From f10b0ffe1071288ec392407e039636957f4365cd Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Sun, 4 Apr 2021 23:55:52 +0000 Subject: [PATCH 1/9] #24724: Add Global Protect logs --- x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 67 + .../module/panw/panos/config/input.yml | 90 +- .../panw/panos/ingest/globalprotect.yml | 37 + .../module/panw/panos/ingest/pipeline.yml | 1132 ++++++++--------- .../module/panw/panos/ingest/threat.yml | 49 + .../module/panw/panos/ingest/traffic.yml | 87 ++ .../filebeat/module/panw/panos/manifest.yml | 6 +- .../module/panw/panos/test/global_protect.log | 2 + .../test/global_protect.log-expected.json | 113 ++ .../test/pan_inc_threat.log-expected.json | 104 +- .../panw/panos/test/threat.log-expected.json | 152 +-- 12 files changed, 1095 insertions(+), 746 deletions(-) create mode 100644 x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml create mode 100644 x-pack/filebeat/module/panw/panos/ingest/threat.yml create mode 100644 x-pack/filebeat/module/panw/panos/ingest/traffic.yml create mode 100644 x-pack/filebeat/module/panw/panos/test/global_protect.log create mode 100644 x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go
index 1990a4b7403..eae833bfa26 100644
--- a/x-pack/filebeat/module/panw/fields.go
+++ b/x-pack/filebeat/module/panw/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetPanw returns asset data.
 // This is the base64 encoded gzipped contents of module/panw.
 func AssetPanw() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
index 4fa1094f56f..60a339b63be 100644
--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml
+++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -147,3 +147,70 @@
 type: keyword
 description: >
 Virtual system instance
+
+ # - name: eventid
+ # type: keyword
+ # description: >
+ # A string showing the name of the event.
+
+ # - name: hostid
+ # type: keyword
+ # description: >
+ # The unique ID that GlobalProtect assigns to identify the host.
+
+ # - name: machinename
+ # type: keyword
+ # description: >
+ # The name of the user’s machine.
+
+ - name: client_os_ver
+ type: keyword
+ description: >
+ The client device’s OS version.
+
+ - name: client_os
+ type: keyword
+ description: >
+ The client device’s OS version.
+
+ - name: client_ver
+ type: keyword
+ description: >
+ The client’s GlobalProtect app version.
+
+ - name: stage
+ type: keyword
+ example: before-login
+ description: >
+ A string showing the stage of the connection
+
+ - name: actionflags
+ type: keyword
+ description: >
+ A bit field indicating if the log was forwarded to Panorama.
+
+ - name: error
+ type: keyword
+ description: >
+ A string showing that error that has occurred in any event.
+
+ - name: error_code
+ type: integer
+ description: >
+ An integer associated with any errors that occurred.
+
+ - name: repeatcnt
+ type: integer
+ description: >
+ The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred.
+
+ - name: serial_number
+ type: keyword
+ description: >
+ The serial number of the user’s machine or device.
+
+ - name: auth_method
+ type: keyword
+ example: LDAP
+ description: >
+ A string showing the authentication type
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index f56e2ecba39..b5ef682cbb4 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
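Review bot: The `client_os` entry reuses the `client_os_ver` description word for word ("The client device’s OS version."), and the `repeatcnt` description carries a sentence pasted from `error_code` ("An integer associated with any errors that occurred.") fused onto the end of its own text; both will be published into the exported field reference as-is. Suggested wording: `The client device’s OS.` for `client_os`, and for `repeatcnt` drop the trailing sentence so it ends at `within the last five seconds.`. The `eventid`, `hostid` and `machinename` blocks are left commented out, yet the USERID mapping in the `config/input.yml` hunk writes `panw.panos.eventid`, so that field would be indexed without a declared type; either uncomment `eventid` or drop the mapping. `stage` and `auth_method` descriptions also lack a terminating period unlike their neighbours.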
@@ -172,6 +172,87 @@ processors:
 destination.user.email: 52
 observer.hostname: 59
 
+ - extract_array:
+ when:
+ equals:
+ panw.panos.type: GLOBALPROTECT
+ field: csv
+ omit_empty: true
+ overwrite_keys: true
+ fail_on_error: false
+ mappings:
+ panw.panos.virtual_sys: 7
+ event.code: 8
+ panw.panos.stage: 9
+ panw.panos.auth_method: 10
+ panw.panos.tunnel_type: 11
+ _temp_.srcuser: 12
+ _temp_.srcloc: 13
+ host.name: 14
+ source.nat.ip: 15
+ client.nat.ip: 15
+ _temp_.public_ipv6: 16
+ host.ip: 17
+ source.ip: 17
+ client.ip: 17
+ source.address: 17
+ client.address: 17
+ _temp_.private_ipv6: 18
+ host.id: 19
+ panw.panos.serial_number: 20
+ panw.panos.client_ver: 21
+ panw.panos.client_os: 22
+ panw.panos.client_os_ver: 23
+ panw.panos.repeatcnt: 24
+ event.reason: 25
+ panw.panos.error: 26
+ panw.panos.description: 27
+ event.outcome: 28
+ observer.geo.name: 29
+ event.duration: 30
+ panw.panos.connect_method: 31
+ panw.panos.error_code: 32
+ observer.hostname: 33
+ panw.panos.sequence_number: 34
+ panw.panos.actionflags: 35
+
+ - extract_array:
+ when:
+ equals:
+ panw.panos.type: USERID
+ field: csv
+ omit_empty: true
+ overwrite_keys: true
+ fail_on_error: false
+ mappings:
+ panw.panos.virtual_sys: 7
+ client.ip: 8
+ source.ip: 8
+ source.address: 8
+ _temp_.srcuser: 9
+ panw.panos.datasourcename: 10
+ panw.panos.eventid: 11
+ panw.panos.repeatcnt: 12
+ panw.panos.timeout: 13
+ source.port: 14
+ client.port: 14
+ destination.port: 15
+ server.port: 15
+ panw.panos.datasource: 16
+ panw.panos.datasourcetype: 17
+ panw.panos.sequence_number: 18
+ panw.panos.actionflags: 19
+ panw.panos.dg_hier: 20
+ panw.panos.vsys_name: 21
+ observer.hostname: 22
+ panw.panos.vsys_id: 23
+ panw.panos.factortype: 24
+ panw.panos.factorcompletiontime: 25
+ panw.panos.factorno: 26
+ panw.panos.ugflags: 27
+ source.user.name: 28
+ client.user.name: 28
+
 - drop_fields:
 fields:
 - csv
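Review bot: The USERID mapping writes a dozen `panw.panos.*` fields that the `_meta/fields.yml` hunk in this commit does not declare (`datasourcename`, `eventid`, `timeout`, `datasource`, `datasourcetype`, `dg_hier`, `vsys_name`, `vsys_id`, `factortype`, `factorcompletiontime`, `factorno`, `ugflags`), and the GLOBALPROTECT mapping adds `tunnel_type`, `connect_method` and `description` with the same gap, so these would be dynamically mapped (or rejected under a strict mapping) rather than typed. `panw.panos.repeatcnt` and `panw.panos.error_code` are declared `integer` in fields.yml but `extract_array` yields strings and the `convert` list in the `ingest/pipeline.yml` hunk does not cover them; add `- convert: { type: long, ignore_missing: true, field: panw.panos.repeatcnt }` and the same for `panw.panos.error_code` rather than relying on index-time coercion. Column 15 feeds both `source.nat.ip` and `client.nat.ip`, but the new `globalprotect.yml` pipeline later overrides only `source.nat.ip` from `_temp_.public_ipv6`, leaving the two fields able to disagree for IPv6 clients.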
@@ -190,15 +271,6 @@ processors:
 internal_zones: {{ .internal_zones | tojson }}
 {{ end }}
 
- - community_id: ~
-
- - community_id:
- target: panw.panos.network.nat.community_id
- fields:
- source_ip: source.nat.ip
- source_port: source.nat.port
- destination_ip: destination.nat.ip
- destination_port: destination.nat.port
 
 # Copy NAT data from ECS fields to the original non-ECS fields to retain
 # backward compatibility. This should be removed for 8.0.
diff --git a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
new file mode 100644
index 00000000000..713be3ba954
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
@@ -0,0 +1,37 @@
+---
+description: Pipeline for PanOS Global Protect Logs
+processors:
+ - set:
+ field: source.ip
+ value: "{{_temp_.private_ipv6}}"
+ if: ctx?._temp_?.private_ipv6 != "" && ctx?._temp_?.private_ipv6 != "0.0.0.0"
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.public_ipv6}}"
+ if: ctx?._temp_?.public_ipv6 != "" && ctx?._temp_?.public_ipv6 != "0.0.0.0"
+ - grok:
+ field: _temp_.srcuser
+ ignore_missing: true
+ ignore_failure: true
+ patterns:
+ - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
+ - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
+ - '%{USERNAME:source.user.name}'
+ if: ctx?._temp_?.srcuser != null
+ - set:
+ field: network.type
+ value: 'ipv4'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: 'ipv6'
+ if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in Global Protect pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
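Review bot: The two `set` conditions in globalprotect.yml have no null guard: the input's `extract_array` uses `omit_empty: true`, so for an IPv4-only client `_temp_.private_ipv6` is absent, `null != ""` and `null != "0.0.0.0"` are both true, and the processor runs with an empty rendered template, overwriting the `source.ip` just populated from column 17 (same for `source.nat.ip` and `_temp_.public_ipv6`). Change the first to `if: ctx?._temp_?.private_ipv6 != null && ctx._temp_.private_ipv6 != "" && ctx._temp_.private_ipv6 != "0.0.0.0"` and the second analogously. The `network.type` conditions call `.contains` on `ctx?.source?.ip`, which appears to dereference null when `source.ip` is missing and would route the document through `on_failure`; prefix them with `ctx?.source?.ip != null &&`. The grok's `if` duplicates `ignore_missing: true` and could be dropped.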
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 6fdd0cac2ef..685fff2a669 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -1,624 +1,542 @@ description: "Pipeline for Palo Alto Networks PAN-OS Logs" processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' -# keep message as log.original. - - rename: - field: message - target_field: log.original + # keep message as log.original. + - rename: + field: message + target_field: log.original # Get the timezone from the IETF header if present. Otherwise the timezone # value added by the add_locale processor will be used. - - grok: - field: _temp_.ietf_header - patterns: - - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' - ignore_failure: true - -# Set @timestamp to the time when the entry was generated at the data plane. - - date: - if: "ctx.event.timezone == null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null" - field: "_temp_.generated_time" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.created is the time the event was received at the management plane. - - date: - if: "ctx.event.timezone == null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.created != null " - field: "event.created" - target_field: "event.created" - formats: - - "yyyy/MM/dd HH:mm:ss" - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# event.start (traffic only) is the time the session started. 
- - date: - if: "ctx.event.timezone == null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - - date: - if: "ctx.event.timezone != null && ctx.event.start != null" - field: "event.start" - target_field: "event.start" - timezone: "{{ event.timezone }}" - formats: - - "yyyy/MM/dd HH:mm:ss" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# convert integer fields as the output of the CSV processor is always a string. - - convert: { type: long, ignore_missing: true, field: client.bytes } - - convert: { type: long, ignore_missing: true, field: client.packets } - - convert: { type: long, ignore_missing: true, field: client.port } - - convert: { type: long, ignore_missing: true, field: server.bytes } - - convert: { type: long, ignore_missing: true, field: server.packets } - - convert: { type: long, ignore_missing: true, field: server.port } - - convert: { type: long, ignore_missing: true, field: source.bytes } - - convert: { type: long, ignore_missing: true, field: source.packets } - - convert: { type: long, ignore_missing: true, field: source.port } - - convert: { type: long, ignore_missing: true, field: destination.bytes } - - convert: { type: long, ignore_missing: true, field: destination.packets } - - convert: { type: long, ignore_missing: true, field: destination.port } - - convert: { type: long, ignore_missing: true, field: network.bytes } - - convert: { type: long, ignore_missing: true, field: network.packets } - - convert: { type: long, ignore_missing: true, field: event.duration } - - convert: { type: long, ignore_missing: true, field: _temp_.labels } - - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } - - convert: { type: long, ignore_missing: true, field: source.nat.port } - - convert: { type: long, 
ignore_missing: true, field: destination.nat.port } - - convert: { type: long, ignore_missing: true, field: client.nat.port } - - convert: { type: long, ignore_missing: true, field: server.nat.port } - -# Remove PCAP ID when zero (no packet capture). - - remove: - if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' - field: - - panw.panos.network.pcap_id - -# Extract 'flags' bitfield into labels. - - script: - lang: painless - if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' - params: - pcap_included: 0x80000000 - ipv6_session: 0x02000000 - ssl_decrypted: 0x01000000 - url_filter_denied: 0x00800000 - nat_translated: 0x00400000 - captive_portal: 0x00200000 - x_forwarded_for: 0x00080000 - http_proxy: 0x00040000 - container_page: 0x00008000 - temporary_match: 0x00002000 - symmetric_return: 0x00000800 - source: > - def labels = ctx?.labels; - if (labels == null) { + - grok: + field: _temp_.ietf_header + patterns: + - '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' + ignore_failure: true + + # Set @timestamp to the time when the entry was generated at the data plane. + - date: + if: "ctx.event.timezone == null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null" + field: "_temp_.generated_time" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.created is the time the event was received at the management plane. 
+ - date: + if: "ctx.event.timezone == null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.created != null " + field: "event.created" + target_field: "event.created" + formats: + - "yyyy/MM/dd HH:mm:ss" + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # event.start (traffic only) is the time the session started. + - date: + if: "ctx.event.timezone == null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + - date: + if: "ctx.event.timezone != null && ctx.event.start != null" + field: "event.start" + target_field: "event.start" + timezone: "{{ event.timezone }}" + formats: + - "yyyy/MM/dd HH:mm:ss" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + + # convert integer fields as the output of the CSV processor is always a string. 
+ - convert: { type: long, ignore_missing: true, field: client.bytes } + - convert: { type: long, ignore_missing: true, field: client.packets } + - convert: { type: long, ignore_missing: true, field: client.port } + - convert: { type: long, ignore_missing: true, field: server.bytes } + - convert: { type: long, ignore_missing: true, field: server.packets } + - convert: { type: long, ignore_missing: true, field: server.port } + - convert: { type: long, ignore_missing: true, field: source.bytes } + - convert: { type: long, ignore_missing: true, field: source.packets } + - convert: { type: long, ignore_missing: true, field: source.port } + - convert: { type: long, ignore_missing: true, field: destination.bytes } + - convert: { type: long, ignore_missing: true, field: destination.packets } + - convert: { type: long, ignore_missing: true, field: destination.port } + - convert: { type: long, ignore_missing: true, field: network.bytes } + - convert: { type: long, ignore_missing: true, field: network.packets } + - convert: { type: long, ignore_missing: true, field: event.duration } + - convert: { type: long, ignore_missing: true, field: _temp_.labels } + - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number } + - convert: { type: long, ignore_missing: true, field: source.nat.port } + - convert: { type: long, ignore_missing: true, field: destination.nat.port } + - convert: { type: long, ignore_missing: true, field: client.nat.port } + - convert: { type: long, ignore_missing: true, field: server.nat.port } + + - community_id: + ignore_missing: true + + - community_id: + target_field: panw.panos.network.nat.community_id + ignore_missing: true + ignore_failure: true + source_ip: source.nat.ip + source_port: source.nat.port + destination_ip: destination.nat.ip + destination_port: destination.nat.port + + # Remove PCAP ID when zero (no packet capture). 
+ - remove: + if: 'ctx?.panw?.panos?.network?.pcap_id == "0"' + field: + - panw.panos.network.pcap_id + + # Extract 'flags' bitfield into labels. + - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + source: > + def labels = ctx?.labels; + if (labels == null) { labels = new HashMap(); ctx['labels'] = labels; - } - long value = ctx._temp_.labels; - for (entry in params.entrySet()) { + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { if ((value & entry.getValue()) != 0) { labels[entry.getKey()] = true; } - } - -# normalize event.duration and determine event.end. - - script: - lang: painless - if: 'ctx?.event?.duration != null' - params: - NANOS_IN_A_SECOND: 1000000000 - source: > - long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; - ctx['event']['duration'] = nanos; - def start = ctx.event?.start; - if (start != null) { + } + + # normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); - } - -# Set network.direction using src/dst zone (traffic logs). 
- - set: - field: network.direction - value: inbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - - set: - field: network.direction - value: outbound - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: internal - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: external - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && - ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && - ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - - set: - field: network.direction - value: unknown - if: > - ctx?.panw?.panos?.type == "TRAFFIC" && - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ( - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone) - ) || - ( - !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && - !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone) - ) - ) -# 
Set network.direction from threat direction (Threat logs). - - set: - field: network.direction - value: inbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' - - - set: - field: network.direction - value: outbound - if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' - - - set: - field: network.direction - value: unknown - if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null' - -# Set network.type for TRAFFIC. - - set: - field: network.type - value: 'ipv4' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null' - - set: - field: network.type - value: 'ipv6' - if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null' - - # Set event.category depending on log type. - - set: - field: event.kind - value: event - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - append: - field: event.category - allow_duplicates: false - value: - - network_traffic - - network - if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - - set: - field: event.kind - value: alert - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.category - allow_duplicates: false - value: - - security_threat - - intrusion_detection - - network - if: 'ctx?.panw?.panos?.type == "THREAT"' - - append: - field: event.type - allow_duplicates: false - value: allowed - if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" - - append: - field: event.type - allow_duplicates: false - value: denied - if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" - - set: - field: event.outcome - value: success - - -# event.action for traffic logs. 
- - set: - field: event.action - value: flow_started - if: 'ctx?.panw?.panos?.sub_type == "start"' - - append: - field: event.type - allow_duplicates: false - value: - - start - - connection - if: 'ctx?.panw?.panos?.sub_type == "start"' - - set: - field: event.action - value: flow_terminated - if: 'ctx?.panw?.panos?.sub_type == "end"' - - append: - field: event.type - allow_duplicates: false - value: - - end - - connection - if: 'ctx?.panw?.panos?.sub_type == "end"' - - set: - field: event.action - value: flow_dropped - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "drop"' - - set: - field: event.action - value: flow_denied - if: 'ctx?.panw?.panos?.sub_type == "deny"' - - append: - field: event.type - allow_duplicates: false - value: - - denied - - connection - if: 'ctx?.panw?.panos?.sub_type == "deny"' - -# event.action for threat logs. - - set: - field: event.action - value: data_match - if: 'ctx?.panw?.panos?.sub_type == "data"' - - set: - field: event.action - value: file_match - if: 'ctx?.panw?.panos?.sub_type == "file"' - - set: - field: event.action - value: flood_detected - if: 'ctx?.panw?.panos?.sub_type == "flood"' - - set: - field: event.action - value: packet_attack - if: 'ctx?.panw?.panos?.sub_type == "packet"' - - set: - field: event.action - value: scan_detected - if: 'ctx?.panw?.panos?.sub_type == "scan"' - - set: - field: event.action - value: spyware_detected - if: 'ctx?.panw?.panos?.sub_type == "spyware"' - - set: - field: event.action - value: url_filtering - if: 'ctx?.panw?.panos?.sub_type == "url"' - - set: - field: event.action - value: virus_detected - if: 'ctx?.panw?.panos?.sub_type == "virus"' - - set: - field: event.action - value: exploit_detected - if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' - - set: - field: event.action - value: wildfire_verdict - if: 'ctx?.panw?.panos?.sub_type == "wildfire"' - - set: 
- field: event.action - value: wildfire_virus_detected - if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' - - -# Set numeric log.level from event.severity. - - set: - field: "event.severity" - if: 'ctx.log.level == "critical"' - value: 1 - - set: - field: "event.severity" - if: 'ctx.log.level == "high"' - value: 2 - - set: - field: "event.severity" - if: 'ctx.log.level == "medium"' - value: 3 - - set: - field: "event.severity" - if: 'ctx.log.level == "low"' - value: 4 - - set: - field: "event.severity" - if: 'ctx.log.level == "informational"' - value: 5 - -# Normalize event.outcome. -# These values appear in the TRAFFIC docs but look like a mistake. - - set: - field: panw.panos.action - value: 'drop-icmp' - if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' - - set: - field: panw.panos.action - value: 'reset-both' - if: 'ctx?.panw?.panos?.action == "reset both"' - - set: - field: panw.panos.action - value: 'reset-client' - if: 'ctx?.panw?.panos?.action == "reset client"' - - set: - field: panw.panos.action - value: 'reset-server' - if: 'ctx?.panw?.panos?.action == "reset server"' - -# Build related.ip array from src/dest/NAT IPs. - - append: - if: 'ctx?.source?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.ip}}' - - append: - if: 'ctx?.destination?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.ip}}' - - append: - if: 'ctx?.source?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{source.nat.ip}}' - - append: - if: 'ctx?.destination?.nat?.ip != null' - field: related.ip - allow_duplicates: false - value: - - '{{destination.nat.ip}}' - -# Geolocation for source. - - geoip: - if: 'ctx?.source?.ip != null' - field: source.ip - target_field: source.geo - -# Geolocation for destination. 
- - geoip: - if: 'ctx?.destination?.ip != null' - field: destination.ip - target_field: destination.geo - -# IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -# Set source|destination.geo.name from panw's srcloc|dstloc - - rename: - if: 'ctx.source?.geo?.name == null' - field: _temp_.srcloc - target_field: source.geo.name - ignore_missing: true - - rename: - if: 'ctx.destination?.geo?.name == null' - field: _temp_.dstloc - target_field: destination.geo.name - ignore_missing: true - -# Append NAT community_id to network.community_id - - append: - if: 'ctx?.panw?.panos?.network?.nat?.community_id != null' - field: network.community_id - allow_duplicates: false - value: + } + +## TRAFFIC + - pipeline: + if: ctx?.panw?.panos?.type == "TRAFFIC" + name: '{< IngestPipeline "traffic" >}' + +# ## THREAT + - pipeline: + if: ctx?.panw?.panos?.type == "THREAT" + name: '{< IngestPipeline "threat" >}' + +# ## GLOBAL PROTECT + - pipeline: + if: ctx?.panw?.panos?.type == "GLOBALPROTECT" + name: '{< IngestPipeline "globalprotect" >}' + + - append: + field: event.type + allow_duplicates: false + value: allowed + if: "ctx?.panw?.panos?.action != null && ['alert', 'allow', 'continue'].contains(ctx.panw.panos.action)" + - append: + field: event.type + 
allow_duplicates: false + value: denied + if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" + - set: + field: event.outcome + value: failure + if: "ctx?.event?.type != null && ctx?.event?.type.contains('denied')" + - set: + field: event.outcome + value: success + if: ctx?.event?.outcome == null + + # event.action for traffic logs. + - set: + field: event.action + value: flow_started + if: 'ctx?.panw?.panos?.sub_type == "start"' + - append: + field: event.type + allow_duplicates: false + value: + - start + - connection + if: 'ctx?.panw?.panos?.sub_type == "start"' + - set: + field: event.action + value: flow_terminated + if: 'ctx?.panw?.panos?.sub_type == "end"' + - append: + field: event.type + allow_duplicates: false + value: + - end + - connection + if: 'ctx?.panw?.panos?.sub_type == "end"' + - set: + field: event.action + value: flow_dropped + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "drop"' + - set: + field: event.action + value: flow_denied + if: 'ctx?.panw?.panos?.sub_type == "deny"' + - append: + field: event.type + allow_duplicates: false + value: + - denied + - connection + if: 'ctx?.panw?.panos?.sub_type == "deny"' + + # event.action for threat logs. 
+ - set: + field: event.action + value: data_match + if: 'ctx?.panw?.panos?.sub_type == "data"' + - set: + field: event.action + value: file_match + if: 'ctx?.panw?.panos?.sub_type == "file"' + - set: + field: event.action + value: flood_detected + if: 'ctx?.panw?.panos?.sub_type == "flood"' + - set: + field: event.action + value: packet_attack + if: 'ctx?.panw?.panos?.sub_type == "packet"' + - set: + field: event.action + value: scan_detected + if: 'ctx?.panw?.panos?.sub_type == "scan"' + - set: + field: event.action + value: spyware_detected + if: 'ctx?.panw?.panos?.sub_type == "spyware"' + - set: + field: event.action + value: url_filtering + if: 'ctx?.panw?.panos?.sub_type == "url"' + - set: + field: event.action + value: virus_detected + if: 'ctx?.panw?.panos?.sub_type == "virus"' + - set: + field: event.action + value: exploit_detected + if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' + - set: + field: event.action + value: wildfire_verdict + if: 'ctx?.panw?.panos?.sub_type == "wildfire"' + - set: + field: event.action + value: wildfire_virus_detected + if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' + + + # Set numeric log.level from event.severity. + - set: + field: "event.severity" + if: 'ctx?.log?.level == "critical"' + value: 1 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "high"' + value: 2 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "medium"' + value: 3 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "low"' + value: 4 + - set: + field: "event.severity" + if: 'ctx?.log?.level == "informational"' + value: 5 + + # Normalize event.outcome. + # These values appear in the TRAFFIC docs but look like a mistake. 
+ - lowercase: + field: panw.panos.action + ignore_missing: true + - gsub: + field: panw.panos.action + pattern: \s + replacement: "-" + ignore_missing: true + + # - set: + # field: panw.panos.action + # value: 'drop-icmp' + # if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' + # - set: + # field: panw.panos.action + # value: 'reset-both' + # if: 'ctx?.panw?.panos?.action == "reset both"' + # - set: + # field: panw.panos.action + # value: 'reset-client' + # if: 'ctx?.panw?.panos?.action == "reset client"' + # - set: + # field: panw.panos.action + # value: 'reset-server' + # if: 'ctx?.panw?.panos?.action == "reset server"' + + # Build related.ip array from src/dest/NAT IPs. + - append: + if: 'ctx?.source?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.ip}}' + - append: + if: 'ctx?.destination?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.ip}}' + - append: + if: 'ctx?.source?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{source.nat.ip}}' + - append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + allow_duplicates: false + value: + - '{{destination.nat.ip}}' + + # Geolocation for source. + - geoip: + if: 'ctx?.source?.ip != null' + field: source.ip + target_field: source.geo + + # Geolocation for destination. 
+ - geoip: + if: 'ctx?.destination?.ip != null' + field: destination.ip + target_field: destination.geo + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + # Set source|destination.geo.name from panw's srcloc|dstloc + - rename: + if: 'ctx.source?.geo?.name == null' + field: _temp_.srcloc + target_field: source.geo.name + ignore_missing: true + - rename: + if: 'ctx.destination?.geo?.name == null' + field: _temp_.dstloc + target_field: destination.geo.name + ignore_missing: true + + # Append NAT community_id to network.community_id + - append: + if: 'ctx?.panw?.panos?.network?.nat?.community_id != null' + field: network.community_id + allow_duplicates: false + value: - '{{panw.panos.network.nat.community_id}}' - - grok: - if: 'ctx?.panw?.panos?.threat?.name != null' - field: panw.panos.threat.name - ignore_failure: true - patterns: - - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)' - - - set: - field: panw.panos.threat.name - value: 'URL-filtering' - if: 'ctx?.panw?.panos?.threat?.id == "9999"' - - - set: - field: rule.name - value: "{{panw.panos.ruleset}}" - ignore_empty_value: true - -# Set url and file values - - rename: - if: 'ctx?.panw?.panos?.sub_type != "url"' - field: url.original - 
target_field: file.name - ignore_missing: true - - - grok: - field: url.original - patterns: - - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' - ignore_missing: true - pattern_definitions: - USERNAME: '[^\:]*' - PASSWORD: '[^@]*' - DOMAIN: '[^\/\?#\:]*' - PATH: '[^\?#]*' - QUERY: '[^#]*' - ANY: '.*' - if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' - - - grok: - field: url.path - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' - ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.url?.path != null && ctx?.url?.path != ""' - - - grok: - field: file.name - patterns: - - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' - ignore_missing: true - pattern_definitions: - FILENAME: '[^\.]+' - ANY: '.*' - if: 'ctx?.file?.name != null && ctx?.file?.name != ""' - - - append: - field: related.user - allow_duplicates: false - value: "{{client.user.name}}" - if: "ctx?.client?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{server.user.name}}" - if: "ctx?.server?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" - - - append: - field: related.user - allow_duplicates: false - value: "{{url.username}}" - if: "ctx?.url?.username != null && ctx?.url?.username != ''" - allow_duplicates: false - - - append: - field: related.hash - allow_duplicates: false - value: "{{panw.panos.file.hash}}" - if: "ctx?.panw?.panos?.file?.hash != null" - - - append: - field: related.hosts - allow_duplicates: false - value: "{{observer.hostname}}" - if: 
"ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" - allow_duplicates: false - - - append: - field: related.hosts - allow_duplicates: false - value: "{{url.domain}}" - if: "ctx?.url?.domain != null && ctx.url?.domain != ''" - allow_duplicates: false - -# Remove temporary fields. - - remove: - field: - - _temp_ - ignore_missing: true - -# Remove NAT fields when translation was not done. - - remove: - field: - - source.nat.ip - - source.nat.port - - client.nat.ip - - client.nat.port - if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' - - remove: - field: - - destination.nat.ip - - destination.nat.port - - server.nat.ip - - server.nat.port - if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' + - set: + field: rule.name + value: "{{panw.panos.ruleset}}" + ignore_empty_value: true + + # Set url and file values + - rename: + if: 'ctx?.panw?.panos?.sub_type != "url"' + field: url.original + target_field: file.name + ignore_missing: true + + - grok: + field: url.original + patterns: + - '(%{ANY:url.scheme}\:\/\/)?(%{USERNAME:url.username}(\:%{PASSWORD:url.password})?\@)?%{DOMAIN:url.domain}(\:%{POSINT:url.port})?(%{PATH:url.path})?(\?%{QUERY:url.query})?(\#%{ANY:url.fragment})?' + ignore_missing: true + pattern_definitions: + USERNAME: '[^\:]*' + PASSWORD: '[^@]*' + DOMAIN: '[^\/\?#\:]*' + PATH: '[^\?#]*' + QUERY: '[^#]*' + ANY: '.*' + if: 'ctx?.url?.original != null && ctx?.url?.original != "-/" && ctx?.url?.original != ""' + + - grok: + field: url.path + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:url.extension}))?' + ignore_missing: true + pattern_definitions: + FILENAME: '[^\.]+' + ANY: '.*' + if: 'ctx?.url?.path != null && ctx?.url?.path != ""' + + - grok: + field: file.name + patterns: + - '%{FILENAME}((?:\.%{ANY})*(\.%{ANY:file.extension}))?' 
+ ignore_missing: true + pattern_definitions: + FILENAME: '[^\.]+' + ANY: '.*' + if: 'ctx?.file?.name != null && ctx?.file?.name != ""' + + - append: + field: related.user + allow_duplicates: false + value: "{{client.user.name}}" + if: "ctx?.client?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{source.user.name}}" + if: "ctx?.source?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{server.user.name}}" + if: "ctx?.server?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{destination.user.name}}" + if: "ctx?.destination?.user?.name != null" + + - append: + field: related.user + allow_duplicates: false + value: "{{url.username}}" + if: "ctx?.url?.username != null && ctx?.url?.username != ''" + allow_duplicates: false + + - append: + field: related.hash + allow_duplicates: false + value: "{{panw.panos.file.hash}}" + if: "ctx?.panw?.panos?.file?.hash != null" + + - append: + field: related.hosts + allow_duplicates: false + value: "{{observer.hostname}}" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" + allow_duplicates: false + + - append: + field: related.hosts + allow_duplicates: false + value: "{{url.domain}}" + if: "ctx?.url?.domain != null && ctx.url?.domain != ''" + allow_duplicates: false + + # Remove temporary fields. + - remove: + field: + - _temp_ + ignore_missing: true + + # Remove NAT fields when translation was not done. + - remove: + field: + - source.nat.ip + - source.nat.port + - client.nat.ip + - client.nat.port + if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0' + - remove: + field: + - destination.nat.ip + - destination.nat.port + - server.nat.ip + - server.nat.port + if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0' on_failure: - set: 
diff --git a/x-pack/filebeat/module/panw/panos/ingest/threat.yml b/x-pack/filebeat/module/panw/panos/ingest/threat.yml new file mode 100644 index 00000000000..31ff25bbaa0 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/ingest/threat.yml @@ -0,0 +1,49 @@ +--- +description: Pipeline for PanOS Threat Logs +processors: + # Set network.direction from threat direction (Threat logs). + - set: + field: network.direction + value: inbound + if: '(ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' + - set: + field: network.direction + value: outbound + if: '(ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' + - set: + field: network.direction + value: unknown + if: 'ctx?.network?.direction == null' + + # Set event.category depending on log type. + - set: + field: event.kind + value: alert + - append: + field: event.category + allow_duplicates: false + value: + - security_threat + - intrusion_detection + - network + + - grok: + if: 'ctx?.panw?.panos?.threat?.name != null' + field: panw.panos.threat.name + ignore_failure: true + patterns: + - '%{GREEDYDATA:panw.panos.threat.name}\(\s*%{GREEDYDATA:panw.panos.threat.id}\s*\)' + + - set: + field: panw.panos.threat.name + value: 'URL-filtering' + if: 'ctx?.panw?.panos?.threat?.id == "9999"' + +on_failure: + - append: + field: error.message + value: >- + error in Threat pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/x-pack/filebeat/module/panw/panos/ingest/traffic.yml b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml new file mode 100644 index 00000000000..0bfda89f66a --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/ingest/traffic.yml 
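Review bot: The first two set processors map the PAN-OS threat `direction` value `client-to-server` to `network.direction: inbound` and `server-to-client` to `outbound`, but ECS defines inbound/outbound relative to the monitored perimeter, not relative to which side of the session the threat originated on; a client-to-server exploit sent from an internal host to an external server is outbound traffic yet is tagged inbound here. If this is a deliberate approximation it deserves a comment on those processors such as `# PAN-OS 'direction' is threat direction (client/server), not perimeter direction; mapped to inbound/outbound as a best effort.` Separately, `security_threat` in the event.category append is, as far as I know, not an ECS-allowed category value; if it is kept for compatibility with existing dashboards, a one-line comment saying so would explain why it sits beside the standard `intrusion_detection`.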
@@ -0,0 +1,87 @@ +--- +description: Pipeline for PanOS Traffic Logs +processors: + # Set network.direction using src/dst zone (traffic logs). + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx?.observer?.egress?.zone) && + !ctx._temp_.internal_zones.contains(ctx?.observer?.egress?.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx?.observer?.ingress?.zone) && + !ctx._temp_.internal_zones.contains(ctx?.observer?.ingress?.zone) + ) + ) + + # Set network.type for TRAFFIC. 
+ - set: + field: network.type + value: 'ipv4' + if: 'ctx?.labels?.ipv6_session == null' + - set: + field: network.type + value: 'ipv6' + if: 'ctx?.labels?.ipv6_session != null' + + # Set event.category depending on log type. + - set: + field: event.kind + value: event + - append: + field: event.category + allow_duplicates: false + value: + - network_traffic + - network +on_failure: + - append: + field: error.message + value: >- + error in Traffic pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml index 958a4ba7247..3bbf088dd91 100644 --- a/x-pack/filebeat/module/panw/panos/manifest.yml +++ b/x-pack/filebeat/module/panw/panos/manifest.yml @@ -21,7 +21,11 @@ var: default: - untrust -ingest_pipeline: ingest/pipeline.yml +ingest_pipeline: + - ingest/pipeline.yml + - ingest/traffic.yml + - ingest/threat.yml + - ingest/globalprotect.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log new file mode 100644 index 00000000000..08ae3bde65d --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log 
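Review bot: The inbound, outbound, internal and external set processors for network.direction are not mutually exclusive, so a zone that appears in both `external_zones` and `internal_zones` (a shared DMZ zone, for instance) satisfies more than one condition and the last processor evaluated silently wins. Guarding each later condition with `ctx?.network?.direction == null &&` would keep the first match, or a comment at the top of the processors list could state that the two zone lists must be disjoint. The `contains` calls also assume both variables are lists; if a single string reaches `_temp_.external_zones` the same call becomes a substring test, which is worth either a comment here or a normalization step in input.yml, which is outside this hunk.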
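Review bot: Listing `ingest/traffic.yml`, `ingest/threat.yml` and `ingest/globalprotect.yml` after `ingest/pipeline.yml` registers them, but only the first entry is the fileset's entry pipeline; the others run only if pipeline.yml dispatches to them with a `pipeline` processor keyed on the PAN-OS log type. That dispatch is not in this chunk, so please confirm it exists for all three, and consider a comment above the list noting that the first entry is the entry point and the rest are sub-pipelines invoked from it.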
@@ -0,0 +1,2 @@ +1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect Portal,69200719497738,0x0 +1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0 diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json new file mode 100644 index 00000000000..78d762a2a36 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json 
@@ -0,0 +1,113 @@ +[ + { + "@timestamp": "2021-03-24T11:30:00.000-02:00", + "client.address": "10.52.36.15", + "client.ip": "10.52.36.15", + "client.nat.ip": "11.134.5.168", + "event.code": "portal-prelogin", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "09300bcc-23-4900-8de9-32695452fa", + "host.ip": "10.52.36.15", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect Portal,69200719497738,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect Portal", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_os": "Windows", + "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 69200719497738, + "panw.panos.source.nat.ip": "11.134.5.168", + "panw.panos.stage": "before-login", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect Portal" + ], + "related.ip": [ + "10.52.36.15", + "11.134.5.168" + ], + "service.type": "panw", + "source.address": "10.52.36.15", + "source.geo.name": "BE", + "source.ip": "10.52.36.15", + "source.nat.ip": "11.134.5.168", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-24T11:29:49.000-02:00", + "client.address": "10.20.13.217", + "client.ip": "10.20.13.217", + "client.nat.ip": "83.14.113.11", + 
"event.code": "gateway-config-release", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "e0957c11-93-437a-9e23-9f0c24059898", + "host.ip": "10.20.13.217", + "host.name": "CP935", + "input.type": "log", + "log.offset": 304, + "log.original": "1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_os": "Windows", + "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", + "panw.panos.client_ver": "5.2.4", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 6919501582016786, + "panw.panos.serial_number": "5J9VN53", + "panw.panos.source.nat.ip": "83.14.113.11", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "10.20.13.217", + "83.14.113.11" + ], + "related.user": [ + "user" + ], + "service.type": "panw", + "source.address": "10.20.13.217", + "source.geo.name": "BE", + "source.ip": "10.20.13.217", + "source.nat.ip": "83.14.113.11", + "source.user.domain": "domain", + "source.user.name": "user", + "tags": [ + "pan-os", + "forwarded" + ] + } +] \ No newline at end of file 
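Review bot: Both expected documents carry `"panw.panos.error_code": "0"` and `"panw.panos.repeatcnt": "1"` as strings, while the fields.yml in this same patch declares both fields as `integer`; the GlobalProtect pipeline (not in this chunk) should run a `convert` processor with `type: integer` on those two fields so the fixture and the mapping agree. Both documents also lack `event.kind`, `event.category` and `event.type`, unlike the threat and traffic documents in this module; since `portal-prelogin` and `gateway-config-release` are VPN session events, any detection or dashboard keyed on `event.category` (for example `authentication` for login-stage events) will never see them. Setting `event.kind: event` plus a suitable `event.category`/`event.type` in globalprotect.yml, alongside the `event.outcome` it already maps, would make these records consistent with the rest of the module.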
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 5388af2b903..c5f32daf182 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -1333,7 +1333,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1630,7 +1630,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3258,7 +3258,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3355,7 +3355,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3452,7 +3452,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3551,7 +3551,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3648,7 +3648,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3744,7 +3744,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3843,7 +3843,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3939,7 +3939,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4036,7 +4036,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4132,7 +4132,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4322,7 +4322,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4417,7 +4417,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4512,7 +4512,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -4608,7 +4608,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4706,7 +4706,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4804,7 +4804,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4903,7 +4903,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5002,7 +5002,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5101,7 +5101,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5190,7 +5190,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5294,7 +5294,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -5383,7 +5383,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5477,7 +5477,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5580,7 +5580,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5669,7 +5669,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5760,7 +5760,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5861,7 +5861,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5957,7 +5957,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6053,7 +6053,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -6142,7 +6142,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -6246,7 +6246,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6892,7 +6892,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6982,7 +6982,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -7076,7 +7076,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7166,7 +7166,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7256,7 +7256,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7346,7 +7346,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -7527,7 +7527,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7889,7 +7889,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7983,7 +7983,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -8073,7 +8073,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -8257,7 +8257,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -8531,7 +8531,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -8712,7 +8712,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -8802,7 +8802,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -8983,7 +8983,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -9073,7 +9073,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -9163,7 +9163,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -9253,7 +9253,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -9434,7 +9434,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index ef9975180c1..4ffdc338032 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -27,7 +27,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -132,7 +132,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -237,7 +237,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -342,7 +342,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -447,7 +447,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -552,7 +552,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -657,7 +657,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -762,7 +762,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -867,7 +867,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -972,7 +972,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1077,7 +1077,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1182,7 +1182,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1287,7 +1287,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1392,7 +1392,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1497,7 +1497,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1602,7 +1602,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1707,7 +1707,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1812,7 +1812,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1917,7 +1917,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2022,7 +2022,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2127,7 +2127,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2232,7 +2232,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2337,7 +2337,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2442,7 +2442,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2547,7 +2547,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2652,7 +2652,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -2757,7 +2757,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2862,7 +2862,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2967,7 +2967,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3072,7 +3072,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3177,7 +3177,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3282,7 +3282,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3387,7 +3387,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3492,7 +3492,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3597,7 +3597,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3702,7 +3702,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3810,7 +3810,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3918,7 +3918,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4026,7 +4026,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4134,7 +4134,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4242,7 +4242,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4350,7 +4350,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -4458,7 +4458,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4566,7 +4566,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4674,7 +4674,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4782,7 +4782,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4890,7 +4890,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4998,7 +4998,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5106,7 +5106,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5214,7 +5214,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -5319,7 +5319,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5424,7 +5424,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5529,7 +5529,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5634,7 +5634,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5739,7 +5739,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5844,7 +5844,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5949,7 +5949,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6054,7 +6054,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -6159,7 +6159,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6264,7 +6264,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6372,7 +6372,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6480,7 +6480,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6588,7 +6588,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6696,7 +6696,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6804,7 +6804,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6912,7 +6912,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -7020,7 +7020,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7128,7 +7128,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7236,7 +7236,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7344,7 +7344,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7452,7 +7452,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7560,7 +7560,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7668,7 +7668,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7776,7 +7776,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -7884,7 +7884,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7992,7 +7992,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "success", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ From 01a6c7ed1e6ec8ec0a642c4ff8436dcd6af090f0 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Mon, 5 Apr 2021 00:37:23 +0000 Subject: [PATCH 2/9] Add User ID (more changes needed) --- CHANGELOG.next.asciidoc | 1 + .../module/panw/panos/_meta/fields.yml | 10 +++++++ .../module/panw/panos/config/input.yml | 2 +- .../module/panw/panos/ingest/pipeline.yml | 26 +++++------------ .../module/panw/panos/ingest/userid.yml | 29 +++++++++++++++++++ .../filebeat/module/panw/panos/manifest.yml | 1 + .../module/panw/panos/test/userid.log | 6 ++++ 7 files changed, 55 insertions(+), 20 deletions(-) create mode 100644 x-pack/filebeat/module/panw/panos/ingest/userid.yml create mode 100644 x-pack/filebeat/module/panw/panos/test/userid.log diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2e5fe77ae71..c29848e2d49 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -851,6 +851,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128] - Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482] - Mark `filestream` input beta. {pull}25560[25560] +- Update PanOS module to parse Global Protect & User ID logs. {issue}24722[24722] {issue}24724[24724] {pull}24927[24927] *Heartbeat* diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index 60a339b63be..faf460a383d 100644 
--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml @@ -214,3 +214,13 @@ example: LDAP description: > A string showing the authentication type + + - name: datasource + type: keyword + description: > + Source from which mapping information is collected. + + - name: datasourcetype + type: keyword + description: > + Mechanism used to identify the IP/User mappings within a data source. diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index b5ef682cbb4..a302a624e55 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -231,7 +231,7 @@ processors: source.address: 8 _temp_.srcuser: 9 panw.panos.datasourcename: 10 - panw.panos.eventid: 11 + event.code: 11 panw.panos.repeatcnt: 12 panw.panos.timeout: 13 source.port: 14 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 685fff2a669..52dd703132e 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -155,16 +155,21 @@ processors: if: ctx?.panw?.panos?.type == "TRAFFIC" name: '{< IngestPipeline "traffic" >}' -# ## THREAT +## THREAT - pipeline: if: ctx?.panw?.panos?.type == "THREAT" name: '{< IngestPipeline "threat" >}' -# ## GLOBAL PROTECT +## GLOBAL PROTECT - pipeline: if: ctx?.panw?.panos?.type == "GLOBALPROTECT" name: '{< IngestPipeline "globalprotect" >}' +## USER ID + - pipeline: + if: ctx?.panw?.panos?.type == "USERID" + name: '{< IngestPipeline "userid" >}' + - append: field: event.type allow_duplicates: false 
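Review bot: USERID events leave this pipeline without `event.kind`, `event.category` or `event.type`: the userid fixture generated later in this series carries only `event.code`, `event.outcome` and `event.timezone` under `event.*`, whereas the threat fixtures carry `event.kind: alert`. Login/logout mapping records without those fields are invisible to any detection rule or dashboard that filters on `event.category` or `event.kind`, and User-ID records are the IP-to-user binding analysts pivot on, so this is worth fixing before the dataset ships. The `append` to `event.type` that begins at the end of this hunk has its value and condition outside it, so I cannot tell whether it was meant to cover the new branch. Consider setting `event.kind: event` for this type in the userid sub-pipeline and, if these are to be treated as sign-on events, `event.category: [authentication]` with `event.type: [start]`/`[end]` keyed on the `login`/`logout` sub_type — confirm the intended ECS categorisation for User-ID mapping events before committing to `authentication`.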
@@ -310,23 +315,6 @@ processors: replacement: "-" ignore_missing: true - # - set: - # field: panw.panos.action - # value: 'drop-icmp' - # if: 'ctx?.panw?.panos?.action == "drop icmp" || ctx?.panw?.panos?.action == "drop ICMP"' - # - set: - # field: panw.panos.action - # value: 'reset-both' - # if: 'ctx?.panw?.panos?.action == "reset both"' - # - set: - # field: panw.panos.action - # value: 'reset-client' - # if: 'ctx?.panw?.panos?.action == "reset client"' - # - set: - # field: panw.panos.action - # value: 'reset-server' - # if: 'ctx?.panw?.panos?.action == "reset server"' - # Build related.ip array from src/dest/NAT IPs. - append: if: 'ctx?.source?.ip != null' diff --git a/x-pack/filebeat/module/panw/panos/ingest/userid.yml b/x-pack/filebeat/module/panw/panos/ingest/userid.yml new file mode 100644 index 00000000000..41ca3846cfb --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/ingest/userid.yml @@ -0,0 +1,29 @@ +--- +description: Pipeline for PanOS Global ProtectUser ID Logs +processors: + - grok: + field: _temp_.srcuser + ignore_missing: true + ignore_failure: true + patterns: + - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}' + - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}' + - '%{USERNAME:source.user.name}' + if: ctx?._temp_?.srcuser != null + - set: + field: network.type + value: 'ipv4' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(".")' + - set: + field: network.type + value: 'ipv6' + if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")' + +on_failure: + - append: + field: error.message + value: >- + error in User ID pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml index 3bbf088dd91..f159064e374 100644 
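Review bot: The grok patterns on `_temp_.srcuser` are unanchored and ordered from most to least specific, so a user value containing a character outside `USERNAME` (`[a-zA-Z0-9._-]`) — a name with a space, or a machine account ending in `$` — is silently truncated rather than rejected: `DOMAIN\john smith` yields `source.user.name: john`, and `ignore_failure: true` hides the cases that fail outright. Because these events are the firewall's IP-to-user mapping, a truncated or missing `source.user.name` attributes traffic to the wrong identity downstream. Anchor each pattern (`'^%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}$'`, and likewise for the `user@domain` and bare forms) and append `'^%{GREEDYDATA:source.user.name}$'` as the last pattern so an unrecognised shape keeps the full value instead of a prefix. The `description` also reads `Pipeline for PanOS Global ProtectUser ID Logs`; it should be `Pipeline for PanOS User ID Logs`.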
--- a/x-pack/filebeat/module/panw/panos/manifest.yml +++ b/x-pack/filebeat/module/panw/panos/manifest.yml @@ -26,6 +26,7 @@ ingest_pipeline: - ingest/traffic.yml - ingest/threat.yml - ingest/globalprotect.yml + - ingest/userid.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log b/x-pack/filebeat/module/panw/panos/test/userid.log new file mode 100644 index 00000000000..c86223c9c45 --- /dev/null +++ b/x-pack/filebeat/module/panw/panos/test/userid.log @@ -0,0 +1,6 @@ +1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith +1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith +1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0 +1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0 +1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0 +1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0 From f71ccc8b0cb935f7f59dc588f90e461f027e5f38 Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Wed, 7 Apr 2021 15:17:26 +0000 Subject: [PATCH 3/9] update userid ingest --- x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 48 +++ .../module/panw/panos/config/input.yml | 1 + .../panw/panos/test/userid.log-expected.json | 304 ++++++++++++++++++ 4 files changed, 354 insertions(+), 1 deletion(-) create mode 100644 x-pack/filebeat/module/panw/panos/test/userid.log-expected.json diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index eae833bfa26..30f6934b62d 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "eJzMmcFu4zYTx+/7FAPswd8HxLn1kkMBt8EWAdKssdm0R2NMjiU2FKklR/ZqT32Nvl6fpCBl2YpNW4rjBPFhN5Eizo8z858Z0WN4pPoKSjSrDwCsWNPmN0leOFWysuYKfv4AAPC7lZUmWFgHU9QWJpot3BGvrHv08L/p5G78+f7/HwAWirT0V/GhMRgstsuGD9clXUHmbFWurySMhc+nuA4snC2Ac4prQBEpLtd/1DUFO/as315OWT1m+ol966L5xKabPYO2mb/sPruH1SFzlSZP/NTUGu+R6pV1cufeMUYAuMOCwC4iY1gcOEeGAlnkJIFz5cGT98qayySQt5UTlOTZc1c/zdppbIG+MxkZsdiWY01L0mtjYOd/keDLnadTbuuS/rBml7PPdwOIw+e+wQoG1vE+5LUujzJMboF7zjsv1MbKM8gM7iYYHA3qQKKp9Ty+m3xtw4hSOvL+AtSivRTuKg8luYV1Bcl9xsNx7ng2Bdhu4MDNAfz7O7iZpgA3VcS6lB9bEG1Ndj6UYGwLk5SqJM/KYFj3jfTasfjuRHvdYXtfyu2SvUf5dqPa1XD3+suE3CvlHjEP1NCBPaVVPUDXvcp+GdcAiZORjtAfEPhJA8LXMBjENQHb3AMmVwSsbmCTQKYZdt6o3qytnVhrSoHlTKVEewZRT1E8EoPAkitHcHMdBY3AuSM8FFZ4oaqHKEzYoqiM4jq99SHbH+iC8Pm1tRY9oO1qnKPPN1NySPmfxlyV2yH9QGItlH6rqTOYOjGlwuZOy5dflEFXw8Y7baY0NJ4MB945ARrU9Q9Kx2Vex738qbT8pFx4zi2VoFR9Swc56fvK6TdyfeX0iZ4XyJRZV7+Omj/FfI3xePhyG9ofj3xkf/hyu7GdbiPh2TYgF/GZJTmpBEMorDk1EUYjQfnkAqQ4JwejArUSylZ+dAGjzGG9QkejC7AORnMyKjOjPhFpu9qX/QuaxU0YVwxqMFVBTglQkgyrhSIXs5hQ5PsDTPrFkr5VZATNTFXMySUZE422B/DWZkCGXd0li6+8yoMywlFBhkmuzbNCrRNxfDDqW0XbLWmbRaSePa2LvaMjb80n+T1knXVN5gRTQ5rLDtQ50yBx2LGTCFHmz6ALv7wq38ZrKbIuEIqDL1BDWMZ7MJO4IDA+ktkQHD1zCdaeaeS+JBG83xSpsEB76KNtltZfNZ+92JCv5geNJa0uleMK9czXu7XvBeH+o1kUfO2ZClDGM5qO/J488HE7TC9Dysqdu8dIPh5n+Rj/nYBnp0wGPrer8H9wjOkcw0W7B2SxpcutfwW4MO1XTXG7uW4K42/azlFPnWUSDOi9ykzs2GtJNyNGwOllLlDkytCemM8E3nVi5cn9+/c/vrXZU2aEVmR4Zv1seaDXnPzy1CwNksLkFZE+34eWP6AHbqjeG9ErOSmy7ORbWQ5E84zZc3oEfcei1HQFc1pYR2NtM7Vb13vIk1KOHG0aCmsMPe0YR7rKQmN2xlhPYK64mZRBGakEcoBUm1oMK4zfUKzQSZJB01M01mGBfecMztkzZkDCj8iNkebHHD1YISrnKGwF0NRHy+QTzpmwMp0YyjBle6ncB2va50IxtEJhmBdXivMGK5j0DXaL3EPpqCRkYdJf65wEGcthHJxDJq6nCd9QxiQNpXJzir09xnt6Dra9jmWpY/5YcxHfTXw1j4090SJCsCSFH9d+Uc17jUYfsnEZphthjfSX53elJ6dQH3tnOLlENUt3vJpqM2EKb+pqDyhWnM8K4tw+Z+7e1Kzb68n0DLUqUIQm3kS2GSz/CwAA///rDZqq" + return 
"eJzMms1uIzcSgO/zFAXMwTZgOZlscpkFFtCu4cDA2BHimezRKJElNddsskOyrXSwhzzEXvb18iRBkd1Su0WpZVszGB0S64esr4r1x+qZwAM176FCs3oDEFTQtH4nyQunqqCseQ//eAMAcGNlrQkW1sEMtYWpDhZuKayse/BwOpveTn66O3sDsFCkpX8fF03AYLnZll+hqeg9LJ2tq/aTjDB+XcV9YOFsCaGguAeUkeKi/VFfFAzkWb/5OCd1n+gn8q2L4jNKJ51B26W/6K/dwuqRuVqTp/BUVIv3QM3KOjn4bh8jANxiSWAXkZE3h1BggBKDKEhCKJQHT94ray6yQN7WTlCWZ8tc4zSt0YIF+i2QkREr2Gqi6ZF0Kwzs/D8kwsVgdc5sfdLfrRlyjtnuAGJ+3SUsFtCe9y6r9XmUCeQWuGW840KtpTyDzODQwWDvoR5INLM+TG6nH7tjRCkdeX8OatF9xN8qDxW5hXUlyW3G3efcs2wOsFNgx5cH8G9rcD3LAa6ziHU5O3Yg2prl8VBY2AYmG6qSfFAGed8vFK89iV9d0F722L6uyO2TfY3h2z/Vfgz3P39dII+G8kgwHxhDO3TKR/UBcT0a2a/jOiDEyUhH6HcE+IsahI/cGMQ9ATvfg0CuZKz+wWaBTGp2vlC+aaW9MNdUAqt7lQvaIwT1DMUDBRBYhdoRXF/GgEYIhSPcdazwyqg+JMKELcvaqNDkVT9E/QNNwK9/ddKiBbRdTQr0xbpLZpf/YRLqatOk73CshdJfqutkUS90KVbuZf7yT2XQNbC2TucpicaTCcw7J0CDuvmd8ucyb6Iu/1ZaXinH69yjEpTLb/lDztq+dvoLmb52+oWWFxhoaV3zeaL5KvprPI9PP3/g8hdOfGT/9POHtex8GeG13YGcxzWP5KQSATixFpROGI0E5bMbkAoFOTgpUSuhbO1PzuFk6bBZoaOTc7AOTuZk1NKcjAWRtqvtsH9FsbjmdsWgBlOX5JQAJckEtVDkohcTimK7gclfLOnXmoyge1OXc3JZxkyhHQH8YJdAJrimTxavvMqDMsJRSSaQbMUHhVpnzvGTUb/WtFFJ22VEGtGpTfaO9tyaX2R39jrrkuewqEOKywDqmG6QGXYMHCGG+TPo+M1n5VtbLUfWB0Kx8wJ1CMtkC2YaN4SAD2TWBHtnLiztmULuKhJs/ZSkeINu6KPtMh9/9fz+1YJ8Pd8pLCv1UblQo773zTD3veK4f0mbgm98oBKU8QFNL/yeLHi7aaYf2WXl4Nt9JG/3s7yN/52CD06ZJfjCrvj/bBjTG8NFuTvCYkNXWP8Z4Ljbr1Nyu75MifFHbeeoZ84GEgHQe7U0sWK3IZ1aDMYZZS5RFMrQVjAfCbxvxNqT+/OP//tO5kiaEVqRCffW3z/uqDUvvjylrUESd14R6ac7LvkH1MA11ddG9JmMFFkG/lZVB6L5gMvn1Aj6DctK03uY08I6mmi7VMO8PkKeDeXI0bmhsMbQ04qxp6osNC6PeNZTmKuQOmVQRiqBgSHVOhfDCuMTihU6SZJjeobGOixxbM7gnD2iB2TsiCEJSX8W6MEKUTtHrAqgafamySec98LKvGMoE2i55cpjsKZbx8nQCoXcL65UKBIWi/QJu0MeoXRUEQZh8o91XgQZ02FsnNkT227CJ8ropJwq11PszRjv6Rxs8zlWlY7+Y815vJv4eh4Le6ZE8GFJ4j9bu6h0r9Ho2RsfubsR1kh/cXxTenIK9b47w4tTVNq6Z9VcmeEuPOXVEVCsQ3FfUijsc/rudc76cDmdHSFXMQUX8XSyTxvLLLbEgMe+vLRPquKT2lWhRAElVlXMVGZhXdlOwj0Iq3X0qrEHHWvITAP7CtAbEgUa5Us+drnVAl3PvvnkyXX0vvN9jEBttB2MftwbD4NNri+7kI8h5clI35LD6cy6cDaJCtwkBcaGByiCdcYec3oQa1R7d6h9rKKVUyW6Zuiqp+/OONZQSsXvUbc
8Hk6/O4e/nR0Ef1z3+IWMtG7tGz1gAoyZAlYFGbipdVBwFQmGaikPlSM/XtmSAsJyOuCVQR3TXT6qknIJgvuFVuZoFNbLV7Uz/92CulS+0th4tmKcgHUJOA0ek1OnjqY2EmQd013vB21gXsBdXVXWca15RF2TB3S0PUqMsfBjXHnFO/75x/82HrrFIGytJcwpSmk9IMndHh9d1qmaUpSR3Veuf8K7e1iRo1axmFI2al1sDHP7zZS7O2P7WqvWIGOZZ3lfqGPWzOl6hMdh3M1/WkdKVbSt7W1vmjwuVc/EHiurtp3zrdNp7yfA0OhE0VzEKr1QjlaoNZxa100T2ov/GSzJkEtNcNcBKyN0LduUk4Vk+jjkQyPIc8wqAyr4vRi+QG5Vn/zkNM20vz3jIzE2dLLjiaZHu8HVItQuM6C/3jTtG5+Fd5zrvj+H7384h2/PQQUoCU1r1n6T32pOEuYN4H4rxcVz0pZrWLBPlWBJcTYd/NogiYU5+Jt3342N9FRJtj7iv2H6mDYEXISYY7mF6Bfkm64gM6bQhON95KNv/FEn49NurDIYhOLA/BCfs2YGlN2RHQJ+3N5hOFoZAA8799748u9gjW7YYZVkxTodPJDBuSYZTVByPaz0cGN/8eavAAAA//+DlbBn" } diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index faf460a383d..6f073b97284 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml 
@@ -224,3 +224,51 @@ type: keyword description: > Mechanism used to identify the IP/User mappings within a data source. + + - name: datasourcename + type: keyword + description: > + User-ID source that sends the IP (Port)-User Mapping. + + - name: factorno + type: keyword + description: > + Indicates the use of primary authentication (1) or additional factors (2, 3). + + - name: factortype + type: keyword + description: > + Vendor used to authenticate a user when Multi Factor authentication is present. + + - name: factorcompletiontime + type: keyword + description: > + Time the authentication was completed. + + - name: ugflags + type: keyword + description: | + Displays whether the user group that was found during user group mapping. Supported values are: + User Group Found—Indicates whether the user could be mapped to a group. + Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. + + - name: dg_hier + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: timeout + type: keyword + description: > + Timeout after which the IP/User Mappings are cleared. + + - name: vsys_id + type: keyword + description: > + A unique identifier for a virtual system on a Palo Alto Networks firewall. + + - name: vsys_name + type: keyword + description: > + The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. 
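Review bot: `dg_hier` is declared as a single `keyword` although its own description says the log carries a sequence of device-group identifiers, one per hierarchy level; the sample lines in `userid.log` earlier in this series have four consecutive values (`0,0,0,0`) after the action flags, and the generated fixture stores only `panw.panos.dg_hier: "0"`, so three of the four levels appear to be dropped (the CSV mapping that produces this is outside this hunk). Either map the four columns into separate fields, for example `panw.panos.dg_hier_level_1` through `_4`, or state in the description that only the first level is retained so nobody builds a device-group filter on data that is not there.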
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index a302a624e55..ce2a88cb251 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -225,6 +225,7 @@ processors:
 overwrite_keys: true
 fail_on_error: false
 mappings:
+ event.action: 4
 panw.panos.virtual_sys: 7
 client.ip: 8
 source.ip: 8
diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
new file mode 100644
index 00000000000..63efead211f
--- /dev/null
+++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
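Review bot: The trailing User-ID columns mapped further down this `mappings` block (outside the hunk) are misaligned, and the fixture generated in this same patch proves it: it has `client.user.name: "2021/03/24 11:00:49"`, `panw.panos.factorcompletiontime: "FW01"`, `observer.hostname: "0"` and `panw.panos.vsys_name: "0"`, with the timestamp also landing in `related.user` and `"0"` in `related.hosts`. Against the first sample line, the device name `FW01` is read three columns early and the user-by-source `john.smith` is never reached, so every index from `panw.panos.vsys_name` onward appears to need shifting by three — consistent with the four device-group hierarchy columns having been counted as one — and the fixture must be regenerated rather than committed as-is, since it currently asserts wrong values in exactly the identity fields (`client.user.name`, `related.user`, `observer.hostname`) that detections key on. The fixture also shows no `event.action` even though this hunk maps column 4 to it, which suggests it was produced before this change or that the field is dropped downstream; worth checking when it is regenerated.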
@@ -0,0 +1,304 @@ +[ + { + "@timestamp": "2021-03-24T11:00:49.000-02:00", + "client.ip": "10.50.35.36", + "client.port": 0, + "client.user.name": "2021/03/24 11:00:49", + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 0, + "log.original": "1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "0", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.dg_hier": "0", + "panw.panos.factorcompletiontime": "FW01", + "panw.panos.factorno": "1", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 1252774, + "panw.panos.sub_type": "login", + "panw.panos.timeout": "10800", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "0", + "panw.panos.vsys_name": "0", + "related.hosts": [ + "0" + ], + "related.ip": [ + "10.50.35.36" + ], + "related.user": [ + "2021/03/24 11:00:49", + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.50.35.36", + "source.ip": "10.50.35.36", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-24T10:59:45.000-02:00", + "client.ip": "10.55.18.7", + "client.port": 0, + "client.user.name": "2021/03/24 10:59:45", + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + 
"fileset.name": "panos", + "input.type": "log", + "log.offset": 240, + "log.original": "1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith", + "network.type": "ipv4", + "observer.hostname": "0", + "observer.product": "PAN-OS", + "observer.serial_number": "013101001305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "", + "panw.panos.datasourcetype": "", + "panw.panos.dg_hier": "0", + "panw.panos.factorcompletiontime": "FW01", + "panw.panos.factorno": "1", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 1252765, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": "0", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "0", + "panw.panos.vsys_name": "0", + "related.hosts": [ + "0" + ], + "related.ip": [ + "10.55.18.7" + ], + "related.user": [ + "2021/03/24 10:59:45", + "john.smith" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.55.18.7", + "source.ip": "10.55.18.7", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "john.smith", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 476, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,1,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": 
"firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 1, + "panw.panos.sub_type": "login", + "panw.panos.timeout": "2700", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 642, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 2, + "panw.panos.sub_type": "login", + "panw.panos.timeout": "2700", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + 
"source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 808, + "log.original": "1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 3, + "panw.panos.sub_type": "login", + "panw.panos.timeout": "2700", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2013-03-28T12:53:05.000-02:00", + "client.ip": "172.17.128.92", + "client.port": 0, + "destination.port": 0, + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 974, + "log.original": "1,2013/03/28 
12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0", + "network.type": "ipv4", + "observer.product": "PAN-OS", + "observer.serial_number": "001701000225", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "active-directory", + "panw.panos.datasourcename": "test", + "panw.panos.datasourcetype": "unknown", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 4, + "panw.panos.sub_type": "login", + "panw.panos.timeout": "2700", + "panw.panos.type": "USERID", + "panw.panos.virtual_sys": "vsys1", + "related.ip": [ + "172.17.128.92" + ], + "related.user": [ + "administrator" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "172.17.128.92", + "source.ip": "172.17.128.92", + "source.port": 0, + "source.user.domain": "plano2008r2", + "source.user.name": "administrator", + "tags": [ + "pan-os", + "forwarded" + ] + } +] \ No newline at end of file From d4267485f98e27443a8ff93e23e919ae9337975e Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Wed, 7 Apr 2021 15:46:58 +0000 Subject: [PATCH 4/9] update fields --- filebeat/docs/fields.asciidoc | 246 ++++++++++++++++++ x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 22 +- .../module/panw/panos/config/input.yml | 23 +- .../module/panw/panos/ingest/userid.yml | 15 ++ .../panw/panos/test/userid.log-expected.json | 42 +-- 6 files changed, 321 insertions(+), 29 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 55f4983ccb9..fb108f71084 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -113721,6 +113721,252 @@ Specifies the sub type of the log Virtual system instance +type: keyword + +-- + +*`panw.panos.client_os_ver`*:: ++ +-- +The client device’s OS version. + + +type: keyword + +-- + +*`panw.panos.client_os`*:: ++ +-- +The client device’s OS version. + + +type: keyword + +-- + +*`panw.panos.client_ver`*:: ++ +-- +The client’s GlobalProtect app version. + + +type: keyword + +-- + +*`panw.panos.stage`*:: ++ +-- +A string showing the stage of the connection + + +type: keyword + +example: before-login + +-- + +*`panw.panos.actionflags`*:: ++ +-- +A bit field indicating if the log was forwarded to Panorama. + + +type: keyword + +-- + +*`panw.panos.error`*:: ++ +-- +A string showing that error that has occurred in any event. + + +type: keyword + +-- + +*`panw.panos.error_code`*:: ++ +-- +An integer associated with any errors that occurred. + + +type: integer + +-- + +*`panw.panos.repeatcnt`*:: ++ +-- +The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred. + + +type: integer + +-- + +*`panw.panos.serial_number`*:: ++ +-- +The serial number of the user’s machine or device. + + +type: keyword + +-- + +*`panw.panos.auth_method`*:: ++ +-- +A string showing the authentication type + + +type: keyword + +example: LDAP + +-- + +*`panw.panos.datasource`*:: ++ +-- +Source from which mapping information is collected. + + +type: keyword + +-- + +*`panw.panos.datasourcetype`*:: ++ +-- +Mechanism used to identify the IP/User mappings within a data source. + + +type: keyword + +-- + +*`panw.panos.datasourcename`*:: ++ +-- +User-ID source that sends the IP (Port)-User Mapping. + + +type: keyword + +-- + +*`panw.panos.factorno`*:: ++ +-- +Indicates the use of primary authentication (1) or additional factors (2, 3). 
+ + +type: keyword + +-- + +*`panw.panos.factortype`*:: ++ +-- +Vendor used to authenticate a user when Multi Factor authentication is present. + + +type: keyword + +-- + +*`panw.panos.factorcompletiontime`*:: ++ +-- +Time the authentication was completed. + + +type: date + +-- + +*`panw.panos.ugflags`*:: ++ +-- +Displays whether the user group that was found during user group mapping. Supported values are: +User Group Found—Indicates whether the user could be mapped to a group. +Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. + + +type: keyword + +-- + +*`panw.panos.dg_hier_level_1`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.dg_hier_level_2`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.dg_hier_level_3`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. 
The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.dg_hier_level_4`*:: ++ +-- +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + +type: keyword + +-- + +*`panw.panos.timeout`*:: ++ +-- +Timeout after which the IP/User Mappings are cleared. + + +type: keyword + +-- + +*`panw.panos.vsys_id`*:: ++ +-- +A unique identifier for a virtual system on a Palo Alto Networks firewall. + + +type: keyword + +-- + +*`panw.panos.vsys_name`*:: ++ +-- +The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. + + type: keyword -- diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 30f6934b62d..0d6303826bf 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "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" + return "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" } 
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
index 6f073b97284..31dd22d8fe6 100644
--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml
+++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml
@@ -241,7 +241,7 @@
 Vendor used to authenticate a user when Multi Factor authentication is present.
 - name: factorcompletiontime
- type: keyword
+ type: date
 description: >
 Time the authentication was completed.
@@ -252,7 +252,25 @@ User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. - - name: dg_hier + - name: dg_hier_level_1 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: dg_hier_level_2 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + - name: dg_hier_level_3 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. 
+
+ - name: dg_hier_level_4
 type: keyword
 description: >
 A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index ce2a88cb251..1b7b48aeb13 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -243,16 +243,19 @@ processors:
 panw.panos.datasourcetype: 17
 panw.panos.sequence_number: 18
 panw.panos.actionflags: 19
- panw.panos.dg_hier: 20
- panw.panos.vsys_name: 21
- observer.hostname: 22
- panw.panos.vsys_id: 23
- panw.panos.factortype: 24
- panw.panos.factorcompletiontime: 25
- panw.panos.factorno: 26
- panw.panos.ugflags: 27
- source.user.name: 28
- client.user.name: 28
+ panw.panos.dg_hier_level_1: 20
+ panw.panos.dg_hier_level_2: 21
+ panw.panos.dg_hier_level_3: 22
+ panw.panos.dg_hier_level_4: 23
+ panw.panos.vsys_name: 24
+ observer.hostname: 25
+ panw.panos.vsys_id: 26
+ panw.panos.factortype: 27
+ panw.panos.factorcompletiontime: 28
+ panw.panos.factorno: 29
+ panw.panos.ugflags: 30
+ source.user.name: 31
+ client.user.name: 31
 - drop_fields:
 fields:
diff --git a/x-pack/filebeat/module/panw/panos/ingest/userid.yml b/x-pack/filebeat/module/panw/panos/ingest/userid.yml
index 41ca3846cfb..ce41df745f8 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/userid.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/userid.yml
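Review bot: The four new `dg_hier_level_N` fields reuse, verbatim, the description of the old single `dg_hier` field ("A sequence of identification numbers …"), but after this split each field holds exactly one level of that hierarchy, so the text no longer describes the value a reader will find in it. A per-level description would be more accurate, e.g. `Identifier of the device group at level N of the device group hierarchy; 0 when that level is unused (the documented example 12, 34, 45, 0 maps to levels 1 through 4).` The hunk starts on the previous line, and the `dg_hier_level_4` entry's own description continues as context below it.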
@@ -18,6 +18,21 @@ processors:
 field: network.type
 value: 'ipv6'
 if: 'ctx?.network?.type == null && ctx?.source?.ip.contains(":")'
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone == null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ - date:
+ if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.event.timezone != null"
+ field: "panw.panos.factorcompletiontime"
+ target_field: "panw.panos.factorcompletiontime"
+ formats:
+ - "yyyy/MM/dd HH:mm:ss"
+ timezone: "{{ event.timezone }}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
 on_failure:
 - append:
diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
index 63efead211f..73ec57d6820 100644
--- a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json
@@ -3,8 +3,9 @@
 "@timestamp": "2021-03-24T11:00:49.000-02:00",
 "client.ip": "10.50.35.36",
 "client.port": 0,
- "client.user.name": "2021/03/24 11:00:49",
+ "client.user.name": "john.smith",
 "destination.port": 0,
+ "event.action": "login",
 "event.code": "0",
 "event.dataset": "panw.panos",
 "event.module": "panw",
@@ -15,7 +16,7 @@
 "log.offset": 0,
 "log.original": "1,2021/03/24 11:00:49,013101001305,USERID,login,2305,2021/03/24 11:00:49,vsys1,10.50.35.36,domain\\john.smith,,0,1,10800,0,0,,,1252774,0x0,0,0,0,0,,FW01,1,,2021/03/24 11:00:49,1,0x80000000,john.smith",
 "network.type": "ipv4",
- "observer.hostname": "0",
+ "observer.hostname": "FW01",
 "observer.product": "PAN-OS",
 "observer.serial_number": "013101001305",
 "observer.type": "firewall",
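Review bot: The `if` guards on both new `date` processors only test `!= null`, yet the CSV decoder keeps blank columns as empty strings (the expected fixture on this page has `"panw.panos.datasource": ""`), so a USERID event whose factor-completion-time column is blank reaches the date parser, fails, and gets an `error.message` appended on every such event. Guard on emptiness too, e.g. `if: "ctx?.panw?.panos?.factorcompletiontime != null && ctx.panw.panos.factorcompletiontime != '' && ctx.event.timezone == null"` (and the mirror condition on the timezone variant), or strip empty values before this step. Both conditions also dereference `ctx.event.timezone` without the null-safe operator the condition directly above uses; `event` is presumably always present by this point, but `ctx?.event?.timezone` would be consistent and would skip rather than throw if it ever is not. The `processors` list continues outside the hunk.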
@@ -23,25 +24,27 @@ "panw.panos.actionflags": "0x0", "panw.panos.datasource": "", "panw.panos.datasourcetype": "", - "panw.panos.dg_hier": "0", - "panw.panos.factorcompletiontime": "FW01", + "panw.panos.dg_hier_level_1": "0", + "panw.panos.dg_hier_level_2": "0", + "panw.panos.dg_hier_level_3": "0", + "panw.panos.dg_hier_level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T11:00:49.000-02:00", "panw.panos.factorno": "1", "panw.panos.repeatcnt": "1", "panw.panos.sequence_number": 1252774, "panw.panos.sub_type": "login", "panw.panos.timeout": "10800", "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", "panw.panos.virtual_sys": "vsys1", - "panw.panos.vsys_id": "0", - "panw.panos.vsys_name": "0", + "panw.panos.vsys_id": "1", "related.hosts": [ - "0" + "FW01" ], "related.ip": [ "10.50.35.36" ], "related.user": [ - "2021/03/24 11:00:49", "john.smith" ], "server.port": 0, @@ -60,8 +63,9 @@ "@timestamp": "2021-03-24T10:59:45.000-02:00", "client.ip": "10.55.18.7", "client.port": 0, - "client.user.name": "2021/03/24 10:59:45", + "client.user.name": "john.smith", "destination.port": 0, + "event.action": "logout", "event.code": "0", "event.dataset": "panw.panos", "event.module": "panw", @@ -72,7 +76,7 @@ "log.offset": 240, "log.original": "1,2021/03/24 10:59:45,013101001305,USERID,logout,2305,2021/03/24 10:59:45,vsys1,10.55.18.7,domain\\john.smith,,0,1,0,0,0,,,1252765,0x0,0,0,0,0,,FW01,1,,2021/03/24 10:59:45,1,0x80000000,john.smith", "network.type": "ipv4", - "observer.hostname": "0", + "observer.hostname": "FW01", "observer.product": "PAN-OS", "observer.serial_number": "013101001305", "observer.type": "firewall", 
@@ -80,25 +84,27 @@ "panw.panos.actionflags": "0x0", "panw.panos.datasource": "", "panw.panos.datasourcetype": "", - "panw.panos.dg_hier": "0", - "panw.panos.factorcompletiontime": "FW01", + "panw.panos.dg_hier_level_1": "0", + "panw.panos.dg_hier_level_2": "0", + "panw.panos.dg_hier_level_3": "0", + "panw.panos.dg_hier_level_4": "0", + "panw.panos.factorcompletiontime": "2021-03-24T10:59:45.000-02:00", "panw.panos.factorno": "1", "panw.panos.repeatcnt": "1", "panw.panos.sequence_number": 1252765, "panw.panos.sub_type": "logout", "panw.panos.timeout": "0", "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", "panw.panos.virtual_sys": "vsys1", - "panw.panos.vsys_id": "0", - "panw.panos.vsys_name": "0", + "panw.panos.vsys_id": "1", "related.hosts": [ - "0" + "FW01" ], "related.ip": [ "10.55.18.7" ], "related.user": [ - "2021/03/24 10:59:45", "john.smith" ], "server.port": 0, @@ -118,6 +124,7 @@ "client.ip": "172.17.128.92", "client.port": 0, "destination.port": 0, + "event.action": "login", "event.code": "0", "event.dataset": "panw.panos", "event.module": "panw", @@ -165,6 +172,7 @@ "client.ip": "172.17.128.92", "client.port": 0, "destination.port": 0, + "event.action": "login", "event.code": "0", "event.dataset": "panw.panos", "event.module": "panw", @@ -212,6 +220,7 @@ "client.ip": "172.17.128.92", "client.port": 0, "destination.port": 0, + "event.action": "login", "event.code": "0", "event.dataset": "panw.panos", "event.module": "panw", @@ -259,6 +268,7 @@ "client.ip": "172.17.128.92", "client.port": 0, "destination.port": 0, + "event.action": "login", "event.code": "0", "event.dataset": "panw.panos", "event.module": "panw", From 5db554a7a305bd71946e905d0ab13ea1e7be7d1e Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Wed, 7 Apr 2021 16:54:58 +0000 Subject: [PATCH 5/9] update fields --- filebeat/docs/fields.asciidoc | 20 ++ x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 10 + .../panw/panos/ingest/globalprotect.yml | 1 - .../module/panw/panos/test/global_protect.log | 3 + .../test/global_protect.log-expected.json | 190 ++++++++++++++++++ 6 files changed, 224 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index fb108f71084..b89757fe62e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -113967,6 +113967,26 @@ type: keyword The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. +type: keyword + +-- + +*`panw.panos.description`*:: ++ +-- +Additional information for any event that has occurred. + + +type: keyword + +-- + +*`panw.panos.tunnel_type`*:: ++ +-- +The type of tunnel (either SSLVPN or IPSec). + + type: keyword -- diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 0d6303826bf..106a46013e9 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index 31dd22d8fe6..52447deea03 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml 
@@ -290,3 +290,13 @@
 type: keyword
 description: >
 The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
+
+ - name: description
+ type: keyword
+ description: >
+ Additional information for any event that has occurred.
+
+ - name: tunnel_type
+ type: keyword
+ description: >
+ The type of tunnel (either SSLVPN or IPSec).
diff --git a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
index 713be3ba954..66edbd302f2 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/globalprotect.yml
@@ -12,7 +12,6 @@ processors:
 - grok:
 field: _temp_.srcuser
 ignore_missing: true
- ignore_failure: true
 patterns:
 - '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
 - '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log b/x-pack/filebeat/module/panw/panos/test/global_protect.log
index 08ae3bde65d..16196e53b9c 100644
--- a/x-pack/filebeat/module/panw/panos/test/global_protect.log
+++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log
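Review bot: With `ignore_failure: true` removed from the `_temp_.srcuser` grok, a value that matches neither visible pattern now fails the processor and drops into the pipeline's `on_failure` handler instead of simply leaving `source.user.*` unset. The sample log added in this same patch carries a bare `pre-logon` in that column, which neither `%{HOSTNAME}\\%{USERNAME}` nor `%{USERNAME}@%{HOSTNAME}` accepts, so unless a further pattern exists below the hunk that line will now error and lose its enrichment. If the intent is to surface genuine parse failures, keep that and add a bare-username fallback as the last alternative, `- '%{USERNAME:source.user.name}'`. The `patterns:` list and the grok processor continue outside the hunk.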
@@ -1,2 +1,5 @@
 1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect Portal,69200719497738,0x0
 1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0
+1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,"",1,,,"HIP report is not needed",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0
+1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"Config name: , Client region: BE.",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0
+1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,"",1,,,"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
index 78d762a2a36..5f47a1ef5d5 100644
--- a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json 
@@ -109,5 +109,195 @@ "pan-os", "forwarded" ] + }, + { + "@timestamp": "2021-04-07T17:41:30.000-02:00", + "client.address": "12.30.0.210", + "client.ip": "12.30.0.210", + "client.nat.ip": "7.2.2.193", + "event.code": "gateway-hip-check", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "523e8b-7efa-4397-a4d5-824dfa4d8a", + "host.ip": "12.30.0.210", + "host.name": "HOST82878", + "input.type": "log", + "log.offset": 640, + "log.original": "1,2021/04/07 17:41:30,013101305,GLOBALPROTECT,0,2305,2021/04/07 17:41:30,vsys1,gateway-hip-check,host-info,,,domain\\user1,,HOST82878,7.2.2.193,0.0.0.0,12.30.0.210,0.0.0.0,523e8b-7efa-4397-a4d5-824dfa4d8a,F1SM2,5.2.4,,\"\",1,,,\"HIP report is not needed\",success,,0,,0,GlobalProtect_GW,6920071768563516860,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101305", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "HIP report is not needed", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 6920071768563516860, + "panw.panos.serial_number": "F1SM2", + "panw.panos.source.nat.ip": "7.2.2.193", + "panw.panos.stage": "host-info", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "12.30.0.210", + "7.2.2.193" + ], + "related.user": [ + "user1" + ], + "service.type": "panw", + "source.address": "12.30.0.210", + "source.as.number": 7018, + "source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Greenwood", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 39.5992, + "source.geo.location.lon": -86.13, + "source.geo.region_iso_code": "US-IN", + "source.geo.region_name": "Indiana", + "source.ip": "12.30.0.210", + "source.nat.ip": "7.2.2.193", + "source.user.domain": "domain", + "source.user.name": "user1", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2021-04-07T17:41:29.000-02:00", + "client.address": "1.40.2.67", + "client.ip": "1.40.2.67", + "client.nat.ip": "7.2.2.171", + "event.code": "gateway-getconfig", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "7d01b5-f538-4fa3-a2a2-83980d1325", + "host.ip": "1.40.2.67", + "host.name": "HOST73486", + "input.type": "log", + "log.offset": 946, + "log.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "013101308", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.client_os": "Windows", + "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", + "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Config name: , Client region: BE.", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 6944137135219737, + "panw.panos.serial_number": "5C261FNR", + "panw.panos.source.nat.ip": "7.2.2.171", + "panw.panos.stage": "configuration", + "panw.panos.sub_type": "0", + 
"panw.panos.tunnel_type": "IPSec", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "1.40.2.67", + "7.2.2.171" + ], + "related.user": [ + "pre-logon" + ], + "service.type": "panw", + "source.address": "1.40.2.67", + "source.as.number": 4804, + "source.as.organization.name": "Microplex PTY LTD", + "source.geo.city_name": "Seven Hills", + "source.geo.continent_name": "Oceania", + "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", + "source.geo.location.lat": -33.777, + "source.geo.location.lon": 150.9373, + "source.geo.name": "BE", + "source.geo.region_iso_code": "AU-NSW", + "source.geo.region_name": "New South Wales", + "source.ip": "1.40.2.67", + "source.nat.ip": "7.2.2.171", + "source.user.name": "pre-logon", + "tags": [ + "pan-os", + "forwarded" + ] + }, + { + "@timestamp": "2021-04-07T17:41:28.000-02:00", + "client.address": "0.0.0.0", + "client.ip": "0.0.0.0", + "client.nat.ip": "7.2.17.120", + "event.code": "gateway-tunnel-latency", + "event.dataset": "panw.panos", + "event.duration": 0, + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "host.id": "2ba9f01-b83b-4902-a1fb-1748c0365", + "host.ip": "0.0.0.0", + "host.name": "HOSTP92413", + "input.type": "log", + "log.offset": 1307, + "log.original": "1,2021/04/07 17:41:28,0131001309,GLOBALPROTECT,0,2305,2021/04/07 17:41:28,vsys1,gateway-tunnel-latency,tunnel,,,,userlterso,HOSTP92413,7.2.17.120,0.0.0.0,0.0.0.0,0.0.0.0,2ba9f01-b83b-4902-a1fb-1748c0365,GJG98Y2,5.2.4,,\"\",1,,,\"Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms\",success,,0,,0,GlobalProtect_GW,6920071768563516847,0x0", + "network.type": "ipv4", + "observer.hostname": "GlobalProtect_GW", + "observer.product": "PAN-OS", + "observer.serial_number": "0131001309", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", 
+ "panw.panos.client_ver": "5.2.4", + "panw.panos.description": "Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms", + "panw.panos.error_code": "0", + "panw.panos.repeatcnt": "1", + "panw.panos.sequence_number": 6920071768563516847, + "panw.panos.serial_number": "GJG98Y2", + "panw.panos.source.nat.ip": "7.2.17.120", + "panw.panos.stage": "tunnel", + "panw.panos.sub_type": "0", + "panw.panos.type": "GLOBALPROTECT", + "panw.panos.virtual_sys": "vsys1", + "related.hosts": [ + "GlobalProtect_GW" + ], + "related.ip": [ + "0.0.0.0", + "7.2.17.120" + ], + "service.type": "panw", + "source.address": "0.0.0.0", + "source.geo.name": "userlterso", + "source.ip": "0.0.0.0", + "source.nat.ip": "7.2.17.120", + "tags": [ + "pan-os", + "forwarded" + ] } ] \ No newline at end of file From e5eb00cc14f224d6b7117e1964e0e5f41e62190e Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Wed, 7 Apr 2021 21:30:11 +0000 Subject: [PATCH 6/9] copy source.user to user --- .../module/panw/panos/ingest/pipeline.yml | 5 + .../test/global_protect.log-expected.json | 11 +- .../test/pan_inc_other.log-expected.json | 3 +- .../test/pan_inc_threat.log-expected.json | 192 ++++++++---- .../test/pan_inc_traffic.log-expected.json | 291 ++++++++++++------ .../panw/panos/test/userid.log-expected.json | 24 +- 6 files changed, 355 insertions(+), 171 deletions(-) diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 52dd703132e..9736eb1c957 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -453,6 +453,11 @@ processors: ANY: '.*' if: 'ctx?.file?.name != null && ctx?.file?.name != ""' + - set: + field: user + copy_from: source.user + if: "ctx?.source?.user != null" + - append: field: related.user allow_duplicates: false 
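Review bot: `panw.panos.error_code` and `panw.panos.repeatcnt` are emitted as JSON strings (`"panw.panos.error_code": "0"`, `"panw.panos.repeatcnt": "1"`) in each of the three new documents, although both carry integer semantics and, if the module's field definitions declare them as integer (please confirm), documents and mapping will disagree. Indexing a string into a numeric field relies on coercion and makes range queries and aggregations over error codes fragile; the pipeline should convert both values to integers before they are set, so that this fixture reads `"panw.panos.error_code": 0` and `"panw.panos.repeatcnt": 1`. The same applies to the GlobalProtect documents added earlier in this file.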
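Review bot: The new `set` copies `source.user` into `user` for every event, so placeholder identities that GlobalProtect reports in the source-user column are promoted to ECS `user.name` too; the updated fixture in global_protect.log-expected.json shows `"user.name": "pre-logon"` for the pre-logon `gateway-getconfig` event. Detections, entity analytics and access reviews keyed on `user.name` will then treat `pre-logon` as a real account rather than a machine-stage marker. Either exclude such placeholders before the copy or document the choice above the processor, e.g. `# user.* mirrors source.user verbatim, including GlobalProtect stage placeholders such as pre-logon; destination-side user fields, if populated, are not reflected here`. The processors list continues outside the hunk.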
diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json index 5f47a1ef5d5..283535c18f6 100644 --- a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json @@ -108,7 +108,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "domain", + "user.name": "user" }, { "@timestamp": "2021-04-07T17:41:30.000-02:00", @@ -175,7 +177,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "domain", + "user.name": "user1" }, { "@timestamp": "2021-04-07T17:41:29.000-02:00", @@ -245,7 +249,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "pre-logon" }, { "@timestamp": "2021-04-07T17:41:28.000-02:00", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index bf6ff1e9006..55a3bf88192 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -824,6 +824,7 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index c5f32daf182..116e5c60805 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -97,7 +97,8 @@ "url.domain": "lorexx.cn", "url.extension": "exe", "url.original": "lorexx.cn/loader.exe", - "url.path": "/loader.exe" + "url.path": "/loader.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", 
@@ -198,7 +199,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=2", "url.path": "/evo/count.php", - "url.query": "o=2" + "url.query": "o=2", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -299,7 +301,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=5", "url.path": "/evo/count.php", - "url.query": "o=5" + "url.query": "o=5", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -400,7 +403,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/count.php?o=7", "url.path": "/evo/count.php", - "url.query": "o=7" + "url.query": "o=7", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -501,7 +505,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", "url.path": "/evo/exploits/x18.php", - "url.query": "o=2&t=1241403746&i=1365814122" + "url.query": "o=2&t=1241403746&i=1365814122", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -602,7 +607,8 @@ "url.extension": "php", "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", "url.path": "/evo/exploits/x19.php", - "url.query": "o=2&t=1241403746&i=1365814122" + "url.query": "o=2&t=1241403746&i=1365814122", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -702,7 +708,8 @@ "url.domain": "liteautobestguide.cn", "url.extension": "php", "url.original": "liteautobestguide.cn/load.php", - "url.path": "/load.php" + "url.path": "/load.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -802,7 +809,8 @@ "url.domain": "liteautobestguide.cn", "url.extension": "php", "url.original": "liteautobestguide.cn/index.php", - "url.path": "/index.php" + "url.path": "/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -902,7 +910,8 @@ "url.domain": "litetopdetect.cn", "url.extension": "php", "url.original": "litetopdetect.cn/index.php", - "url.path": "/index.php" + "url.path": "/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -1003,7 +1012,8 @@ "url.extension": "php", "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", "url.path": "/fff9999.php", - "url.query": "aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" + "url.query": "aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -1102,7 +1112,8 @@ ], "url.domain": "girlteenxxxfreemov.com", "url.original": "girlteenxxxfreemov.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -1202,7 +1213,8 @@ "url.domain": "imagesrepository.com", "url.extension": "php", "url.original": "imagesrepository.com/resolution.php", - "url.path": "/resolution.php" + "url.path": "/resolution.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -1303,7 +1315,8 @@ "url.extension": "php", "url.original": "hottestfiles.com/search/search.php?q=xxx", "url.path": "/search/search.php", - "url.query": "q=xxx" + "url.query": "q=xxx", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -1403,7 +1416,8 @@ "url.extension": "cgi", "url.original": "infodist1.com/in.cgi?11¶meter=404", "url.path": "/in.cgi", - "url.query": "11¶meter=404" + "url.query": "11¶meter=404", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -1503,7 +1517,8 @@ "url.domain": "cls-softwares.com", "url.extension": "php", "url.original": "cls-softwares.com/suc.php", - "url.path": "/suc.php" + "url.path": "/suc.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", 
@@ -1603,7 +1618,8 @@ "url.domain": "cls-softwares.com", "url.extension": "exe", "url.original": "cls-softwares.com/softwarefortubeview.40013.exe", - "url.path": "/softwarefortubeview.40013.exe" + "url.path": "/softwarefortubeview.40013.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -1700,7 +1716,8 @@ "url.extension": "php", "url.original": "findmorepill.com/klik/search.php?q=xxx", "url.path": "/klik/search.php", - "url.query": "q=xxx" + "url.query": "q=xxx", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -1799,7 +1816,8 @@ ], "url.domain": "allowedwebsurfing.com", "url.original": "allowedwebsurfing.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -1898,7 +1916,8 @@ ], "url.domain": "antivirus-remote.com", "url.original": "antivirus-remote.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -1998,7 +2017,8 @@ "url.domain": "bklinkov.ru", "url.extension": "cfg", "url.original": "bklinkov.ru/hi/start.cfg", - "url.path": "/hi/start.cfg" + "url.path": "/hi/start.cfg", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -2097,7 +2117,8 @@ ], "url.domain": "blogsexnakedgirlxxx.com", "url.original": "blogsexnakedgirlxxx.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -2197,7 +2218,8 @@ "url.domain": "bklinkov.ru", "url.extension": "exe", "url.original": "bklinkov.ru/hi/start.exe", - "url.path": "/hi/start.exe" + "url.path": "/hi/start.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -2291,7 +2313,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", 
@@ -2385,7 +2408,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -2479,7 +2503,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -2573,7 +2598,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -2667,7 +2693,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2761,7 +2788,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2855,7 +2883,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:45.000-02:00", @@ -2949,7 +2978,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3043,7 +3073,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3137,7 +3168,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -3231,7 +3263,8 @@ "pan-os", "forwarded" ], - "url.original": "-/" + "url.original": "-/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:43.000-02:00", @@ -3328,7 +3361,8 @@ "url.extension": "cgi", "url.original": "wantfinest.com/tds/in.cgi?default", "url.path": "/tds/in.cgi", - "url.query": "default" + "url.query": "default", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:38.000-02:00", 
@@ -3425,7 +3459,8 @@ "url.extension": "cgi", "url.original": "sameshitasiteverwas.com/traf/tds/in.cgi?2", "url.path": "/traf/tds/in.cgi", - "url.query": "2" + "url.query": "2", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:39.000-02:00", @@ -3521,7 +3556,8 @@ "url.domain": "svarkon.ru", "url.extension": "exe", "url.original": "svarkon.ru/update.exe", - "url.path": "/update.exe" + "url.path": "/update.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:36.000-02:00", @@ -3621,7 +3657,8 @@ "url.extension": "php", "url.original": "onlinescanxpp.com/land/eurl/1.php?code=", "url.path": "/land/eurl/1.php", - "url.query": "code=" + "url.query": "code=", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:34.000-02:00", @@ -3717,7 +3754,8 @@ "url.domain": "nolagtime.com", "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", "url.path": "/conn/", - "url.query": "JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" + "url.query": "JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:35.000-02:00", @@ -3813,7 +3851,8 @@ "url.domain": "nolagtime.com", "url.extension": "txt", "url.original": "nolagtime.com/gwc.txt", - "url.path": "/gwc.txt" + "url.path": "/gwc.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:19.000-02:00", 
@@ -3912,7 +3951,8 @@ "url.domain": "karavan.us", "url.extension": "php", "url.original": "karavan.us/bon/index.php", - "url.path": "/bon/index.php" + "url.path": "/bon/index.php", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:14.000-02:00", @@ -4009,7 +4049,8 @@ "url.extension": "php", "url.original": "findnolimits.com/go.php?sid=1", "url.path": "/go.php", - "url.query": "sid=1" + "url.query": "sid=1", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:12.000-02:00", @@ -4105,7 +4146,8 @@ "url.domain": "bizoplata.ru", "url.extension": "html", "url.original": "bizoplata.ru/moun.html", - "url.path": "/moun.html" + "url.path": "/moun.html", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:38:12.000-02:00", @@ -4201,7 +4243,8 @@ "url.domain": "bizoplata.ru", "url.extension": "html", "url.original": "bizoplata.ru/palast.html", - "url.path": "/palast.html" + "url.path": "/palast.html", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:28.000-02:00", @@ -4390,7 +4433,8 @@ ], "url.domain": "www.15min.it", "url.original": "www.15min.it/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:27.000-02:00", @@ -4485,7 +4529,8 @@ ], "url.domain": "tubemov.com", "url.original": "tubemov.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:25.000-02:00", @@ -4581,7 +4626,8 @@ "url.domain": "pagesinxt.com", "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", "url.path": "/", - "url.query": "dn=teenstube.us&flrdr=yes&nxte=js" + "url.query": "dn=teenstube.us&flrdr=yes&nxte=js", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:37:05.000-02:00", @@ -4676,7 +4722,8 @@ ], "url.domain": "movfree.com", "url.original": "movfree.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:51.000-02:00", 
@@ -4774,7 +4821,8 @@ ], "url.domain": "gometascan.com", "url.original": "gometascan.com/", - "url.path": "/" + "url.path": "/", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:39.000-02:00", @@ -4873,7 +4921,8 @@ "url.domain": "antivirus-powerful-scannerv2.com", "url.extension": "exe", "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", - "url.path": "/download/Install_11-1.exe" + "url.path": "/download/Install_11-1.exe", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:38.000-02:00", @@ -4972,7 +5021,8 @@ "url.domain": "antivirus-powerful-scannerv2.com", "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", "url.path": "/1/", - "url.query": "id=11-1&back==TQzyDTyMUQNMI=N" + "url.query": "id=11-1&back==TQzyDTyMUQNMI=N", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:27.000-02:00", @@ -5071,7 +5121,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:36:27.000-02:00", @@ -5170,7 +5221,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", @@ -5363,7 +5415,8 @@ "url.domain": "basdzsdas.com", "url.extension": "bin", "url.original": "basdzsdas.com/poker/config.bin", - "url.path": "/poker/config.bin" + "url.path": "/poker/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:51:29.000-02:00", @@ -5649,7 +5702,8 @@ "url.domain": "softsellfast.com", "url.extension": "bin", "url.original": "softsellfast.com/test/config.bin", - "url.path": "/test/config.bin" + "url.path": "/test/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:45:17.000-02:00", 
@@ -5930,7 +5984,8 @@ "url.domain": "boialex.narod.ru", "url.extension": "txt", "url.original": "boialex.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:42:42.000-02:00", @@ -6026,7 +6081,8 @@ "url.domain": "edw-melon.narod.ru", "url.extension": "txt", "url.original": "edw-melon.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:42:51.000-02:00", @@ -6122,7 +6178,8 @@ "url.domain": "maximtushin.narod.ru", "url.extension": "txt", "url.original": "maximtushin.narod.ru/config.txt", - "url.path": "/config.txt" + "url.path": "/config.txt", + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:19:59.000-02:00", @@ -6315,7 +6372,8 @@ "url.domain": "marketingsoluchion.biz", "url.extension": "bin", "url.original": "marketingsoluchion.biz/fkn/config.bin", - "url.path": "/fkn/config.bin" + "url.path": "/fkn/config.bin", + "user.name": "crusher" }, { "@timestamp": "2012-04-09T08:18:27.000-02:00", @@ -6409,7 +6467,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T08:18:29.000-02:00", @@ -6691,7 +6750,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T08:18:37.000-02:00", @@ -6872,7 +6932,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T08:58:18.000-02:00", @@ -7507,7 +7568,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T07:25:04.000-02:00", @@ -8692,7 +8754,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "picard" }, { "@timestamp": "2012-04-09T06:54:35.000-02:00", @@ -8963,7 +9026,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "jordy" }, { "@timestamp": "2012-04-09T03:45:45.000-02:00", 
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index c90c76236b3..1bed519a0b1 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -98,7 +98,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -196,7 +197,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -294,7 +296,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -395,7 +398,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -496,7 +500,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -594,7 +599,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -692,7 +698,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -793,7 +800,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -894,7 +902,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:58.000-02:00", @@ -995,7 +1004,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1096,7 +1106,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", 
@@ -1197,7 +1208,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1298,7 +1310,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1399,7 +1412,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1500,7 +1514,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:57.000-02:00", @@ -1601,7 +1616,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1702,7 +1718,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1803,7 +1820,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -1904,7 +1922,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2002,7 +2021,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2100,7 +2120,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2201,7 +2222,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2299,7 +2321,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2400,7 +2423,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:56.000-02:00", @@ -2501,7 +2525,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", 
@@ -2602,7 +2627,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2700,7 +2726,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2798,7 +2825,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -2899,7 +2927,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3000,7 +3029,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3098,7 +3128,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:55.000-02:00", @@ -3199,7 +3230,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3300,7 +3332,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3398,7 +3431,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3496,7 +3530,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3597,7 +3632,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3698,7 +3734,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3796,7 +3833,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -3894,7 +3932,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", 
@@ -4084,7 +4123,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4280,7 +4320,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4381,7 +4422,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:54.000-02:00", @@ -4574,7 +4616,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4672,7 +4715,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4773,7 +4817,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4871,7 +4916,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -4969,7 +5015,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5067,7 +5114,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5165,7 +5213,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5263,7 +5312,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5364,7 +5414,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5465,7 +5516,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:53.000-02:00", @@ -5563,7 +5615,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", 
@@ -5664,7 +5717,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5762,7 +5816,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5860,7 +5915,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -5961,7 +6017,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6062,7 +6119,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6160,7 +6218,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6258,7 +6317,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6356,7 +6416,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:52.000-02:00", @@ -6454,7 +6515,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6552,7 +6614,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6650,7 +6713,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6751,7 +6815,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:51.000-02:00", @@ -6849,7 +6914,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -6950,7 +7016,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", 
@@ -7048,7 +7115,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7146,7 +7214,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7247,7 +7316,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7345,7 +7415,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7443,7 +7514,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7541,7 +7613,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7642,7 +7715,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7733,7 +7807,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7834,7 +7909,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -7935,7 +8011,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -8026,7 +8103,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:50.000-02:00", @@ -8117,7 +8195,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8218,7 +8297,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8316,7 +8396,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", 
@@ -8414,7 +8495,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8515,7 +8597,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8613,7 +8696,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8704,7 +8788,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:49.000-02:00", @@ -8802,7 +8887,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -8903,7 +8989,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9001,7 +9088,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9099,7 +9187,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9197,7 +9286,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:48.000-02:00", @@ -9298,7 +9388,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9399,7 +9490,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9500,7 +9592,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9591,7 +9684,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", @@ -9692,7 +9786,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:47.000-02:00", 
@@ -9793,7 +9888,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" }, { "@timestamp": "2012-04-10T04:39:46.000-02:00", @@ -9894,6 +9990,7 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.name": "crusher" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json index 73ec57d6820..233963b1185 100644 --- a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json @@ -57,7 +57,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "domain", + "user.name": "john.smith" }, { "@timestamp": "2021-03-24T10:59:45.000-02:00", @@ -117,7 +119,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "domain", + "user.name": "john.smith" }, { "@timestamp": "2013-03-28T12:53:05.000-02:00", @@ -165,7 +169,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "plano2008r2", + "user.name": "administrator" }, { "@timestamp": "2013-03-28T12:53:05.000-02:00", @@ -213,7 +219,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "plano2008r2", + "user.name": "administrator" }, { "@timestamp": "2013-03-28T12:53:05.000-02:00", @@ -261,7 +269,9 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "plano2008r2", + "user.name": "administrator" }, { "@timestamp": "2013-03-28T12:53:05.000-02:00", @@ -309,6 +319,8 @@ "tags": [ "pan-os", "forwarded" - ] + ], + "user.domain": "plano2008r2", + "user.name": "administrator" } ] \ No newline at end of file From 24cb1e7c837a48792cb0c90ec113caf7f93e3dc9 Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Thu, 8 Apr 2021 12:33:23 +0000 Subject: [PATCH 7/9] additional logs --- filebeat/docs/fields.asciidoc | 19 +- x-pack/filebeat/module/panw/fields.go | 2 +- .../module/panw/panos/_meta/fields.yml | 44 +- .../module/panw/panos/config/input.yml | 12 +- .../module/panw/panos/ingest/pipeline.yml | 3 + .../test/global_protect.log-expected.json | 22 +- .../module/panw/panos/test/userid.log | 7 + .../panw/panos/test/userid.log-expected.json | 472 +++++++++++++++++- 8 files changed, 516 insertions(+), 65 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b89757fe62e..f4b00dda1e6 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -113865,7 +113865,7 @@ type: keyword Indicates the use of primary authentication (1) or additional factors (2, 3). -type: keyword +type: integer -- 
@@ -113901,7 +113901,14 @@ type: keyword -- -*`panw.panos.dg_hier_level_1`*:: +[float] +=== device_group_hierarchy + +A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + + + +*`panw.panos.device_group_hierarchy.level_1`*:: + -- A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. @@ -113911,7 +113918,7 @@ type: keyword -- -*`panw.panos.dg_hier_level_2`*:: +*`panw.panos.device_group_hierarchy.level_2`*:: + -- A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. 
@@ -113921,7 +113928,7 @@ type: keyword -- -*`panw.panos.dg_hier_level_3`*:: +*`panw.panos.device_group_hierarchy.level_3`*:: + -- A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. @@ -113931,7 +113938,7 @@ type: keyword -- -*`panw.panos.dg_hier_level_4`*:: +*`panw.panos.device_group_hierarchy.level_4`*:: + -- A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. @@ -113947,7 +113954,7 @@ type: keyword Timeout after which the IP/User Mappings are cleared. -type: keyword +type: integer -- diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 106a46013e9..d67ef330d59 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "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" + return "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" } 
diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index 52447deea03..c9319a94aa4 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml @@ -231,7 +231,7 @@ User-ID source that sends the IP (Port)-User Mapping. - name: factorno - type: keyword + type: integer description: > Indicates the use of primary authentication (1) or additional factors (2, 3). 
@@ -252,32 +252,38 @@ User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. - - name: dg_hier_level_1 - type: keyword + - name: device_group_hierarchy + type: group description: > A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + fields: + - name: level_1 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. - - name: dg_hier_level_2 - type: keyword - description: > - A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. - If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. 
+ - name: level_2 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. - - name: dg_hier_level_3 - type: keyword - description: > - A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. - If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + - name: level_3 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. - - name: dg_hier_level_4 - type: keyword - description: > - A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. 
The shared device group (level 0) is not included in this structure. - If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. + - name: level_4 + type: keyword + description: > + A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. + If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. - name: timeout - type: keyword + type: integer description: > Timeout after which the IP/User Mappings are cleared. diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 1b7b48aeb13..ee31557afb0 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -201,8 +201,8 @@ processors: host.id: 19 panw.panos.serial_number: 20 panw.panos.client_ver: 21 - panw.panos.client_os: 22 - panw.panos.client_os_ver: 23 + host.os.family: 22 + host.os.full: 23 panw.panos.repeatcnt: 24 event.reason: 25 panw.panos.error: 26 @@ -243,10 +243,10 @@ processors: panw.panos.datasourcetype: 17 panw.panos.sequence_number: 18 panw.panos.actionflags: 19 - panw.panos.dg_hier_level_1: 20 - panw.panos.dg_hier_level_2: 21 - panw.panos.dg_hier_level_3: 22 - panw.panos.dg_hier_level_4: 23 + panw.panos.device_group_hierarchy.level_1: 20 + panw.panos.device_group_hierarchy.level_2: 21 + panw.panos.device_group_hierarchy.level_3: 22 + panw.panos.device_group_hierarchy.level_4: 23 panw.panos.vsys_name: 24 observer.hostname: 25 panw.panos.vsys_id: 26 
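Review bot: The four `level_N` sub-fields added under `device_group_hierarchy` each repeat the group's full description verbatim, so the generated reference prints the same paragraph five times and never says what an individual level holds. Keep the long explanation on the group and give each sub-field a one-line description, e.g. `Device group identification number at level 1 of the hierarchy.` for `level_1`, and likewise for the other three. The `timeout` switch to `integer` in the same hunk lines up with the new `convert` processor added in pipeline.yml further down this patch.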
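Review bot: Column 22 is now mapped directly to `host.os.family`, and the global_protect fixture in this patch shows it arriving as `Windows`; ECS documents `os.family` with lowercase values such as `windows`, so consumers keying on the ECS convention may not match these events. If that matters, a `lowercase` processor on `host.os.family` in the pipeline, or `host.os.name` as the target for the raw string, would align it; which is right depends on what other PAN-OS client OS strings look like, which this diff does not show. The `host.os.full` mapping for column 23 reads fine as-is.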
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 9736eb1c957..eac85130a74 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -88,6 +88,9 @@ processors: - convert: { type: long, ignore_missing: true, field: destination.nat.port } - convert: { type: long, ignore_missing: true, field: client.nat.port } - convert: { type: long, ignore_missing: true, field: server.nat.port } + - convert: { type: integer, ignore_missing: true, field: panw.panos.factorno } + - convert: { type: integer, ignore_missing: true, field: panw.panos.repeatcnt } + - convert: { type: integer, ignore_missing: true, field: panw.panos.timeout } - community_id: ignore_missing: true diff --git a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json index 283535c18f6..9ba98f30ccb 100644 --- a/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/global_protect.log-expected.json @@ -13,6 +13,8 @@ "fileset.name": "panos", "host.id": "09300bcc-23-4900-8de9-32695452fa", "host.ip": "10.52.36.15", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", "input.type": "log", "log.offset": 0, "log.original": "1,2021/03/24 11:30:00,013101001305,GLOBALPROTECT,0,2305,2021/03/24 11:30:00,vsys1,portal-prelogin,before-login,,,,BE,,11.134.5.168,0.0.0.0,10.52.36.15,0.0.0.0,09300bcc-23-4900-8de9-32695452fa,,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect Portal,69200719497738,0x0", 
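Review bot: The three new `convert` processors set `ignore_missing: true` but not `ignore_failure`, so a record where one of these columns is present but empty would fail the whole document, unless a pipeline-level `on_failure` outside this hunk absorbs it; this fileset keeps empty columns as `""` (the userid fixture carries `"panw.panos.datasource": ""`), and the fixtures only exercise populated values. Adding `ignore_failure: true` to each line, e.g. `- convert: { type: integer, ignore_missing: true, ignore_failure: true, field: panw.panos.factorno }`, keeps the event and leaves the raw value in place. Separately, `panw.panos.error_code` stays the string `"0"` in the global_protect fixture while `repeatcnt` beside it is now numeric; if that field is mapped as a number it belongs in this list too. The rest of the processors list, including any `on_failure` handler, is outside the hunk.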
@@ -23,11 +25,9 @@ "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", "panw.panos.actionflags": "0x0", - "panw.panos.client_os": "Windows", - "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", "panw.panos.client_ver": "5.2.4", "panw.panos.error_code": "0", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 69200719497738, "panw.panos.source.nat.ip": "11.134.5.168", "panw.panos.stage": "before-login", @@ -66,6 +66,8 @@ "host.id": "e0957c11-93-437a-9e23-9f0c24059898", "host.ip": "10.20.13.217", "host.name": "CP935", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", "input.type": "log", "log.offset": 304, "log.original": "1,2021/03/24 11:29:49,013101001308,GLOBALPROTECT,0,2305,2021/03/24 11:29:49,vsys1,gateway-config-release,configuration,,,domain\\user,BE,CP935,83.14.113.11,0.0.0.0,10.20.13.217,0.0.0.0,e0957c11-93-437a-9e23-9f0c24059898,5J9VN53,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,,0,GlobalProtect_GW,6919501582016786,0x0", @@ -76,11 +78,9 @@ "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", "panw.panos.actionflags": "0x0", - "panw.panos.client_os": "Windows", - "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", "panw.panos.client_ver": "5.2.4", "panw.panos.error_code": "0", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 6919501582016786, "panw.panos.serial_number": "5J9VN53", "panw.panos.source.nat.ip": "83.14.113.11", @@ -140,7 +140,7 @@ "panw.panos.client_ver": "5.2.4", "panw.panos.description": "HIP report is not needed", "panw.panos.error_code": "0", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 6920071768563516860, "panw.panos.serial_number": "F1SM2", "panw.panos.source.nat.ip": "7.2.2.193", 
@@ -196,6 +196,8 @@ "host.id": "7d01b5-f538-4fa3-a2a2-83980d1325", "host.ip": "1.40.2.67", "host.name": "HOST73486", + "host.os.family": "Windows", + "host.os.full": "Microsoft Windows 10 Pro , 64-bit", "input.type": "log", "log.offset": 946, "log.original": "1,2021/04/07 17:41:29,013101308,GLOBALPROTECT,0,2305,2021/04/07 17:41:29,vsys1,gateway-getconfig,configuration,,IPSec,pre-logon,BE,HOST73486,7.2.2.171,0.0.0.0,1.40.2.67,0.0.0.0,7d01b5-f538-4fa3-a2a2-83980d1325,5C261FNR,5.2.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"Config name: , Client region: BE.\",success,,0,,0,GlobalProtect_GW,6944137135219737,0x0", @@ -206,12 +208,10 @@ "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", "panw.panos.actionflags": "0x0", - "panw.panos.client_os": "Windows", - "panw.panos.client_os_ver": "Microsoft Windows 10 Pro , 64-bit", "panw.panos.client_ver": "5.2.4", "panw.panos.description": "Config name: , Client region: BE.", "panw.panos.error_code": "0", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 6944137135219737, "panw.panos.serial_number": "5C261FNR", "panw.panos.source.nat.ip": "7.2.2.171", @@ -280,7 +280,7 @@ "panw.panos.client_ver": "5.2.4", "panw.panos.description": "Pre-tunnel latency: 67ms, Post-tunnel latency: 47ms", "panw.panos.error_code": "0", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 6920071768563516847, "panw.panos.serial_number": "GJG98Y2", "panw.panos.source.nat.ip": "7.2.17.120", diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log b/x-pack/filebeat/module/panw/panos/test/userid.log index c86223c9c45..aaba9e04584 100644 --- a/x-pack/filebeat/module/panw/panos/test/userid.log +++ b/x-pack/filebeat/module/panw/panos/test/userid.log 
@@ -4,3 +4,10 @@
 1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,2,0x0
 1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,3,0x0
 1,2013/03/28 12:53:05,001701000225,USERID,login,12,2013/03/28 12:53:05,vsys1,172.17.128.92,plano2008r2\administrator,test,0,1,2700,0,0,active-directory,unknown,4,0x0
+1,2021/04/05 14:52:16,,USERID,login,2305,2021/04/05 14:52:16,vsys1,10.68.2.9,domain\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277996,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:16,1,0x80000000,admin
+1,2021/04/05 14:52:33,,USERID,logout,2305,2021/04/05 14:52:33,vsys1,10.68.2.9,domain\admin,,0,1,0,0,0,vpn-client,globalprotect,1277997,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:34,1,0x80000000,admin
+1,2021/04/05 14:53:10,,USERID,login,2305,2021/04/05 14:53:10,vsys1,10.68.2.9,subdomain\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277998,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:11,1,0x80000000,admin
+1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1277999,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,admin
+1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,user,,0,1,10800,0,0,vpn-client,globalprotect,1278000,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,user
+1,2021/04/05 14:53:49,,USERID,login,2305,2021/04/05 14:53:49,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1278001,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:49,1,0x80000000,admin
+1,2021/04/05 14:53:52,,USERID,logout,2305,2021/04/05 14:53:52,vsys1,10.68.2.9,domain\admin,,0,1,0,0,0,vpn-client,globalprotect,1278002,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:52,1,0x80000000,admin
diff --git a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json index 233963b1185..0e263afea5f 100644 --- a/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/userid.log-expected.json @@ -24,16 +24,16 @@ "panw.panos.actionflags": "0x0", "panw.panos.datasource": "", "panw.panos.datasourcetype": "", - "panw.panos.dg_hier_level_1": "0", - "panw.panos.dg_hier_level_2": "0", - "panw.panos.dg_hier_level_3": "0", - "panw.panos.dg_hier_level_4": "0", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", "panw.panos.factorcompletiontime": "2021-03-24T11:00:49.000-02:00", - "panw.panos.factorno": "1", - "panw.panos.repeatcnt": "1", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 1252774, "panw.panos.sub_type": "login", - "panw.panos.timeout": "10800", + "panw.panos.timeout": 10800, "panw.panos.type": "USERID", "panw.panos.ugflags": "0x80000000", "panw.panos.virtual_sys": "vsys1", 
@@ -86,16 +86,16 @@ "panw.panos.actionflags": "0x0", "panw.panos.datasource": "", "panw.panos.datasourcetype": "", - "panw.panos.dg_hier_level_1": "0", - "panw.panos.dg_hier_level_2": "0", - "panw.panos.dg_hier_level_3": "0", - "panw.panos.dg_hier_level_4": "0", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", "panw.panos.factorcompletiontime": "2021-03-24T10:59:45.000-02:00", - "panw.panos.factorno": "1", - "panw.panos.repeatcnt": "1", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 1252765, "panw.panos.sub_type": "logout", - "panw.panos.timeout": "0", + "panw.panos.timeout": 0, "panw.panos.type": "USERID", "panw.panos.ugflags": "0x80000000", "panw.panos.virtual_sys": "vsys1", @@ -147,10 +147,10 @@ "panw.panos.datasource": "active-directory", "panw.panos.datasourcename": "test", "panw.panos.datasourcetype": "unknown", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 1, "panw.panos.sub_type": "login", - "panw.panos.timeout": "2700", + "panw.panos.timeout": 2700, "panw.panos.type": "USERID", "panw.panos.virtual_sys": "vsys1", "related.ip": [ @@ -197,10 +197,10 @@ "panw.panos.datasource": "active-directory", "panw.panos.datasourcename": "test", "panw.panos.datasourcetype": "unknown", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 2, "panw.panos.sub_type": "login", - "panw.panos.timeout": "2700", + "panw.panos.timeout": 2700, "panw.panos.type": "USERID", "panw.panos.virtual_sys": "vsys1", "related.ip": [ 
@@ -247,10 +247,10 @@ "panw.panos.datasource": "active-directory", "panw.panos.datasourcename": "test", "panw.panos.datasourcetype": "unknown", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 3, "panw.panos.sub_type": "login", - "panw.panos.timeout": "2700", + "panw.panos.timeout": 2700, "panw.panos.type": "USERID", "panw.panos.virtual_sys": "vsys1", "related.ip": [ @@ -297,10 +297,10 @@ "panw.panos.datasource": "active-directory", "panw.panos.datasourcename": "test", "panw.panos.datasourcetype": "unknown", - "panw.panos.repeatcnt": "1", + "panw.panos.repeatcnt": 1, "panw.panos.sequence_number": 4, "panw.panos.sub_type": "login", - "panw.panos.timeout": "2700", + "panw.panos.timeout": 2700, "panw.panos.type": "USERID", "panw.panos.virtual_sys": "vsys1", "related.ip": [ 
@@ -322,5 +322,433 @@ ], "user.domain": "plano2008r2", "user.name": "administrator" + }, + { + "@timestamp": "2021-04-05T14:52:16.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1140, + "log.original": "1,2021/04/05 14:52:16,,USERID,login,2305,2021/04/05 14:52:16,vsys1,10.68.2.9,domain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277996,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:16,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:16.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277996, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": 
"admin" + }, + { + "@timestamp": "2021-04-05T14:52:33.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1356, + "log.original": "1,2021/04/05 14:52:33,,USERID,logout,2305,2021/04/05 14:52:33,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1277997,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:52:34,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:52:34.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277997, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:10.000-02:00", + "client.ip": 
"10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1569, + "log.original": "1,2021/04/05 14:53:10,,USERID,login,2305,2021/04/05 14:53:10,vsys1,10.68.2.9,subdomain\\admin,,0,1,10800,0,0,vpn-client,globalprotect,1277998,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:11,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:11.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277998, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "subdomain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "subdomain", + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + 
"destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1788, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1277999,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1277999, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:31.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "user", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": 
"success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 1997, + "log.original": "1,2021/04/05 14:53:31,,USERID,login,2305,2021/04/05 14:53:31,vsys1,10.68.2.9,user,,0,1,10800,0,0,vpn-client,globalprotect,1278000,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:31,1,0x80000000,user", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:31.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278000, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "user" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "user", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "user" + }, + { + "@timestamp": "2021-04-05T14:53:49.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "login", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2204, + "log.original": "1,2021/04/05 
14:53:49,,USERID,login,2305,2021/04/05 14:53:49,vsys1,10.68.2.9,admin,,0,1,10800,0,0,vpn-client,globalprotect,1278001,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:49,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:49.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278001, + "panw.panos.sub_type": "login", + "panw.panos.timeout": 10800, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.name": "admin" + }, + { + "@timestamp": "2021-04-05T14:53:52.000-02:00", + "client.ip": "10.68.2.9", + "client.port": 0, + "client.user.name": "admin", + "destination.port": 0, + "event.action": "logout", + "event.code": "0", + "event.dataset": "panw.panos", + "event.module": "panw", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "panos", + "input.type": "log", + "log.offset": 2413, + "log.original": "1,2021/04/05 14:53:52,,USERID,logout,2305,2021/04/05 
14:53:52,vsys1,10.68.2.9,domain\\admin,,0,1,0,0,0,vpn-client,globalprotect,1278002,0x0,0,0,0,0,,CORE-FW,1,,2021/04/05 14:53:52,1,0x80000000,admin", + "network.type": "ipv4", + "observer.hostname": "CORE-FW", + "observer.product": "PAN-OS", + "observer.serial_number": "", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", + "panw.panos.actionflags": "0x0", + "panw.panos.datasource": "vpn-client", + "panw.panos.datasourcetype": "globalprotect", + "panw.panos.device_group_hierarchy.level_1": "0", + "panw.panos.device_group_hierarchy.level_2": "0", + "panw.panos.device_group_hierarchy.level_3": "0", + "panw.panos.device_group_hierarchy.level_4": "0", + "panw.panos.factorcompletiontime": "2021-04-05T14:53:52.000-02:00", + "panw.panos.factorno": 1, + "panw.panos.repeatcnt": 1, + "panw.panos.sequence_number": 1278002, + "panw.panos.sub_type": "logout", + "panw.panos.timeout": 0, + "panw.panos.type": "USERID", + "panw.panos.ugflags": "0x80000000", + "panw.panos.virtual_sys": "vsys1", + "panw.panos.vsys_id": "1", + "related.hosts": [ + "CORE-FW" + ], + "related.ip": [ + "10.68.2.9" + ], + "related.user": [ + "admin" + ], + "server.port": 0, + "service.type": "panw", + "source.address": "10.68.2.9", + "source.ip": "10.68.2.9", + "source.port": 0, + "source.user.domain": "domain", + "source.user.name": "admin", + "tags": [ + "pan-os", + "forwarded" + ], + "user.domain": "domain", + "user.name": "admin" } ] \ No newline at end of file From 6c443fddf83ce35c083eddbc66ad1f37cba5aba0 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Tue, 11 May 2021 21:40:28 +0000 Subject: [PATCH 8/9] comments from @adriansr --- .../filebeat/module/panw/panos/_meta/fields.yml | 15 --------------- .../module/panw/panos/ingest/pipeline.yml | 5 ----- 2 files changed, 20 deletions(-) diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index c9319a94aa4..5d684649862 100644 
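Review bot: The new GlobalProtect USERID events set `client.port`, `destination.port`, `server.port` and `source.port` to `0` and `observer.serial_number` to `""`, although the raw line in `log.original` carries no port and an empty serial column; zero and empty values in these ECS fields match port- or serial-based queries and aggregate as if they were real values. Presumably the pipeline converts the empty CSV columns instead of dropping them (the pipeline itself is not in this hunk), so consider removing fields whose source column is empty before the convert step so that those keys are simply absent. `event.code` is `"0"` on every new event as well, which is worth confirming against the USERID column layout, since a constant code adds no information to the event.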
--- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml @@ -148,21 +148,6 @@ description: > Virtual system instance - # - name: eventid - # type: keyword - # description: > - # A string showing the name of the event. - - # - name: hostid - # type: keyword - # description: > - # The unique ID that GlobalProtect assigns to identify the host. - - # - name: machinename - # type: keyword - # description: > - # The name of the user’s machine. - - name: client_os_ver type: keyword description: > diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index eac85130a74..60845882733 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -183,14 +183,9 @@ processors: allow_duplicates: false value: denied if: "ctx?.panw?.panos?.action != null && ['deny', 'drop', 'reset-client', 'reset-server', 'reset-both', 'block-url', 'block-ip', 'random-drop', 'sinkhole', 'block'].contains(ctx.panw.panos.action)" - - set: - field: event.outcome - value: failure - if: "ctx?.event?.type != null && ctx?.event?.type.contains('denied')" - set: field: event.outcome value: success - if: ctx?.event?.outcome == null # event.action for traffic logs. - set: From 657e6de9591ae135b5c6d19e158b1b3815690bcd Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Tue, 11 May 2021 22:51:54 +0000 Subject: [PATCH 9/9] update generated data --- x-pack/filebeat/module/panw/fields.go | 2 +- .../test/pan_inc_threat.log-expected.json | 104 ++++++------ .../panw/panos/test/threat.log-expected.json | 152 +++++++++--------- 3 files changed, 129 insertions(+), 129 deletions(-) diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index d67ef330d59..ad5e151b5d6 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go 
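Review bot: With the `if: ctx?.event?.outcome == null` guard removed in the pipeline.yml hunk, the remaining `set` writes `event.outcome: success` unconditionally, so any outcome assigned earlier in the pipeline (for example a failure outcome that a sub-pipeline might set for a GlobalProtect authentication error) would be overwritten. If the intent is that `event.outcome` describes whether the firewall's own action took effect rather than whether traffic was permitted — which is what the regenerated fixtures in the following patch reflect — that deserves a comment next to the processor, e.g. `# event.outcome describes whether the firewall's action (allow or deny) succeeded, not whether the traffic was permitted.`; otherwise keep the null guard so sub-pipelines can still report failures. The enclosing processors list starts and ends outside the hunk.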
@@ -19,5 +19,5 @@ func init() {
 // AssetPanw returns asset data.
 // This is the base64 encoded gzipped contents of module/panw.
 func AssetPanw() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
index 116e5c60805..0ef46712191 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
@@ -1346,7 +1346,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1646,7 +1646,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3291,7 +3291,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3389,7 +3389,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3487,7 +3487,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3587,7 +3587,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3685,7 +3685,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3782,7 +3782,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3882,7 +3882,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3979,7 +3979,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4077,7 +4077,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4174,7 +4174,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4365,7 +4365,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4461,7 +4461,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4557,7 +4557,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4654,7 +4654,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4753,7 +4753,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4852,7 +4852,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4952,7 +4952,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5052,7 +5052,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5152,7 +5152,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5242,7 +5242,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5346,7 +5346,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5436,7 +5436,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5530,7 +5530,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5633,7 +5633,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5723,7 +5723,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5814,7 +5814,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5915,7 +5915,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6012,7 +6012,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6109,7 +6109,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6199,7 +6199,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6303,7 +6303,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -6953,7 +6953,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7043,7 +7043,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7137,7 +7137,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7227,7 +7227,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7317,7 +7317,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7407,7 +7407,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7589,7 +7589,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -7951,7 +7951,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8045,7 +8045,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8135,7 +8135,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8319,7 +8319,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8593,7 +8593,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8775,7 +8775,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -8865,7 +8865,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9047,7 +9047,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9137,7 +9137,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9227,7 +9227,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9317,7 +9317,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -9498,7 +9498,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
index 4ffdc338032..ef9975180c1 100644
--- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
@@ -27,7 +27,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -132,7 +132,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -237,7 +237,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -342,7 +342,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -447,7 +447,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -552,7 +552,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -657,7 +657,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -762,7 +762,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -867,7 +867,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -972,7 +972,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1077,7 +1077,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1182,7 +1182,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1287,7 +1287,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1392,7 +1392,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1497,7 +1497,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1602,7 +1602,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1707,7 +1707,7 @@
 "event.dataset": "panw.panos",
 "event.kind": "alert",
 "event.module": "panw",
- "event.outcome": "failure",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1812,7 +1812,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1917,7 +1917,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2022,7 +2022,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2127,7 +2127,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2232,7 +2232,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2337,7 +2337,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2442,7 +2442,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2547,7 +2547,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -2652,7 +2652,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2757,7 +2757,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2862,7 +2862,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2967,7 +2967,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3072,7 +3072,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3177,7 +3177,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3282,7 +3282,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3387,7 +3387,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3492,7 +3492,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3597,7 +3597,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3702,7 +3702,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3810,7 +3810,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3918,7 +3918,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4026,7 +4026,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4134,7 +4134,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4242,7 +4242,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -4350,7 +4350,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4458,7 +4458,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4566,7 +4566,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4674,7 +4674,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4782,7 +4782,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4890,7 +4890,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -4998,7 +4998,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5106,7 +5106,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -5214,7 +5214,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5319,7 +5319,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5424,7 +5424,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5529,7 +5529,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5634,7 +5634,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5739,7 +5739,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5844,7 +5844,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -5949,7 +5949,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -6054,7 +6054,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6159,7 +6159,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6264,7 +6264,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6372,7 +6372,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6480,7 +6480,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6588,7 +6588,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6696,7 +6696,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -6804,7 +6804,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -6912,7 +6912,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7020,7 +7020,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7128,7 +7128,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7236,7 +7236,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7344,7 +7344,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7452,7 +7452,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7560,7 +7560,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7668,7 +7668,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -7776,7 +7776,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7884,7 +7884,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -7992,7 +7992,7 @@ "event.dataset": "panw.panos", "event.kind": "alert", "event.module": "panw", - "event.outcome": "failure", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [