logs.
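The following is an added example (not code from the AI Canvas documentation) that shows why the "Speak the Log's Language" tip and the denominator in Example 3 matter. It computes the blocked percentage per source country over constructed traffic-log records three ways: with "blocked" defined as action not 'allow' per unique session, with the same definition per raw log entry, and with the narrower "action is 'deny'". The field names (session_id, src_country, action, log_type) are assumptions; the action values (allow, deny, drop, reset-both) follow the PAN-OS traffic-log vocabulary as the author of this example understands it, so check them against your own logs.

```python
"""Percentage of blocked sessions per source country, with "blocked" and the
denominator both defined explicitly.

Added example, not code from the AI Canvas documentation. The traffic-log
records are constructed; the field names (session_id, src_country, action,
log_type) are assumptions, and the action values follow the PAN-OS traffic-log
vocabulary where anything other than 'allow' (deny, drop, reset-both, ...) is an
enforcement action.
"""
from collections import defaultdict

# Constructed sample. Sessions t1 and t6 are logged twice (at session start and
# at session end), which is exactly what skews an event-based percentage.
TRAFFIC_LOG = [
    {"session_id": "t1", "src_country": "US", "action": "allow",      "log_type": "start"},
    {"session_id": "t1", "src_country": "US", "action": "allow",      "log_type": "end"},
    {"session_id": "t2", "src_country": "US", "action": "allow",      "log_type": "end"},
    {"session_id": "t3", "src_country": "US", "action": "deny",       "log_type": "end"},
    {"session_id": "t4", "src_country": "CN", "action": "drop",       "log_type": "end"},
    {"session_id": "t5", "src_country": "CN", "action": "reset-both", "log_type": "end"},
    {"session_id": "t6", "src_country": "CN", "action": "allow",      "log_type": "start"},
    {"session_id": "t6", "src_country": "CN", "action": "allow",      "log_type": "end"},
    {"session_id": "t7", "src_country": "RU", "action": "deny",       "log_type": "end"},
    {"session_id": "t8", "src_country": "RU", "action": "deny",       "log_type": "end"},
    {"session_id": "t9", "src_country": "RU", "action": "allow",      "log_type": "end"},
]


def not_allowed(record):
    """'Blocked, defined as action value not allow': any enforcement action counts."""
    return record["action"] != "allow"


def deny_only(record):
    """The narrower reading 'action is deny', which misses drop and reset actions."""
    return record["action"] == "deny"


def blocked_by_country(records, blocked=not_allowed, dedupe_sessions=True):
    """Return {country: {blocked, allowed, total_sessions, pct_blocked}}.

    dedupe_sessions=True collapses the log to one row per session_id (a session
    is blocked if any of its entries was), so the percentage is relative to the
    total unique sessions from that country. dedupe_sessions=False counts raw
    log entries, so a session logged at start and end counts twice.
    """
    if dedupe_sessions:
        per_session = {}
        for r in records:
            country, was_blocked = per_session.get(r["session_id"], (r["src_country"], False))
            per_session[r["session_id"]] = (country, was_blocked or blocked(r))
        units = list(per_session.values())
    else:
        units = [(r["src_country"], blocked(r)) for r in records]

    stats = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    for country, was_blocked in units:
        stats[country]["blocked" if was_blocked else "allowed"] += 1
    for s in stats.values():
        s["total_sessions"] = s["blocked"] + s["allowed"]
        s["pct_blocked"] = round(100.0 * s["blocked"] / s["total_sessions"], 1)
    return dict(stats)


def top_blocked_countries(records, n=5, **kwargs):
    """'Top N countries by total sessions blocked', ties broken by percentage then name."""
    stats = blocked_by_country(records, **kwargs)
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1]["blocked"], -kv[1]["pct_blocked"], kv[0]))
    return ordered[:n]


if __name__ == "__main__":
    print("per unique session, blocked = not allow:", blocked_by_country(TRAFFIC_LOG))
    print("per log entry (double counts t1, t6):   ", blocked_by_country(TRAFFIC_LOG, dedupe_sessions=False))
    print("per unique session, blocked = deny only:", blocked_by_country(TRAFFIC_LOG, blocked=deny_only))
    print("top 5:", top_blocked_countries(TRAFFIC_LOG))
```

Counting per unique session, the US is 33.3% blocked and CN 66.7%; counting raw log entries, the start-and-end entries of the allowed sessions push those down to 25.0% and 50.0%, and the "deny only" reading reports zero blocked sessions from CN even though two were dropped or reset. The great prompt in Example 3 is worded precisely to rule out the second and third calculations.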