Hi saurabh_tek11, thanks for bumping this. We support network sessions, see eventtype=pan_traffic_start and pan_traffic_end. We could support Authentication to some extent with USERID type logs from the firewall, but the Authentication CIM is not a great fit because it's geared more toward the logs from the actual point of authentication, which the firewall typically is not in enterprise environments. This would be your RADIUS, LDAP, or AD server usually.
I opened a feature request so you can share your use cases for supporting the Authentication CIM. I'm very interested in any feedback, thanks!
https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/33
... View more