https://live.paloaltonetworks.com/t5/general-topics/what-is-destination-user-field-in-traffic-and-threat-logs/m-p/119085#M45743 <P>I can see destination user field in traffic and threat logs getting poulated.</P><P>How this data is collected.</P><P>&nbsp;</P> Thu, 13 Oct 2016 14:55:26 GMT Roby_Sreejith 2016-10-13T14:55:26Z https://live.paloaltonetworks.com/t5/general-topics/what-is-destination-user-field-in-traffic-and-threat-logs/m-p/119085#M45743 <P>I can see destination user field in traffic and threat logs getting poulated.</P><P>How this data is collected.</P><P>&nbsp;</P> Thu, 13 Oct 2016 14:55:26 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-destination-user-field-in-traffic-and-threat-logs/m-p/119085#M45743 Roby_Sreejith 2016-10-13T14:55:26Z https://live.paloaltonetworks.com/t5/general-topics/what-is-destination-user-field-in-traffic-and-threat-logs/m-p/119127#M45771 <P>The same as source user, through user-IP mapping</P> <P>&nbsp;</P> <P>If a user is identified by UserID (agent, captive portal ,....) a user-ip mapping is created on the firewall, anything coming from- or going to that IP can then be matched to the currently active user.</P> <P>&nbsp;</P> <P>This could come in handy when for example a patch management system pushes updates out to your clients, you'll see which user was associated to the IP at the time the patch was sent out</P> Fri, 14 Oct 2016 09:48:00 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-destination-user-field-in-traffic-and-threat-logs/m-p/119127#M45771 reaper 2016-10-14T09:48:00Z