They were getting merged events where a arcsight event would come through and multiple panorama event (starting with CEF) would get merged one after another ( client info removed )
Mar 4 18:47:25 somehost.com Mar 4 18:48:06 1,2010/03/048:48:06,0004A100609,THREAT,url,46,2010/03/04 18:48:05,10.170.133.122,82.195.186.201,0.0.0.0,0.0.0.0,ProxyAccess-A2,,,web-browsing,xtxs1,Int-FW,Int-FW-Proxy blah....de....blah....informational,0 (<---first event should end here)
CEF:0|Palo Alto|Panorama|||THREAT|Unknown| eventId=1428238 proto=UDP art=1267728483290 rt=1267728481000 shost=somehost.com src=10.97.3.55 sourceZoneURI=/zzz Zones/System Zones/Private Address Space dst=22.11.22.33 blah ....de...blah...dtz=Asia/xyz deviceFacility=IPS (<--- Second event should end here)
CEF:0|Palo Alto|Panorama (<---they continued to get multiple CEF Panorama device events all merged with the above)
... View more