Palo Alto integration with USERID [SIEM Feature]

Hi, everyone

I have been working with Palo Alto and Filebeat over several days. I have looked on Elastic documentation that it currently supports messages of Traffic and Threat types.

Is it considered to parsing User-ID type ? I would like to get it because it provides information about login and logouts of usernames.

Thanks in advance,




You can find the fields that this module populates/handles at Palo Alto Networks module | Filebeat Reference [7.12] | Elastic and panw fields | Filebeat Reference [7.12] | Elastic.
If you think the information you are interested into is not included in the supported fields right now please go ahead and open a Github issue for the team to request adding it.


1 Like

Hi, @ChrsMark

I just created an issue on GitHub.

Thanks :slight_smile: ,


1 Like

Hello @RdrgPorto and @ChrsMark ,

We too are very much interested in extending / improving the Palo Alto datasets... Not only for userid, but also for globalprotect and system logs.

Another important question I've been asking is when we can expect the panw module to go out of beta? The module is imho our most important dataset and it has been in beta since the beginning. I also created multiple issue with the existing threat and traffic data

Please please dedicate some resources into the panw module, so that it finally becomes a supported and trusted dataset which covers all panw event types.

Best regards,


1 Like

Created [Filebeat] Palo Alto integration with GlobalProtect · Issue #24724 · elastic/beats · GitHub

Thank you all!

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.