From 1369a56241e51a238f8c444acaefb453aa19252b Mon Sep 17 00:00:00 2001
From: Paul Nguyen
Date: Thu, 13 May 2021 08:09:10 -0700
Subject: [PATCH 1/2] fix(addon): Fix source user field and add status field alias

---
 Splunk_TA_paloalto/default/props.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index 96e03ae7..6955c702 100644
--- a/Splunk_TA_paloalto/default/props.conf
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -48,6 +48,7 @@ FIELDALIAS-fwcloud_dest_location = DestinationLocation as dest_location
 FIELDALIAS-fwcloud_dest_port = DestinationPort as dest_port
 FIELDALIAS-fwcloud_dest_user = DestinationUser as dest_user
 FIELDALIAS-fwcloud_dest_zone = ToZone as dest_zone
+FIELDALIAS-fwcloud_status = EventStatus as status
 EVAL-direction = replace(DirectionOfAttack, " ", "-")
 EVAL-dvc_name = coalesce(DeviceName, LogSourceName)
 EVAL-event_id = coalesce(EventName, EventIDValue)
@@ -79,7 +80,7 @@ FIELDALIAS-fwcloud_src_interface = InboundInterface as src_interface
 EVAL-src_ip = coalesce(SourceAddress, PublicIPv4)
 FIELDALIAS-fwcloud_src_location = SourceLocation as src_location
 FIELDALIAS-fwcloud_src_port = SourcePort as src_port
-FIELDALIAS-fwcloud_src_user = DestinationUser as src_user
+FIELDALIAS-fwcloud_src_user = SourceUser as src_user
 FIELDALIAS-fwcloud_src_zone = FromZone as src_zone
 FIELDALIAS-fwcloud_start_time = SessionStartTime as start_time
 FIELDALIAS-fwcloud_threat_category = ThreatCategory as threat_category

From 7d97e97c2308f4378feb76b86cde3b335e982871 Mon Sep 17 00:00:00 2001
From: Paul Nguyen
Date: Thu, 13 May 2021 08:45:52 -0700
Subject: [PATCH 2/2] fix(addon): Fix source user field alias

---
 Splunk_TA_paloalto/default/props.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Splunk_TA_paloalto/default/props.conf b/Splunk_TA_paloalto/default/props.conf
index 6955c702..e9d3b374 100644
--- a/Splunk_TA_paloalto/default/props.conf
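Review bot: The corrected `FIELDALIAS-fwcloud_src_user = SourceUser as src_user` in the second hunk is a search-time alias, so already-indexed events pick up the fix on the next search, but any accelerated data model summaries or summary-index results populated while src_user was aliased from DestinationUser may still carry the destination identity in that field and keep misattributing source users until they are rebuilt; that operational consequence is not mentioned in the commit description. A one-line comment above the alias, `# src_user is the initiating identity: alias SourceUser, never DestinationUser`, would make the source/destination pairing explicit and discourage a repeat of the copy-paste mix-up. The stanza header these aliases belong to lies above the hunk, so the sourcetype they apply to is not visible here.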
+++ b/Splunk_TA_paloalto/default/props.conf
@@ -48,7 +48,6 @@ FIELDALIAS-fwcloud_dest_location = DestinationLocation as dest_location
 FIELDALIAS-fwcloud_dest_port = DestinationPort as dest_port
 FIELDALIAS-fwcloud_dest_user = DestinationUser as dest_user
 FIELDALIAS-fwcloud_dest_zone = ToZone as dest_zone
-FIELDALIAS-fwcloud_status = EventStatus as status
 EVAL-direction = replace(DirectionOfAttack, " ", "-")
 EVAL-dvc_name = coalesce(DeviceName, LogSourceName)
 EVAL-event_id = coalesce(EventName, EventIDValue)