From 11881caac202563c1b09824a073db8586225905c Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Thu, 23 Jul 2020 12:44:47 -0400
Subject: [PATCH] Update Filebeat module golden log files (#20168) (#20196)

The Elasticsearch user_agent processor was updated in https://github.com/elastic/elasticsearch/pull/59697

(cherry picked from commit 323896142ea9e4cff297c91b0f1cfa8cec3e5ec6)
---
 .../access/test/test-vhost.log-expected.json  |   2 +-
 .../apache/access/test/test.log-expected.json |   2 +-
 .../test/ubuntu-2.2.22.log-expected.json      |  16 +-
 .../test/test-ipv6zone.log-expected.json      |   2 +-
 .../iis/access/test/test.log-expected.json    |   2 +-
 .../access/test/access.log-expected.json      |  24 +-
 .../test/test-with-host.log-expected.json     |   6 +-
 .../nginx/access/test/test.log-expected.json  |   6 +-
 .../test/test.log-expected.json               |  28 +-
 .../protect/test/generated.log-expected.json  |   4 +-
 .../bigipapm/test/generated.log-expected.json |   4 +-
 .../firepass/test/generated.log-expected.json |  12 +-
 .../test/generated.log-expected.json          | 180 +++----
 .../audit-log-entries.json.log-expected.json  |   6 +-
 .../test/generated.log-expected.json          | 500 +++++++++---------
 .../test/generated.log-expected.json          |  12 +-
 .../test/04-sharepoint.log-expected.json      |   8 +-
 .../06-sharepointfileop.log-expected.json     |  22 +-
 .../test/14-sp-sharing-op.log-expected.json   |  10 +-
 .../15-azuread-sts-logon.log-expected.json    | 138 ++---
 .../okta-system-test.json.log-expected.json   |   6 +-
 .../firewall/test/generated.log-expected.json |  56 +-
 .../squid/log/test/access1.log-expected.json  | 336 ++++++------
 .../eve/test/eve-small.log-expected.json      |   4 +-
 .../log/test/generated.log-expected.json      |  46 +-
 .../zia/test/generated.log-expected.json      | 442 ++++++++--------
 .../zscaler/zia/test/test.log-expected.json   |   4 +-
 27 files changed, 939 insertions(+), 939 deletions(-)

diff --git a/filebeat/module/apache/access/test/test-vhost.log-expected.json b/filebeat/module/apache/access/test/test-vhost.log-expected.json
index d61237c3c8dd..b332788ad2b0 100644
--- a/filebeat/module/apache/access/test/test-vhost.log-expected.json
+++ b/filebeat/module/apache/access/test/test-vhost.log-expected.json
@@ -19,7 +19,7 @@
         "source.ip": "192.168.33.2",
         "url.original": "/hello",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
diff --git a/filebeat/module/apache/access/test/test.log-expected.json b/filebeat/module/apache/access/test/test.log-expected.json
index 7b15274997ad..ebe888475861 100644
--- a/filebeat/module/apache/access/test/test.log-expected.json
+++ b/filebeat/module/apache/access/test/test.log-expected.json
@@ -39,7 +39,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/hello",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json
index cdf664d927e2..e9680e5b7fbc 100644
--- a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json
+++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json
@@ -45,7 +45,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -73,7 +73,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/favicon.ico",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -101,7 +101,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -129,7 +129,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/favicon.ico",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -157,7 +157,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/favicon.ico",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -185,7 +185,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/test",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -213,7 +213,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/hello",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -241,7 +241,7 @@
         "source.ip": "192.168.33.1",
         "url.original": "/crap",
         "user.name": "-",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
         "user_agent.os.full": "Mac OS X 10.12",
diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
index 448779366cea..c3f4a4932dac 100644
--- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
+++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json
@@ -37,7 +37,7 @@
         "source.address": "::1%0",
         "source.ip": "::1",
         "url.path": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json
index 909bffb0e627..adb56a2eadd7 100644
--- a/filebeat/module/iis/access/test/test.log-expected.json
+++ b/filebeat/module/iis/access/test/test.log-expected.json
@@ -133,7 +133,7 @@
         "source.geo.region_name": "Land Berlin",
         "source.ip": "85.181.35.98",
         "url.path": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json
index 38ced3a64acb..92519cc1e811 100644
--- a/filebeat/module/nginx/access/test/access.log-expected.json
+++ b/filebeat/module/nginx/access/test/access.log-expected.json
@@ -38,7 +38,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -86,7 +86,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -133,7 +133,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/adsasd",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -180,7 +180,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -228,7 +228,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -275,7 +275,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/test",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -322,7 +322,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/test",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -369,7 +369,7 @@
         "source.geo.region_name": "Rheinland-Pfalz",
         "source.ip": "77.179.66.156",
         "url.original": "/test1",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -407,7 +407,7 @@
         "source.address": "127.0.0.1",
         "source.ip": "127.0.0.1",
         "url.original": "/test1",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.12.0",
@@ -445,7 +445,7 @@
         "source.address": "127.0.0.1",
         "source.ip": "127.0.0.1",
         "url.original": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -483,7 +483,7 @@
         "source.address": "127.0.0.1",
         "source.ip": "127.0.0.1",
         "url.original": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -521,7 +521,7 @@
         "source.address": "127.0.0.1",
         "source.ip": "127.0.0.1",
         "url.original": "/taga",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json
index 426b08eafd8e..a19686951847 100644
--- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json
+++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json
@@ -32,7 +32,7 @@
         "source.address": "10.0.0.2",
         "source.ip": "10.0.0.2",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -121,7 +121,7 @@
         "source.geo.region_name": "Land Berlin",
         "source.ip": "85.181.35.98",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -170,7 +170,7 @@
         "source.geo.region_name": "Land Berlin",
         "source.ip": "85.181.35.98",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json
index 47d88c36eada..75caf6cf9f8a 100644
--- a/filebeat/module/nginx/access/test/test.log-expected.json
+++ b/filebeat/module/nginx/access/test/test.log-expected.json
@@ -31,7 +31,7 @@
         "source.address": "10.0.0.2",
         "source.ip": "10.0.0.2",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -118,7 +118,7 @@
         "source.geo.region_name": "Land Berlin",
         "source.ip": "85.181.35.98",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0",
         "user_agent.os.full": "Mac OS X 10.12",
@@ -165,7 +165,7 @@
         "source.geo.region_name": "Land Berlin",
         "source.ip": "85.181.35.98",
         "url.original": "/ocelot",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.0",
diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
index 6a22bb503ca5..4bf393a59064 100644
--- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
+++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
@@ -336,7 +336,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/products/42",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -385,7 +385,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -433,7 +433,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/v2",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -482,7 +482,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -530,7 +530,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/products/42",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -579,7 +579,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -627,7 +627,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/products/42",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -675,7 +675,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -724,7 +724,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -772,7 +772,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/v2",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -821,7 +821,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Safari",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15",
         "user_agent.os.full": "Mac OS X 10.14.6",
@@ -914,7 +914,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/v2",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -962,7 +962,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/favicon.ico",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1010,7 +1010,7 @@
         "source.address": "192.168.64.1",
         "source.ip": "192.168.64.1",
         "url.original": "/v2/some",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
index abf3264f09f9..21a794b1d4cf 100644
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
@@ -3161,7 +3161,7 @@
         "user.name": "stenatus"
     },
     {
-        "@timestamp": "2019-07-24T10:58:48.000Z",
+        "@timestamp": "2020-07-24T10:58:48.000Z",
         "event.action": "Alert",
         "event.code": "CylancePROTECT",
         "event.dataset": "cylance.protect",
@@ -3186,7 +3186,7 @@
         "rsa.network.alias_host": [
             "squ2213.www.test"
         ],
-        "rsa.time.event_time": "2019-07-24T10:58:48.000Z",
+        "rsa.time.event_time": "2020-07-24T10:58:48.000Z",
         "service.type": "cylance",
         "tags": [
             "cylance.protect",
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index b06452aca740..b3f74874b99b 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
@@ -1556,8 +1556,8 @@
         "observer.vendor": "F5",
         "process.pid": 1973,
         "related.ip": [
-            "10.47.99.72",
-            "10.187.64.126"
+            "10.187.64.126",
+            "10.47.99.72"
         ],
         "rsa.internal.messageid": "01490500",
         "rsa.misc.category": "oremipsu",
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
index e783667b4924..6c58cc63ba7e 100644
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
@@ -405,8 +405,8 @@
         "observer.type": "VPN",
         "observer.vendor": "F5",
         "related.ip": [
-            "10.18.220.102",
-            "10.230.12.79"
+            "10.230.12.79",
+            "10.18.220.102"
         ],
         "rsa.db.index": "obeataev",
         "rsa.internal.messageid": "kernel",
@@ -835,8 +835,8 @@
         "observer.type": "VPN",
         "observer.vendor": "F5",
         "related.ip": [
-            "10.117.146.33",
-            "10.46.158.31"
+            "10.46.158.31",
+            "10.117.146.33"
         ],
         "rsa.db.index": "dun",
         "rsa.internal.messageid": "kernel",
@@ -2303,8 +2303,8 @@
         "observer.type": "VPN",
         "observer.vendor": "F5",
         "related.ip": [
-            "10.65.175.9",
-            "10.225.181.30"
+            "10.225.181.30",
+            "10.65.175.9"
         ],
         "rsa.db.index": "uia",
         "rsa.internal.messageid": "kernel",
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index e2670bf5b87d..3b9dc0716ec7 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -186,8 +186,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5712,
         "related.ip": [
-            "10.134.137.177",
-            "10.202.204.154"
+            "10.202.204.154",
+            "10.134.137.177"
         ],
         "related.user": [
             "orsitame"
@@ -241,8 +241,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6557,
         "related.ip": [
-            "10.245.142.250",
-            "10.70.0.60"
+            "10.70.0.60",
+            "10.245.142.250"
         ],
         "related.user": [
             "eos"
@@ -296,8 +296,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2061,
         "related.ip": [
-            "10.200.188.142",
-            "10.202.72.124"
+            "10.202.72.124",
+            "10.200.188.142"
         ],
         "related.user": [
             "iusmodt"
@@ -406,8 +406,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5037,
         "related.ip": [
-            "10.66.108.11",
-            "10.198.136.50"
+            "10.198.136.50",
+            "10.66.108.11"
         ],
         "related.user": [
             "uptatev"
@@ -461,8 +461,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 776,
         "related.ip": [
-            "10.178.244.31",
-            "10.69.20.77"
+            "10.69.20.77",
+            "10.178.244.31"
         ],
         "related.user": [
             "umdolor"
@@ -626,8 +626,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2703,
         "related.ip": [
-            "10.57.40.29",
-            "10.210.213.18"
+            "10.210.213.18",
+            "10.57.40.29"
         ],
         "related.user": [
             "onse"
@@ -736,8 +736,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 7668,
         "related.ip": [
-            "10.72.58.135",
-            "10.109.232.112"
+            "10.109.232.112",
+            "10.72.58.135"
         ],
         "related.user": [
             "xea"
@@ -846,8 +846,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 7183,
         "related.ip": [
-            "10.76.72.111",
-            "10.70.95.74"
+            "10.70.95.74",
+            "10.76.72.111"
         ],
         "related.user": [
             "ivelits"
@@ -901,8 +901,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6907,
         "related.ip": [
-            "10.19.201.13",
-            "10.73.69.75"
+            "10.73.69.75",
+            "10.19.201.13"
         ],
         "related.user": [
             "tat"
@@ -1011,8 +1011,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 1531,
         "related.ip": [
-            "10.135.233.146",
-            "10.25.192.202"
+            "10.25.192.202",
+            "10.135.233.146"
         ],
         "related.user": [
             "emeumfu"
@@ -1066,8 +1066,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6051,
         "related.ip": [
-            "10.104.134.200",
-            "10.121.219.204"
+            "10.121.219.204",
+            "10.104.134.200"
         ],
         "related.user": [
             "uptat"
@@ -1176,8 +1176,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5200,
         "related.ip": [
-            "10.161.57.8",
-            "10.141.44.153"
+            "10.141.44.153",
+            "10.161.57.8"
         ],
         "related.user": [
             "quisnos"
@@ -1231,8 +1231,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 3365,
         "related.ip": [
-            "10.6.167.7",
-            "10.153.111.103"
+            "10.153.111.103",
+            "10.6.167.7"
         ],
         "related.user": [
             "eumfug"
@@ -1286,8 +1286,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 1835,
         "related.ip": [
-            "10.134.148.219",
-            "10.248.204.182"
+            "10.248.204.182",
+            "10.134.148.219"
         ],
         "related.user": [
             "uioffi"
@@ -1506,8 +1506,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2328,
         "related.ip": [
-            "10.168.90.81",
-            "10.101.57.120"
+            "10.101.57.120",
+            "10.168.90.81"
         ],
         "related.user": [
             "eporr"
@@ -1561,8 +1561,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 1156,
         "related.ip": [
-            "10.14.211.43",
-            "10.130.14.60"
+            "10.130.14.60",
+            "10.14.211.43"
         ],
         "related.user": [
             "litse"
@@ -1616,8 +1616,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6003,
         "related.ip": [
-            "10.60.129.15",
-            "10.248.101.25"
+            "10.248.101.25",
+            "10.60.129.15"
         ],
         "related.user": [
             "evolup"
@@ -1781,8 +1781,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6932,
         "related.ip": [
-            "10.75.99.127",
-            "10.195.2.130"
+            "10.195.2.130",
+            "10.75.99.127"
         ],
         "related.user": [
             "inibusB"
@@ -1836,8 +1836,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6945,
         "related.ip": [
-            "10.245.104.182",
-            "10.201.238.90"
+            "10.201.238.90",
+            "10.245.104.182"
         ],
         "related.user": [
             "ovol"
@@ -1946,8 +1946,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4153,
         "related.ip": [
-            "10.184.18.202",
-            "10.4.157.1"
+            "10.4.157.1",
+            "10.184.18.202"
         ],
         "related.user": [
             "oditem"
@@ -2001,8 +2001,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 1693,
         "related.ip": [
-            "10.113.95.59",
-            "10.255.39.252"
+            "10.255.39.252",
+            "10.113.95.59"
         ],
         "related.user": [
             "persp"
@@ -2221,8 +2221,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 55,
         "related.ip": [
-            "10.9.12.248",
-            "10.9.18.237"
+            "10.9.18.237",
+            "10.9.12.248"
         ],
         "related.user": [
             "uradi"
@@ -2276,8 +2276,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 228,
         "related.ip": [
-            "10.41.123.102",
-            "10.83.130.226"
+            "10.83.130.226",
+            "10.41.123.102"
         ],
         "related.user": [
             "tenim"
@@ -2331,8 +2331,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4253,
         "related.ip": [
-            "10.175.112.197",
-            "10.80.152.108"
+            "10.80.152.108",
+            "10.175.112.197"
         ],
         "related.user": [
             "tametcon"
@@ -2386,8 +2386,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2200,
         "related.ip": [
-            "10.142.25.100",
-            "10.134.18.114"
+            "10.134.18.114",
+            "10.142.25.100"
         ],
         "related.user": [
             "osqui"
@@ -2991,8 +2991,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 276,
         "related.ip": [
-            "10.50.233.155",
-            "10.60.142.127"
+            "10.60.142.127",
+            "10.50.233.155"
         ],
         "related.user": [
             "atv"
@@ -3101,8 +3101,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 3453,
         "related.ip": [
-            "10.6.38.163",
-            "10.31.237.225"
+            "10.31.237.225",
+            "10.6.38.163"
         ],
         "related.user": [
             "olup"
@@ -3156,8 +3156,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2302,
         "related.ip": [
-            "10.226.5.189",
-            "10.125.165.144"
+            "10.125.165.144",
+            "10.226.5.189"
         ],
         "related.user": [
             "mvolu"
@@ -3321,8 +3321,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 1586,
         "related.ip": [
-            "10.123.199.198",
-            "10.17.87.79"
+            "10.17.87.79",
+            "10.123.199.198"
         ],
         "related.user": [
             "ratvolu"
@@ -3376,8 +3376,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5137,
         "related.ip": [
-            "10.38.86.177",
-            "10.115.68.40"
+            "10.115.68.40",
+            "10.38.86.177"
         ],
         "related.user": [
             "mpo"
@@ -3541,8 +3541,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5398,
         "related.ip": [
-            "10.1.96.93",
-            "10.54.73.158"
+            "10.54.73.158",
+            "10.1.96.93"
         ],
         "related.user": [
             "lloinven"
@@ -3651,8 +3651,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6064,
         "related.ip": [
-            "10.77.229.168",
-            "10.181.247.224"
+            "10.181.247.224",
+            "10.77.229.168"
         ],
         "related.user": [
             "adol"
@@ -3871,8 +3871,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4984,
         "related.ip": [
-            "10.77.78.180",
-            "10.97.236.123"
+            "10.97.236.123",
+            "10.77.78.180"
         ],
         "related.user": [
             "nisi"
@@ -4256,8 +4256,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 7128,
         "related.ip": [
-            "10.76.125.70",
-            "10.54.23.133"
+            "10.54.23.133",
+            "10.76.125.70"
         ],
         "related.user": [
             "oloreeu"
@@ -4311,8 +4311,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2780,
         "related.ip": [
-            "10.189.42.62",
-            "10.36.110.69"
+            "10.36.110.69",
+            "10.189.42.62"
         ],
         "related.user": [
             "eque"
@@ -4366,8 +4366,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 3284,
         "related.ip": [
-            "10.183.202.82",
-            "10.47.179.68"
+            "10.47.179.68",
+            "10.183.202.82"
         ],
         "related.user": [
             "umfugi"
@@ -4531,8 +4531,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 3990,
         "related.ip": [
-            "10.30.246.132",
-            "10.208.18.210"
+            "10.208.18.210",
+            "10.30.246.132"
         ],
         "related.user": [
             "veniam"
@@ -4586,8 +4586,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4337,
         "related.ip": [
-            "10.106.249.91",
-            "10.19.119.17"
+            "10.19.119.17",
+            "10.106.249.91"
         ],
         "related.user": [
             "lit"
@@ -4641,8 +4641,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5275,
         "related.ip": [
-            "10.29.109.126",
-            "10.181.41.154"
+            "10.181.41.154",
+            "10.29.109.126"
         ],
         "related.user": [
             "labo"
@@ -4806,8 +4806,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 226,
         "related.ip": [
-            "10.103.189.199",
-            "10.29.120.226"
+            "10.29.120.226",
+            "10.103.189.199"
         ],
         "related.user": [
             "emu"
@@ -4916,8 +4916,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 5647,
         "related.ip": [
-            "10.91.2.135",
-            "10.126.245.73"
+            "10.126.245.73",
+            "10.91.2.135"
         ],
         "related.user": [
             "olore"
@@ -4971,8 +4971,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 2313,
         "related.ip": [
-            "10.183.243.246",
-            "10.137.85.123"
+            "10.137.85.123",
+            "10.183.243.246"
         ],
         "related.user": [
             "cid"
@@ -5246,8 +5246,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4855,
         "related.ip": [
-            "10.143.53.214",
-            "10.87.144.208"
+            "10.87.144.208",
+            "10.143.53.214"
         ],
         "related.user": [
             "psumq"
@@ -5356,8 +5356,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 4493,
         "related.ip": [
-            "10.194.67.223",
-            "10.161.64.168"
+            "10.161.64.168",
+            "10.194.67.223"
         ],
         "related.user": [
             "tion"
@@ -5411,8 +5411,8 @@
         "observer.vendor": "Fortinet",
         "process.pid": 6094,
         "related.ip": [
-            "10.120.148.241",
-            "10.100.154.220"
+            "10.100.154.220",
+            "10.120.148.241"
         ],
         "related.user": [
             "rsitam"
diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json
index 18754e2db958..8e5b00aeef89 100644
--- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json
+++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json
@@ -79,7 +79,7 @@
             "forwarded"
         ],
         "user.email": "xxx@xxx.xxx",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
         "user_agent.os.full": "Mac OS X 10.15",
@@ -136,7 +136,7 @@
             "forwarded"
         ],
         "user.email": "xxx@xxx.xxx",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
         "user_agent.os.full": "Mac OS X 10.15",
@@ -188,7 +188,7 @@
             "forwarded"
         ],
         "user.email": "xxx@xxx.xxx",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
         "user_agent.os.full": "Mac OS X 10.15",
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
index 4ab905ff64fc..555b06cb1da7 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
@@ -20,13 +20,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.81.122.126",
-            "10.70.155.35"
+            "10.70.155.35",
+            "10.81.122.126"
         ],
         "related.user": [
             "magn",
-            "aqui",
-            "tatno"
+            "tatno",
+            "aqui"
         ],
         "rsa.counters.dclass_c1": 5910,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -106,13 +106,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.58.116.231",
-            "10.159.182.171"
+            "10.159.182.171",
+            "10.58.116.231"
         ],
         "related.user": [
             "qua",
-            "temUten",
-            "uradi"
+            "uradi",
+            "temUten"
         ],
         "rsa.counters.dclass_c1": 3626,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -161,13 +161,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.232.27.250",
-            "10.18.124.28"
+            "10.18.124.28",
+            "10.232.27.250"
         ],
         "related.user": [
-            "mquidol",
+            "lapariat",
             "modocons",
-            "lapariat"
+            "mquidol"
         ],
         "rsa.counters.dclass_c1": 6564,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -227,8 +227,8 @@
         ],
         "related.user": [
             "oluptas",
-            "occae",
-            "intoc"
+            "intoc",
+            "occae"
         ],
         "rsa.counters.event_counter": 7243,
         "rsa.db.database": "tNequepo",
@@ -352,12 +352,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.129.149.43",
-            "10.211.105.204"
+            "10.211.105.204",
+            "10.129.149.43"
         ],
         "related.user": [
-            "labor",
             "orema",
+            "labor",
             "eveli"
         ],
         "rsa.counters.dclass_c1": 6855,
@@ -415,9 +415,9 @@
             "10.112.250.193"
         ],
         "related.user": [
-            "ipsumdol",
             "ide",
-            "Exc"
+            "Exc",
+            "ipsumdol"
         ],
         "rsa.counters.dclass_c1": 6852,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -469,13 +469,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.192.34.76",
-            "10.251.20.13"
+            "10.251.20.13",
+            "10.192.34.76"
         ],
         "related.user": [
-            "iquipe",
+            "ovol",
             "tnonpro",
-            "ovol"
+            "iquipe"
         ],
         "rsa.counters.dclass_c1": 3645,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -528,9 +528,9 @@
             "10.59.138.212"
         ],
         "related.user": [
-            "archite",
+            "boree",
             "idunt",
-            "boree"
+            "archite"
         ],
         "rsa.counters.dclass_c1": 248,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -583,13 +583,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.168.159.13",
-            "10.230.173.4"
+            "10.230.173.4",
+            "10.168.159.13"
         ],
         "related.user": [
-            "isnostr",
+            "atemq",
             "inci",
-            "atemq"
+            "isnostr"
         ],
         "rsa.counters.dclass_c1": 6135,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -646,9 +646,9 @@
             "10.49.167.57"
         ],
         "related.user": [
-            "ccaeca",
+            "tali",
             "sau",
-            "tali"
+            "ccaeca"
         ],
         "rsa.counters.dclass_c1": 6818,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -708,16 +708,16 @@
         ],
         "related.user": [
             "lorsita",
-            "llamco",
-            "dolore"
+            "dolore",
+            "llamco"
         ],
         "rsa.counters.event_counter": 4603,
         "rsa.db.database": "uptate",
         "rsa.internal.event_desc": "aquae",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "accept",
-            "quasia"
+            "quasia",
+            "accept"
         ],
         "rsa.misc.category": "boreetdo",
         "rsa.misc.disposition": "aturve",
@@ -774,9 +774,9 @@
             "10.204.128.215"
         ],
         "related.user": [
-            "paquioff",
             "nci",
-            "rum"
+            "rum",
+            "paquioff"
         ],
         "rsa.counters.event_counter": 332,
         "rsa.db.database": "isau",
@@ -833,13 +833,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.200.68.129",
-            "10.34.148.166"
+            "10.34.148.166",
+            "10.200.68.129"
         ],
         "related.user": [
-            "miu",
             "icabo",
-            "untutlab"
+            "untutlab",
+            "miu"
         ],
         "rsa.counters.dclass_c1": 5427,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -893,8 +893,8 @@
         ],
         "related.user": [
             "siu",
-            "conse",
-            "licabo"
+            "licabo",
+            "conse"
         ],
         "rsa.counters.dclass_c1": 6356,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -952,8 +952,8 @@
         ],
         "related.user": [
             "dipisci",
-            "olori",
-            "velite"
+            "velite",
+            "olori"
         ],
         "rsa.counters.dclass_c1": 7717,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1006,13 +1006,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.233.120.207",
-            "10.190.10.219"
+            "10.190.10.219",
+            "10.233.120.207"
         ],
         "related.user": [
             "item",
-            "accusant",
-            "quamnih"
+            "quamnih",
+            "accusant"
         ],
         "rsa.counters.dclass_c1": 3278,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1093,13 +1093,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.248.184.200",
-            "10.100.98.56"
+            "10.100.98.56",
+            "10.248.184.200"
         ],
         "related.user": [
-            "proident",
+            "boru",
             "ritati",
-            "boru"
+            "proident"
         ],
         "rsa.counters.dclass_c1": 5923,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1152,13 +1152,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.197.6.245",
-            "10.82.28.220"
+            "10.82.28.220",
+            "10.197.6.245"
         ],
         "related.user": [
             "aecatcup",
-            "oluptat",
-            "dtempo"
+            "dtempo",
+            "oluptat"
         ],
         "rsa.counters.dclass_c1": 3071,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1211,8 +1211,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.167.252.183",
-            "10.6.27.103"
+            "10.6.27.103",
+            "10.167.252.183"
         ],
         "related.user": [
             "redol",
@@ -1276,8 +1276,8 @@
             "10.88.45.111"
         ],
         "related.user": [
-            "iameaque",
             "undeomni",
+            "iameaque",
             "lmole"
         ],
         "rsa.counters.event_counter": 6344,
@@ -1341,9 +1341,9 @@
             "10.29.119.245"
         ],
         "related.user": [
-            "scipitl",
             "taliqui",
-            "edolorin"
+            "edolorin",
+            "scipitl"
         ],
         "rsa.counters.dclass_c1": 5140,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1411,8 +1411,8 @@
         "rsa.internal.event_desc": "liquid",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "vitaed",
-            "allow"
+            "allow",
+            "vitaed"
         ],
         "rsa.misc.category": "enim",
         "rsa.misc.disposition": "Finibus",
@@ -1463,13 +1463,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.105.190.170",
-            "10.182.152.242"
+            "10.182.152.242",
+            "10.105.190.170"
         ],
         "related.user": [
-            "litan",
             "mquisn",
-            "doeiu"
+            "doeiu",
+            "litan"
         ],
         "rsa.counters.dclass_c1": 3474,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1528,9 +1528,9 @@
             "10.123.166.197"
         ],
         "related.user": [
-            "liquam",
             "emUte",
-            "min"
+            "min",
+            "liquam"
         ],
         "rsa.counters.event_counter": 7102,
         "rsa.db.database": "oluptat",
@@ -1588,13 +1588,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.201.168.116",
-            "10.72.75.207"
+            "10.72.75.207",
+            "10.201.168.116"
         ],
         "related.user": [
-            "urau",
             "eufug",
-            "eFini"
+            "eFini",
+            "urau"
         ],
         "rsa.counters.dclass_c1": 3348,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1651,8 +1651,8 @@
             "10.58.133.175"
         ],
         "related.user": [
-            "nde",
             "mfu",
+            "nde",
             "oco"
         ],
         "rsa.counters.dclass_c1": 3795,
@@ -1706,13 +1706,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.70.29.203",
-            "10.169.50.59"
+            "10.169.50.59",
+            "10.70.29.203"
         ],
         "related.user": [
-            "pta",
             "veniamq",
-            "mquisnos"
+            "mquisnos",
+            "pta"
         ],
         "rsa.counters.dclass_c1": 2358,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1765,13 +1765,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.137.85.123",
-            "10.165.182.111"
+            "10.165.182.111",
+            "10.137.85.123"
         ],
         "related.user": [
-            "ames",
+            "Bonorum",
             "sis",
-            "Bonorum"
+            "ames"
         ],
         "rsa.counters.dclass_c1": 6401,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -1854,13 +1854,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.173.178.109",
-            "10.64.184.196"
+            "10.64.184.196",
+            "10.173.178.109"
         ],
         "related.user": [
             "uian",
-            "tam",
-            "nesci"
+            "nesci",
+            "tam"
         ],
         "rsa.counters.event_counter": 4493,
         "rsa.db.database": "sin",
@@ -1923,8 +1923,8 @@
             "10.90.50.149"
         ],
         "related.user": [
-            "aUtenima",
             "olupta",
+            "aUtenima",
             "olu"
         ],
         "rsa.counters.dclass_c1": 1127,
@@ -1982,9 +1982,9 @@
             "10.18.150.82"
         ],
         "related.user": [
+            "luptat",
             "mtota",
-            "qua",
-            "luptat"
+            "qua"
         ],
         "rsa.counters.dclass_c1": 6112,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2068,9 +2068,9 @@
             "10.151.240.35"
         ],
         "related.user": [
-            "lam",
+            "ama",
             "ametcons",
-            "ama"
+            "lam"
         ],
         "rsa.counters.dclass_c1": 4325,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2124,8 +2124,8 @@
         ],
         "related.user": [
             "quisn",
-            "ese",
-            "quasi"
+            "quasi",
+            "ese"
         ],
         "rsa.counters.dclass_c1": 3970,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2180,21 +2180,21 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.213.165.165",
-            "10.254.10.98"
+            "10.254.10.98",
+            "10.213.165.165"
         ],
         "related.user": [
-            "ttenb",
+            "eufugia",
             "civeli",
-            "eufugia"
+            "ttenb"
         ],
         "rsa.counters.event_counter": 7365,
         "rsa.db.database": "utlabore",
         "rsa.internal.event_desc": "culpaq",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "cancel",
-            "uptasn"
+            "uptasn",
+            "cancel"
         ],
         "rsa.misc.category": "quamq",
         "rsa.misc.disposition": "usan",
@@ -2340,13 +2340,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.45.69.152",
-            "10.29.138.31"
+            "10.29.138.31",
+            "10.45.69.152"
         ],
         "related.user": [
             "volupta",
-            "umq",
-            "tsunt"
+            "tsunt",
+            "umq"
         ],
         "rsa.counters.dclass_c1": 744,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2403,9 +2403,9 @@
             "10.152.213.228"
         ],
         "related.user": [
+            "itationu",
             "ptatev",
-            "velillum",
-            "itationu"
+            "velillum"
         ],
         "rsa.counters.dclass_c1": 7245,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2486,13 +2486,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.208.33.55",
-            "10.248.102.129"
+            "10.248.102.129",
+            "10.208.33.55"
         ],
         "related.user": [
-            "ulapari",
+            "mremaper",
             "inimv",
-            "mremaper"
+            "ulapari"
         ],
         "rsa.counters.dclass_c1": 6433,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2545,13 +2545,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.203.164.132",
-            "10.109.230.216"
+            "10.109.230.216",
+            "10.203.164.132"
         ],
         "related.user": [
-            "ectobea",
             "ibus",
-            "mporin"
+            "mporin",
+            "ectobea"
         ],
         "rsa.counters.dclass_c1": 547,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2604,8 +2604,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.117.81.75",
-            "10.151.203.60"
+            "10.151.203.60",
+            "10.117.81.75"
         ],
         "related.user": [
             "iconsequ",
@@ -2663,13 +2663,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.224.217.153",
-            "10.45.152.205"
+            "10.45.152.205",
+            "10.224.217.153"
         ],
         "related.user": [
-            "utlabo",
             "eriti",
-            "imav"
+            "imav",
+            "utlabo"
         ],
         "rsa.counters.dclass_c1": 922,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2723,21 +2723,21 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.60.164.100",
-            "10.1.193.187"
+            "10.1.193.187",
+            "10.60.164.100"
         ],
         "related.user": [
-            "adipis",
+            "hite",
             "ugi",
-            "hite"
+            "adipis"
         ],
         "rsa.counters.event_counter": 508,
         "rsa.db.database": "abo",
         "rsa.internal.event_desc": "epteurs",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "allow",
-            "taevitae"
+            "taevitae",
+            "allow"
         ],
         "rsa.misc.category": "itse",
         "rsa.misc.disposition": "rever",
@@ -2791,9 +2791,9 @@
             "10.248.244.203"
         ],
         "related.user": [
+            "sum",
             "mquamei",
-            "eiusm",
-            "sum"
+            "eiusm"
         ],
         "rsa.counters.dclass_c1": 3058,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2846,9 +2846,9 @@
             "10.86.121.152"
         ],
         "related.user": [
-            "nimv",
             "ine",
-            "consecte"
+            "consecte",
+            "nimv"
         ],
         "rsa.counters.dclass_c1": 2771,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2901,13 +2901,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.204.223.184",
-            "10.201.223.119"
+            "10.201.223.119",
+            "10.204.223.184"
         ],
         "related.user": [
-            "rcit",
             "teni",
-            "tuserror"
+            "tuserror",
+            "rcit"
         ],
         "rsa.counters.dclass_c1": 4113,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -2964,8 +2964,8 @@
             "10.200.12.126"
         ],
         "related.user": [
-            "Nequepo",
             "elitsedd",
+            "Nequepo",
             "magnido"
         ],
         "rsa.counters.dclass_c1": 3243,
@@ -3021,13 +3021,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.94.89.177",
-            "10.65.225.101"
+            "10.65.225.101",
+            "10.94.89.177"
         ],
         "related.user": [
             "citation",
-            "tuserror",
-            "emquel"
+            "emquel",
+            "tuserror"
         ],
         "rsa.counters.event_counter": 2513,
         "rsa.db.database": "rspiciat",
@@ -3090,8 +3090,8 @@
         ],
         "related.user": [
             "tione",
-            "iin",
-            "uta"
+            "uta",
+            "iin"
         ],
         "rsa.counters.dclass_c1": 5836,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -3146,17 +3146,17 @@
             "10.41.181.179"
         ],
         "related.user": [
+            "iosamn",
             "equepor",
-            "niam",
-            "iosamn"
+            "niam"
         ],
         "rsa.counters.event_counter": 7468,
         "rsa.db.database": "erspicia",
         "rsa.internal.event_desc": "ibusB",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "rumwr",
-            "deny"
+            "deny",
+            "rumwr"
         ],
         "rsa.misc.category": "rporis",
         "rsa.misc.disposition": "etco",
@@ -3211,9 +3211,9 @@
             "10.21.208.103"
         ],
         "related.user": [
-            "ostr",
             "imidest",
-            "mipsa"
+            "mipsa",
+            "ostr"
         ],
         "rsa.counters.dclass_c1": 7766,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -3270,9 +3270,9 @@
             "10.23.6.216"
         ],
         "related.user": [
-            "iarchit",
             "tevelite",
-            "iamquisn"
+            "iamquisn",
+            "iarchit"
         ],
         "rsa.counters.dclass_c1": 639,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -3332,16 +3332,16 @@
         ],
         "related.user": [
             "modtempo",
-            "nofde",
-            "animide"
+            "animide",
+            "nofde"
         ],
         "rsa.counters.event_counter": 7580,
         "rsa.db.database": "Lore",
         "rsa.internal.event_desc": "nto",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "ali",
-            "cancel"
+            "cancel",
+            "ali"
         ],
         "rsa.misc.category": "sciv",
         "rsa.misc.disposition": "tlabo",
@@ -3397,9 +3397,9 @@
             "10.178.79.217"
         ],
         "related.user": [
-            "ccusan",
             "inibusBo",
-            "tqui"
+            "tqui",
+            "ccusan"
         ],
         "rsa.counters.event_counter": 3538,
         "rsa.db.database": "sequun",
@@ -3461,8 +3461,8 @@
             "10.77.86.215"
         ],
         "related.user": [
-            "meaqu",
             "rcit",
+            "meaqu",
             "xerc"
         ],
         "rsa.counters.dclass_c1": 7286,
@@ -3515,12 +3515,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.186.133.184",
-            "10.211.161.187"
+            "10.211.161.187",
+            "10.186.133.184"
         ],
         "related.user": [
-            "sci",
             "boriosa",
+            "sci",
             "acons"
         ],
         "rsa.counters.dclass_c1": 1578,
@@ -3569,8 +3569,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.254.198.47",
-            "10.160.147.230"
+            "10.160.147.230",
+            "10.254.198.47"
         ],
         "related.user": [
             "illoin",
@@ -3624,8 +3624,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.182.197.243",
-            "10.40.24.93"
+            "10.40.24.93",
+            "10.182.197.243"
         ],
         "related.user": [
             "orisnis",
@@ -3683,12 +3683,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.249.13.159",
-            "10.108.130.106"
+            "10.108.130.106",
+            "10.249.13.159"
         ],
         "related.user": [
-            "colab",
             "uisautei",
+            "colab",
             "exeacomm"
         ],
         "rsa.counters.dclass_c1": 1044,
@@ -3744,12 +3744,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.39.244.49",
-            "10.64.94.174"
+            "10.64.94.174",
+            "10.39.244.49"
         ],
         "related.user": [
-            "iunt",
             "Sedut",
+            "iunt",
             "estiae"
         ],
         "rsa.counters.event_counter": 7128,
@@ -3757,8 +3757,8 @@
         "rsa.internal.event_desc": "enimips",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "cancel",
-            "gna"
+            "gna",
+            "cancel"
         ],
         "rsa.misc.category": "Nequepor",
         "rsa.misc.disposition": "nisiu",
@@ -3923,8 +3923,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.43.244.252",
-            "10.251.212.166"
+            "10.251.212.166",
+            "10.43.244.252"
         ],
         "related.user": [
             "uptat",
@@ -4015,8 +4015,8 @@
         ],
         "related.user": [
             "mqu",
-            "uatDuisa",
-            "tesseq"
+            "tesseq",
+            "uatDuisa"
         ],
         "rsa.counters.dclass_c1": 1623,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4102,8 +4102,8 @@
         ],
         "related.user": [
             "volu",
-            "ineavol",
-            "rehe"
+            "rehe",
+            "ineavol"
         ],
         "rsa.counters.dclass_c1": 3064,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4209,12 +4209,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.57.169.205",
-            "10.172.121.239"
+            "10.172.121.239",
+            "10.57.169.205"
         ],
         "related.user": [
-            "iuta",
             "ctas",
+            "iuta",
             "ipsu"
         ],
         "rsa.counters.dclass_c1": 392,
@@ -4268,13 +4268,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.129.234.200",
-            "10.42.218.103"
+            "10.42.218.103",
+            "10.129.234.200"
         ],
         "related.user": [
+            "dquia",
             "tevelit",
-            "tisundeo",
-            "dquia"
+            "tisundeo"
         ],
         "rsa.counters.dclass_c1": 6709,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4331,8 +4331,8 @@
             "10.76.121.224"
         ],
         "related.user": [
-            "ali",
             "scive",
+            "ali",
             "oloremi"
         ],
         "rsa.counters.dclass_c1": 6155,
@@ -4390,9 +4390,9 @@
             "10.195.8.141"
         ],
         "related.user": [
+            "dolo",
             "ota",
-            "enimip",
-            "dolo"
+            "enimip"
         ],
         "rsa.counters.dclass_c1": 469,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4445,13 +4445,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.179.60.167",
-            "10.173.13.179"
+            "10.173.13.179",
+            "10.179.60.167"
         ],
         "related.user": [
+            "isn",
             "ptasn",
-            "apar",
-            "isn"
+            "apar"
         ],
         "rsa.counters.dclass_c1": 758,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4508,9 +4508,9 @@
             "10.178.190.123"
         ],
         "related.user": [
-            "ore",
+            "tiset",
             "orsi",
-            "tiset"
+            "ore"
         ],
         "rsa.counters.dclass_c1": 2290,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4591,13 +4591,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.207.198.239",
-            "10.8.147.176"
+            "10.8.147.176",
+            "10.207.198.239"
         ],
         "related.user": [
+            "aUteni",
             "incididu",
-            "Loremips",
-            "aUteni"
+            "Loremips"
         ],
         "rsa.counters.dclass_c1": 3043,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4653,9 +4653,9 @@
             "10.116.26.185"
         ],
         "related.user": [
-            "litesseq",
             "oNe",
-            "nseq"
+            "nseq",
+            "litesseq"
         ],
         "rsa.counters.dclass_c1": 3218,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4704,13 +4704,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.86.180.150",
-            "10.253.127.130"
+            "10.253.127.130",
+            "10.86.180.150"
         ],
         "related.user": [
             "mnisis",
-            "itasper",
-            "etconsec"
+            "etconsec",
+            "itasper"
         ],
         "rsa.counters.dclass_c1": 4564,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -4765,12 +4765,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.220.175.201",
-            "10.158.161.5"
+            "10.158.161.5",
+            "10.220.175.201"
         ],
         "related.user": [
-            "rrors",
-            "dolo"
+            "dolo",
+            "rrors"
         ],
         "rsa.counters.event_counter": 4098,
         "rsa.db.database": "tsed",
@@ -4856,8 +4856,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.248.16.82",
-            "10.150.27.144"
+            "10.150.27.144",
+            "10.248.16.82"
         ],
         "related.user": [
             "ditautf",
@@ -4919,9 +4919,9 @@
             "10.146.131.76"
         ],
         "related.user": [
-            "Except",
             "olo",
-            "orsi"
+            "orsi",
+            "Except"
         ],
         "rsa.counters.dclass_c1": 5844,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -5032,9 +5032,9 @@
             "10.253.175.129"
         ],
         "related.user": [
+            "ate",
             "nrep",
-            "epteurs",
-            "ate"
+            "epteurs"
         ],
         "rsa.counters.dclass_c1": 6260,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -5094,16 +5094,16 @@
         ],
         "related.user": [
             "aboris",
-            "atus",
-            "orumetMa"
+            "orumetMa",
+            "atus"
         ],
         "rsa.counters.event_counter": 5863,
         "rsa.db.database": "inventor",
         "rsa.internal.event_desc": "loi",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "block",
-            "atcupi"
+            "atcupi",
+            "block"
         ],
         "rsa.misc.category": "tation",
         "rsa.misc.disposition": "seddoe",
@@ -5155,12 +5155,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.81.108.232",
-            "10.52.106.68"
+            "10.52.106.68",
+            "10.81.108.232"
         ],
         "related.user": [
-            "aco",
             "neavolup",
+            "aco",
             "uaturve"
         ],
         "rsa.counters.event_counter": 5098,
@@ -5168,8 +5168,8 @@
         "rsa.internal.event_desc": "pis",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "Quisaut",
-            "allow"
+            "allow",
+            "Quisaut"
         ],
         "rsa.misc.category": "idol",
         "rsa.misc.disposition": "mmodico",
@@ -5222,21 +5222,21 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.223.10.28",
-            "10.230.48.97"
+            "10.230.48.97",
+            "10.223.10.28"
         ],
         "related.user": [
-            "erit",
+            "usmodte",
             "untex",
-            "usmodte"
+            "erit"
         ],
         "rsa.counters.event_counter": 4029,
         "rsa.db.database": "ommodi",
         "rsa.internal.event_desc": "itatiset",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "tconse",
-            "deny"
+            "deny",
+            "tconse"
         ],
         "rsa.misc.category": "uaerat",
         "rsa.misc.disposition": "met",
@@ -5291,9 +5291,9 @@
             "10.161.212.150"
         ],
         "related.user": [
-            "tasnul",
             "sequamn",
-            "res"
+            "res",
+            "tasnul"
         ],
         "rsa.counters.dclass_c1": 4846,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -5348,21 +5348,21 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.247.108.144",
-            "10.226.75.20"
+            "10.226.75.20",
+            "10.247.108.144"
         ],
         "related.user": [
-            "fugia",
             "tema",
-            "maccusan"
+            "maccusan",
+            "fugia"
         ],
         "rsa.counters.event_counter": 3711,
         "rsa.db.database": "psa",
         "rsa.internal.event_desc": "stiaec",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "block",
-            "iat"
+            "iat",
+            "block"
         ],
         "rsa.misc.category": "officia",
         "rsa.misc.disposition": "ametcon",
@@ -5412,12 +5412,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.192.15.65",
-            "10.97.22.61"
+            "10.97.22.61",
+            "10.192.15.65"
         ],
         "related.user": [
-            "rExcep",
             "nimides",
+            "rExcep",
             "illumd"
         ],
         "rsa.counters.dclass_c1": 4173,
@@ -5469,8 +5469,8 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.116.76.161",
-            "10.197.254.133"
+            "10.197.254.133",
+            "10.116.76.161"
         ],
         "related.user": [
             "ide",
@@ -5482,8 +5482,8 @@
         "rsa.internal.event_desc": "ritat",
         "rsa.internal.messageid": "Imperva",
         "rsa.misc.action": [
-            "quid",
-            "cancel"
+            "cancel",
+            "quid"
         ],
         "rsa.misc.category": "dipi",
         "rsa.misc.disposition": "asnulapa",
@@ -5533,13 +5533,13 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.28.77.79",
-            "10.144.14.15"
+            "10.144.14.15",
+            "10.28.77.79"
         ],
         "related.user": [
-            "rspic",
+            "upta",
             "utlab",
-            "upta"
+            "rspic"
         ],
         "rsa.counters.dclass_c1": 4810,
         "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -5591,12 +5591,12 @@
         "observer.type": "WAF",
         "observer.vendor": "Imperva",
         "related.ip": [
-            "10.18.15.43",
-            "10.248.177.182"
+            "10.248.177.182",
+            "10.18.15.43"
         ],
         "related.user": [
-            "quei",
             "quaturve",
+            "quei",
             "caecat"
         ],
         "rsa.counters.dclass_c1": 983,
diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
index 84a3179ce567..530aa6f4cc11 100644
--- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json
@@ -974,8 +974,8 @@
         "observer.type": "DDOS",
         "observer.vendor": "Netscout",
         "related.ip": [
-            "10.168.131.247",
-            "10.136.232.108"
+            "10.136.232.108",
+            "10.168.131.247"
         ],
         "rsa.internal.messageid": "Blocked_Host",
         "rsa.misc.msgIdPart1": "Blocked",
@@ -1674,8 +1674,8 @@
         "observer.type": "DDOS",
         "observer.vendor": "Netscout",
         "related.ip": [
-            "10.216.83.142",
-            "10.224.198.212"
+            "10.224.198.212",
+            "10.216.83.142"
         ],
         "rsa.internal.messageid": "anomaly",
         "rsa.misc.category": "utodita",
@@ -1712,8 +1712,8 @@
         "observer.type": "DDOS",
         "observer.vendor": "Netscout",
         "related.ip": [
-            "10.28.226.128",
-            "10.122.76.148"
+            "10.122.76.148",
+            "10.28.226.128"
         ],
         "rsa.internal.messageid": "Blocked_Host",
         "rsa.misc.msgIdPart1": "Blocked",
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
index 92415bf00c4d..56a4f778e7f4 100644
--- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
@@ -59,7 +59,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -127,7 +127,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -195,7 +195,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -263,7 +263,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
index d6e9404a8425..b5c79d506d1f 100644
--- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
@@ -67,7 +67,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -143,7 +143,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -219,7 +219,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -295,7 +295,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -372,7 +372,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -448,7 +448,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -524,7 +524,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -601,7 +601,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -677,7 +677,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -753,7 +753,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -829,7 +829,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
index 9f10e9f89f34..cc096b3acc25 100644
--- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
@@ -316,7 +316,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -390,7 +390,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -465,7 +465,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -540,7 +540,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -615,7 +615,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
         "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
index 2daa90ba4b75..60c77401b355 100644
--- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
@@ -88,7 +88,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -185,7 +185,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -282,7 +282,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -379,7 +379,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -476,7 +476,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -573,7 +573,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -670,7 +670,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -767,7 +767,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -864,7 +864,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -961,7 +961,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1058,7 +1058,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1155,7 +1155,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1252,7 +1252,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1349,7 +1349,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1443,7 +1443,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1540,7 +1540,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1637,7 +1637,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1731,7 +1731,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1828,7 +1828,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -1925,7 +1925,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2022,7 +2022,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2119,7 +2119,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2216,7 +2216,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2313,7 +2313,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2410,7 +2410,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2507,7 +2507,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2604,7 +2604,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2701,7 +2701,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2798,7 +2798,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2894,7 +2894,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -2992,7 +2992,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3076,7 +3076,7 @@
             "forwarded"
         ],
         "user.id": "Unknown",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3173,7 +3173,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3257,7 +3257,7 @@
             "forwarded"
         ],
         "user.id": "Unknown",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3355,7 +3355,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3439,7 +3439,7 @@
             "forwarded"
         ],
         "user.id": "Unknown",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3537,7 +3537,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3634,7 +3634,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3731,7 +3731,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3815,7 +3815,7 @@
             "forwarded"
         ],
         "user.id": "Unknown",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -3913,7 +3913,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4007,7 +4007,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4104,7 +4104,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4201,7 +4201,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4285,7 +4285,7 @@
             "forwarded"
         ],
         "user.id": "Unknown",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4382,7 +4382,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4479,7 +4479,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4576,7 +4576,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4673,7 +4673,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4770,7 +4770,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4867,7 +4867,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -4964,7 +4964,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5061,7 +5061,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5158,7 +5158,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5255,7 +5255,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5352,7 +5352,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5449,7 +5449,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5546,7 +5546,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5640,7 +5640,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5737,7 +5737,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5834,7 +5834,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -5931,7 +5931,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6028,7 +6028,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6125,7 +6125,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6222,7 +6222,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6319,7 +6319,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6416,7 +6416,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6513,7 +6513,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
@@ -6610,7 +6610,7 @@
         "user.domain": "testsiem.onmicrosoft.com",
         "user.id": "asr@testsiem.onmicrosoft.com",
         "user.name": "asr",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index c85eeff2148f..437a7ea5627a 100644
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -65,7 +65,7 @@
         "tags": [
             "forwarded"
         ],
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.15",
@@ -140,7 +140,7 @@
         "tags": [
             "forwarded"
         ],
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.15",
@@ -230,7 +230,7 @@
         "tags": [
             "forwarded"
         ],
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Firefox",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
         "user_agent.os.full": "Mac OS X 10.15",
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
index 6892f63bb1c5..56ba3e6e78d4 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
@@ -544,9 +544,9 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
+            "10.245.200.97",
             "10.34.161.166",
-            "10.219.116.137",
-            "10.245.200.97"
+            "10.219.116.137"
         ],
         "rsa.internal.event_desc": "rehend",
         "rsa.internal.messageid": "428",
@@ -592,8 +592,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.118.80.140",
-            "10.252.122.195"
+            "10.252.122.195",
+            "10.118.80.140"
         ],
         "rsa.internal.messageid": "401",
         "rsa.internal.msg": "inesci",
@@ -965,8 +965,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.126.34.82",
-            "10.14.1.45"
+            "10.14.1.45",
+            "10.126.34.82"
         ],
         "rsa.internal.messageid": "196",
         "rsa.internal.msg": "vita",
@@ -999,8 +999,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.251.20.13",
-            "10.101.74.44"
+            "10.101.74.44",
+            "10.251.20.13"
         ],
         "related.user": [
             "rsitv"
@@ -1173,8 +1173,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.54.14.189",
-            "10.216.125.252"
+            "10.216.125.252",
+            "10.54.14.189"
         ],
         "rsa.internal.messageid": "402",
         "rsa.internal.msg": "tvol",
@@ -1208,8 +1208,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.97.124.211",
-            "10.53.113.23"
+            "10.53.113.23",
+            "10.97.124.211"
         ],
         "rsa.identity.user_sid_dst": "iumdol",
         "rsa.internal.messageid": "1154",
@@ -1304,8 +1304,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.108.249.60",
-            "10.76.110.144"
+            "10.76.110.144",
+            "10.108.249.60"
         ],
         "rsa.internal.messageid": "931",
         "rsa.internal.msg": "qua",
@@ -1378,8 +1378,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.147.88.219",
-            "10.31.190.145"
+            "10.31.190.145",
+            "10.147.88.219"
         ],
         "related.user": [
             "corpori"
@@ -1420,9 +1420,9 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.108.84.24",
             "10.113.100.237",
-            "10.251.248.228"
+            "10.251.248.228",
+            "10.108.84.24"
         ],
         "rsa.internal.event_desc": "volupt",
         "rsa.internal.messageid": "606",
@@ -1820,8 +1820,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.116.173.79",
-            "10.185.37.32"
+            "10.185.37.32",
+            "10.116.173.79"
         ],
         "rsa.internal.messageid": "178",
         "rsa.internal.msg": "ende",
@@ -2094,8 +2094,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.222.169.140",
-            "10.117.63.181"
+            "10.117.63.181",
+            "10.222.169.140"
         ],
         "rsa.internal.messageid": "195",
         "rsa.internal.msg": "magnaal",
@@ -2318,8 +2318,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.125.85.128",
-            "10.78.29.246"
+            "10.78.29.246",
+            "10.125.85.128"
         ],
         "rsa.internal.messageid": "355",
         "rsa.internal.msg": "labo",
@@ -2571,8 +2571,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.143.0.78",
-            "10.250.149.166"
+            "10.250.149.166",
+            "10.143.0.78"
         ],
         "rsa.internal.messageid": "713",
         "rsa.misc.action": [
@@ -2673,8 +2673,8 @@
         "observer.type": "Firewall",
         "observer.vendor": "Sonicwall",
         "related.ip": [
-            "10.179.3.247",
-            "10.219.228.115"
+            "10.219.228.115",
+            "10.179.3.247"
         ],
         "rsa.internal.messageid": "373",
         "rsa.misc.action": [
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
index 5f0e879398ac..3bd7adbce314 100644
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
@@ -22,8 +22,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "209.73.177.115"
+            "209.73.177.115",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -83,8 +83,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "207.58.145.61"
+            "207.58.145.61",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -158,8 +158,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_REFRESH_HIT"
+            "TCP_REFRESH_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -320,8 +320,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -368,8 +368,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "66.102.9.147"
+            "66.102.9.147",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -380,8 +380,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
@@ -443,8 +443,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_REFRESH_HIT",
-            "GET"
+            "GET",
+            "TCP_REFRESH_HIT"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -494,8 +494,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "207.58.145.61"
+            "207.58.145.61",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -506,8 +506,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_REFRESH_HIT"
+            "TCP_REFRESH_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -557,8 +557,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "207.58.145.61"
+            "207.58.145.61",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -670,8 +670,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "209.85.16.38",
-            "10.105.21.199"
+            "10.105.21.199",
+            "209.85.16.38"
         ],
         "related.user": [
             "badeyek"
@@ -682,8 +682,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -861,8 +861,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -962,8 +962,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "207.58.145.61",
-            "10.105.21.199"
+            "10.105.21.199",
+            "207.58.145.61"
         ],
         "related.user": [
             "badeyek"
@@ -974,8 +974,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_REFRESH_HIT"
+            "TCP_REFRESH_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -1083,8 +1083,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "64.127.126.178"
+            "64.127.126.178",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -1158,8 +1158,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "302",
@@ -1317,8 +1317,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "209.73.177.115",
-            "10.105.21.199"
+            "10.105.21.199",
+            "209.73.177.115"
         ],
         "related.user": [
             "badeyek"
@@ -1328,8 +1328,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "CONNECT"
+            "CONNECT",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "200",
@@ -1378,8 +1378,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_DENIED",
-            "GET"
+            "GET",
+            "TCP_DENIED"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -1425,8 +1425,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "216.155.194.239"
+            "216.155.194.239",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -1498,8 +1498,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -1561,8 +1561,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/css",
         "rsa.misc.result_code": "200",
@@ -1669,8 +1669,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -1719,8 +1719,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_IMS_HIT",
-            "GET"
+            "GET",
+            "TCP_IMS_HIT"
         ],
         "rsa.misc.content_type": "text/css",
         "rsa.misc.result_code": "304",
@@ -1769,8 +1769,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_IMS_HIT",
-            "GET"
+            "GET",
+            "TCP_IMS_HIT"
         ],
         "rsa.misc.content_type": "text/css",
         "rsa.misc.result_code": "304",
@@ -1819,8 +1819,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "204.13.51.238",
-            "10.105.47.218"
+            "10.105.47.218",
+            "204.13.51.238"
         ],
         "related.user": [
             "nazsoau"
@@ -1882,8 +1882,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.47.218",
-            "204.13.51.238"
+            "204.13.51.238",
+            "10.105.47.218"
         ],
         "related.user": [
             "nazsoau"
@@ -1894,8 +1894,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "text/css",
         "rsa.misc.result_code": "200",
@@ -1941,8 +1941,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "216.155.194.239"
+            "216.155.194.239",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -1997,8 +1997,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.194.14"
+            "68.142.194.14",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -2009,8 +2009,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -2057,8 +2057,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.219.132",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.219.132"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -2116,8 +2116,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "216.155.194.239"
+            "216.155.194.239",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -2127,8 +2127,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "POST"
+            "POST",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/plain",
         "rsa.misc.result_code": "200",
@@ -2185,8 +2185,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/xml",
         "rsa.misc.result_code": "200",
@@ -2236,8 +2236,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "63.245.209.21"
+            "63.245.209.21",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -2248,8 +2248,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "302",
@@ -2295,8 +2295,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.231.252",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.231.252"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -2461,8 +2461,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "POST",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "POST"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -2510,8 +2510,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "POST",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "POST"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -2558,8 +2558,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "CONNECT",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "CONNECT"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -2618,8 +2618,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_REFRESH_HIT",
-            "GET"
+            "GET",
+            "TCP_REFRESH_HIT"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -2714,8 +2714,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.219.132",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.219.132"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -2726,8 +2726,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_REFRESH_HIT",
-            "GET"
+            "GET",
+            "TCP_REFRESH_HIT"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -2784,8 +2784,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "POST"
+            "POST",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/plain",
         "rsa.misc.result_code": "200",
@@ -2904,8 +2904,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_REFRESH_HIT"
+            "TCP_REFRESH_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -3050,8 +3050,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.219.132"
+            "68.142.219.132",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -3110,8 +3110,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.219.132"
+            "68.142.219.132",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -3122,8 +3122,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_REFRESH_HIT",
-            "GET"
+            "GET",
+            "TCP_REFRESH_HIT"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -3170,8 +3170,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.219.132",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.219.132"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -3182,8 +3182,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_REFRESH_HIT"
+            "TCP_REFRESH_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -3230,8 +3230,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.219.132",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.219.132"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -3242,8 +3242,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_REFRESH_HIT",
-            "GET"
+            "GET",
+            "TCP_REFRESH_HIT"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -3342,8 +3342,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_IMS_HIT",
-            "GET"
+            "GET",
+            "TCP_IMS_HIT"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "304",
@@ -3392,8 +3392,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_HIT"
+            "TCP_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
@@ -3440,8 +3440,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "212.58.226.33",
-            "10.105.21.199"
+            "10.105.21.199",
+            "212.58.226.33"
         ],
         "related.user": [
             "badeyek"
@@ -3671,8 +3671,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "POST"
+            "POST",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "302",
@@ -3782,8 +3782,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "68.142.219.132",
-            "10.105.33.214"
+            "10.105.33.214",
+            "68.142.219.132"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -3794,8 +3794,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "text/xml",
         "rsa.misc.result_code": "200",
@@ -3854,8 +3854,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/xml",
         "rsa.misc.result_code": "200",
@@ -3914,8 +3914,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -3964,8 +3964,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -4014,8 +4014,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -4125,8 +4125,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.219.132"
+            "68.142.219.132",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -4137,8 +4137,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "302",
@@ -4197,8 +4197,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "200",
@@ -4308,8 +4308,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.219.132"
+            "68.142.219.132",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -4378,8 +4378,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
@@ -4424,8 +4424,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "68.142.194.14"
+            "68.142.194.14",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -4436,8 +4436,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
@@ -4715,8 +4715,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "209.73.177.115"
+            "209.73.177.115",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -4789,8 +4789,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "-",
         "rsa.misc.result_code": "304",
@@ -4840,8 +4840,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "213.160.98.159",
-            "10.105.33.214"
+            "10.105.33.214",
+            "213.160.98.159"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -4953,8 +4953,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.33.214",
-            "213.160.98.167"
+            "213.160.98.167",
+            "10.105.33.214"
         ],
         "related.user": [
             "adeolaegbedokun"
@@ -5091,8 +5091,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_MISS"
+            "TCP_MISS",
+            "GET"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "304",
@@ -5141,8 +5141,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -5191,8 +5191,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_DENIED"
+            "TCP_DENIED",
+            "GET"
         ],
         "rsa.misc.content_type": "text/html",
         "rsa.misc.result_code": "407",
@@ -5249,8 +5249,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_MISS",
-            "GET"
+            "GET",
+            "TCP_MISS"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
@@ -5297,8 +5297,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "10.105.21.199",
-            "217.12.10.96"
+            "217.12.10.96",
+            "10.105.21.199"
         ],
         "related.user": [
             "badeyek"
@@ -5408,8 +5408,8 @@
         "observer.type": "Proxies",
         "observer.vendor": "Squid",
         "related.ip": [
-            "213.160.98.169",
-            "10.105.21.199"
+            "10.105.21.199",
+            "213.160.98.169"
         ],
         "related.user": [
             "badeyek"
@@ -5420,8 +5420,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "TCP_SWAPFAIL_MISS",
-            "GET"
+            "GET",
+            "TCP_SWAPFAIL_MISS"
         ],
         "rsa.misc.content_type": "application/x-javascript",
         "rsa.misc.result_code": "200",
@@ -5470,8 +5470,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_HIT"
+            "TCP_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "text/css",
         "rsa.misc.result_code": "200",
@@ -5683,8 +5683,8 @@
         "rsa.investigations.ec_subject": "NetworkComm",
         "rsa.investigations.ec_theme": "ALM",
         "rsa.misc.action": [
-            "GET",
-            "TCP_HIT"
+            "TCP_HIT",
+            "GET"
         ],
         "rsa.misc.content_type": "image/gif",
         "rsa.misc.result_code": "200",
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index 5d44c5bd12f2..9fc69ab77543 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -150,7 +150,7 @@
         "url.domain": "192.168.86.28",
         "url.original": "/dd.xml",
         "url.path": "/dd.xml",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.13.5",
@@ -208,7 +208,7 @@
         "url.domain": "192.168.86.28",
         "url.original": "/ssdp/device-desc.xml",
         "url.path": "/ssdp/device-desc.xml",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.13.5",
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index 4df04b99e4de..eb9298f3d1b4 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -45,7 +45,7 @@
         "url.domain": "example.com",
         "url.query": "amremap",
         "user.name": "rci",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -208,7 +208,7 @@
         "url.domain": "www5.example.org",
         "url.query": "con",
         "user.name": "tur",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -872,7 +872,7 @@
         "url.domain": "internal.example.net",
         "url.query": "iades",
         "user.name": "tat",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1313,7 +1313,7 @@
         "url.domain": "internal.example.com",
         "url.query": "tet",
         "user.name": "ionevo",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "POCOPHONE F1",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1370,7 +1370,7 @@
         "url.domain": "example.net",
         "url.query": "orem",
         "user.name": "tenbyCi",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1703,7 +1703,7 @@
         "url.domain": "example.com",
         "url.query": "tutlab",
         "user.name": "siut",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1921,7 +1921,7 @@
         "url.domain": "api.example.net",
         "url.query": "tincu",
         "user.name": "mve",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1978,7 +1978,7 @@
         "url.domain": "mail.example.org",
         "url.query": "rsita",
         "user.name": "uat",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "POCOPHONE F1",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2143,7 +2143,7 @@
         "url.domain": "mail.example.com",
         "url.query": "uptatemU",
         "user.name": "ore",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -2360,7 +2360,7 @@
         "url.domain": "api.example.com",
         "url.query": "urExce",
         "user.name": "eporroq",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2417,7 +2417,7 @@
         "url.domain": "example.net",
         "url.query": "erun",
         "user.name": "fugitse",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2579,7 +2579,7 @@
         "url.domain": "www.example.net",
         "url.query": "quasiar",
         "user.name": "econs",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "POCOPHONE F1",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2693,7 +2693,7 @@
         "url.domain": "internal.example.net",
         "url.query": "taliqui",
         "user.name": "leumiur",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Yandex Browser",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.15.6",
@@ -2750,7 +2750,7 @@
         "url.domain": "mail.example.net",
         "url.query": "atnulapa",
         "user.name": "quaU",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2861,7 +2861,7 @@
         "url.domain": "api.example.org",
         "url.query": "incidid",
         "user.name": "tiumto",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2969,7 +2969,7 @@
         "url.domain": "example.org",
         "url.query": "atem",
         "user.name": "ntmo",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "LM-V350",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 10",
@@ -3689,7 +3689,7 @@
         "url.domain": "www5.example.com",
         "url.query": "Utenimad",
         "user.name": "ptate",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -3743,7 +3743,7 @@
         "url.domain": "www.example.net",
         "url.query": "aqui",
         "user.name": "ventor",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -3908,7 +3908,7 @@
         "url.domain": "www5.example.net",
         "url.query": "oremip",
         "user.name": "oluptat",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "LM-V350",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 10",
@@ -4181,7 +4181,7 @@
         "url.domain": "example.com",
         "url.query": "miurere",
         "user.name": "cin",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -4460,7 +4460,7 @@
         "url.domain": "www5.example.com",
         "url.query": "luptasnu",
         "user.name": "mmo",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -5343,7 +5343,7 @@
         "url.domain": "api.example.net",
         "url.query": "aborio",
         "user.name": "uira",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -5511,7 +5511,7 @@
         "url.domain": "internal.example.org",
         "url.query": "nidol",
         "user.name": "mco",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
index 2df5f4bcff83..ea74e1c3b31a 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -23,8 +23,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.176.10.114",
-            "10.206.191.17"
+            "10.206.191.17",
+            "10.176.10.114"
         ],
         "related.user": [
             "sumdo"
@@ -182,8 +182,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "uptassi",
         "rsa.misc.action": [
-            "Blocked",
-            "giatq"
+            "giatq",
+            "Blocked"
         ],
         "rsa.misc.category": "llu",
         "rsa.misc.filter": "tconsec",
@@ -208,7 +208,7 @@
         ],
         "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte",
         "user.name": "tenima",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -240,8 +240,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.103.246.190",
-            "10.252.125.53"
+            "10.252.125.53",
+            "10.103.246.190"
         ],
         "related.user": [
             "equun"
@@ -255,8 +255,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ima",
         "rsa.misc.action": [
-            "Allowed",
-            "llam"
+            "llam",
+            "Allowed"
         ],
         "rsa.misc.category": "aboris",
         "rsa.misc.filter": "atatnonp",
@@ -281,7 +281,7 @@
         ],
         "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid",
         "user.name": "equun",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -313,8 +313,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.61.78.108",
-            "10.136.153.149"
+            "10.136.153.149",
+            "10.61.78.108"
         ],
         "related.user": [
             "ercit"
@@ -328,8 +328,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "inim",
         "rsa.misc.action": [
-            "reetdolo",
-            "Blocked"
+            "Blocked",
+            "reetdolo"
         ],
         "rsa.misc.category": "osquir",
         "rsa.misc.filter": "ipit",
@@ -386,8 +386,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.183.16.166",
-            "10.66.250.92"
+            "10.66.250.92",
+            "10.183.16.166"
         ],
         "related.user": [
             "tessec"
@@ -401,8 +401,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "avol",
         "rsa.misc.action": [
-            "ist",
-            "Allowed"
+            "Allowed",
+            "ist"
         ],
         "rsa.misc.category": "lorema",
         "rsa.misc.filter": "sun",
@@ -474,8 +474,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "lupt",
         "rsa.misc.action": [
-            "dun",
-            "Blocked"
+            "Blocked",
+            "dun"
         ],
         "rsa.misc.category": "rsitamet",
         "rsa.misc.filter": "usmod",
@@ -532,8 +532,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.74.17.5",
-            "10.119.185.63"
+            "10.119.185.63",
+            "10.74.17.5"
         ],
         "related.user": [
             "erc"
@@ -547,8 +547,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tame",
         "rsa.misc.action": [
-            "nsec",
-            "Blocked"
+            "Blocked",
+            "nsec"
         ],
         "rsa.misc.category": "emaperi",
         "rsa.misc.filter": "rehe",
@@ -605,8 +605,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.78.151.178",
-            "10.25.192.202"
+            "10.25.192.202",
+            "10.78.151.178"
         ],
         "related.user": [
             "quip"
@@ -620,8 +620,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "atquovo",
         "rsa.misc.action": [
-            "amvolup",
-            "Allowed"
+            "Allowed",
+            "amvolup"
         ],
         "rsa.misc.category": "hil",
         "rsa.misc.filter": "deFinibu",
@@ -678,8 +678,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.71.170.37",
-            "10.135.225.244"
+            "10.135.225.244",
+            "10.71.170.37"
         ],
         "related.user": [
             "atu"
@@ -693,8 +693,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ihilm",
         "rsa.misc.action": [
-            "psaquae",
-            "Allowed"
+            "Allowed",
+            "psaquae"
         ],
         "rsa.misc.category": "eFinib",
         "rsa.misc.filter": "inesci",
@@ -719,7 +719,7 @@
         ],
         "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe",
         "user.name": "atu",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "POCOPHONE F1",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -865,7 +865,7 @@
         ],
         "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos",
         "user.name": "ihilmo",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -897,8 +897,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.31.240.6",
-            "10.167.98.76"
+            "10.167.98.76",
+            "10.31.240.6"
         ],
         "related.user": [
             "ratvolu"
@@ -970,8 +970,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.135.160.125",
-            "10.0.55.9"
+            "10.0.55.9",
+            "10.135.160.125"
         ],
         "related.user": [
             "volupta"
@@ -1058,8 +1058,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "nnum",
         "rsa.misc.action": [
-            "ntoccae",
-            "Allowed"
+            "Allowed",
+            "ntoccae"
         ],
         "rsa.misc.category": "tium",
         "rsa.misc.filter": "uteirure",
@@ -1116,8 +1116,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.5.126.127",
-            "10.252.124.150"
+            "10.252.124.150",
+            "10.5.126.127"
         ],
         "related.user": [
             "inibusB"
@@ -1131,8 +1131,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "mod",
         "rsa.misc.action": [
-            "xeacomm",
-            "Allowed"
+            "Allowed",
+            "xeacomm"
         ],
         "rsa.misc.category": "sauteiru",
         "rsa.misc.filter": "antiu",
@@ -1277,8 +1277,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "quid",
         "rsa.misc.action": [
-            "itecto",
-            "Allowed"
+            "Allowed",
+            "itecto"
         ],
         "rsa.misc.category": "quam",
         "rsa.misc.filter": "adeser",
@@ -1408,8 +1408,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.29.155.171",
-            "10.229.83.165"
+            "10.229.83.165",
+            "10.29.155.171"
         ],
         "related.user": [
             "ulapar"
@@ -1423,8 +1423,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "vitaedi",
         "rsa.misc.action": [
-            "llitanim",
-            "Allowed"
+            "Allowed",
+            "llitanim"
         ],
         "rsa.misc.category": "apariat",
         "rsa.misc.filter": "tasnulap",
@@ -1481,8 +1481,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.129.192.145",
-            "10.161.148.64"
+            "10.161.148.64",
+            "10.129.192.145"
         ],
         "related.user": [
             "lor"
@@ -1554,8 +1554,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.7.200.140",
-            "10.203.65.161"
+            "10.203.65.161",
+            "10.7.200.140"
         ],
         "related.user": [
             "snost"
@@ -1569,8 +1569,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tdol",
         "rsa.misc.action": [
-            "Allowed",
-            "nte"
+            "nte",
+            "Allowed"
         ],
         "rsa.misc.category": "adeseru",
         "rsa.misc.filter": "mac",
@@ -1642,8 +1642,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "iutali",
         "rsa.misc.action": [
-            "Blocked",
-            "atcupi"
+            "atcupi",
+            "Blocked"
         ],
         "rsa.misc.category": "isetq",
         "rsa.misc.filter": "equinesc",
@@ -1700,8 +1700,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.24.111.229",
-            "10.39.31.115"
+            "10.39.31.115",
+            "10.24.111.229"
         ],
         "related.user": [
             "fugi"
@@ -1741,7 +1741,7 @@
         ],
         "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu",
         "user.name": "fugi",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -1788,8 +1788,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "riss",
         "rsa.misc.action": [
-            "Blocked",
-            "risnis"
+            "risnis",
+            "Blocked"
         ],
         "rsa.misc.category": "emqu",
         "rsa.misc.filter": "oluptas",
@@ -1846,8 +1846,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.128.173.19",
-            "10.88.172.34"
+            "10.88.172.34",
+            "10.128.173.19"
         ],
         "related.user": [
             "agnaaliq"
@@ -1919,8 +1919,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.130.241.232",
-            "10.238.224.49"
+            "10.238.224.49",
+            "10.130.241.232"
         ],
         "related.user": [
             "onse"
@@ -1960,7 +1960,7 @@
         ],
         "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug",
         "user.name": "onse",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "POCOPHONE F1",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2033,7 +2033,7 @@
         ],
         "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore",
         "user.name": "Cic",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2106,7 +2106,7 @@
         ],
         "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula",
         "user.name": "ueipsa",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2138,8 +2138,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.18.226.72",
-            "10.101.85.169"
+            "10.101.85.169",
+            "10.18.226.72"
         ],
         "related.user": [
             "rroqu"
@@ -2153,8 +2153,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "moles",
         "rsa.misc.action": [
-            "Allowed",
-            "vitaed"
+            "vitaed",
+            "Allowed"
         ],
         "rsa.misc.category": "billoi",
         "rsa.misc.filter": "suntex",
@@ -2179,7 +2179,7 @@
         ],
         "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema",
         "user.name": "rroqu",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -2211,8 +2211,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.87.100.240",
-            "10.242.182.193"
+            "10.242.182.193",
+            "10.87.100.240"
         ],
         "related.user": [
             "stenatus"
@@ -2284,8 +2284,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.80.57.247",
-            "10.229.242.223"
+            "10.229.242.223",
+            "10.80.57.247"
         ],
         "related.user": [
             "itasp"
@@ -2357,8 +2357,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.106.77.138",
-            "10.193.66.155"
+            "10.193.66.155",
+            "10.106.77.138"
         ],
         "related.user": [
             "iusmodt"
@@ -2372,8 +2372,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "uteir",
         "rsa.misc.action": [
-            "Allowed",
-            "Section"
+            "Section",
+            "Allowed"
         ],
         "rsa.misc.category": "cididu",
         "rsa.misc.filter": "Utenima",
@@ -2430,8 +2430,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.236.230.136",
-            "10.54.159.1"
+            "10.54.159.1",
+            "10.236.230.136"
         ],
         "related.user": [
             "mUteni"
@@ -2518,8 +2518,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tvolup",
         "rsa.misc.action": [
-            "utemvel",
-            "Allowed"
+            "Allowed",
+            "utemvel"
         ],
         "rsa.misc.category": "untutlab",
         "rsa.misc.filter": "dol",
@@ -2649,8 +2649,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.128.184.241",
-            "10.138.188.201"
+            "10.138.188.201",
+            "10.128.184.241"
         ],
         "related.user": [
             "etur"
@@ -2810,8 +2810,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "idolores",
         "rsa.misc.action": [
-            "lestia",
-            "Blocked"
+            "Blocked",
+            "lestia"
         ],
         "rsa.misc.category": "risni",
         "rsa.misc.filter": "emacc",
@@ -2868,8 +2868,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.33.144.10",
-            "10.202.224.79"
+            "10.202.224.79",
+            "10.33.144.10"
         ],
         "related.user": [
             "rios"
@@ -2883,8 +2883,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "lit",
         "rsa.misc.action": [
-            "Blocked",
-            "quu"
+            "quu",
+            "Blocked"
         ],
         "rsa.misc.category": "oluptate",
         "rsa.misc.filter": "exercita",
@@ -2982,7 +2982,7 @@
         ],
         "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex",
         "user.name": "CSe",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -3029,8 +3029,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "voluptas",
         "rsa.misc.action": [
-            "olor",
-            "Allowed"
+            "Allowed",
+            "olor"
         ],
         "rsa.misc.category": "ataevita",
         "rsa.misc.filter": "nderi",
@@ -3160,8 +3160,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.137.164.122",
-            "10.143.0.78"
+            "10.143.0.78",
+            "10.137.164.122"
         ],
         "related.user": [
             "orissus"
@@ -3233,8 +3233,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.30.87.51",
-            "10.156.177.53"
+            "10.156.177.53",
+            "10.30.87.51"
         ],
         "related.user": [
             "psaquaea"
@@ -3321,8 +3321,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tatemse",
         "rsa.misc.action": [
-            "upta",
-            "Blocked"
+            "Blocked",
+            "upta"
         ],
         "rsa.misc.category": "tlabo",
         "rsa.misc.filter": "aliqui",
@@ -3379,8 +3379,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.141.195.13",
-            "10.180.150.47"
+            "10.180.150.47",
+            "10.141.195.13"
         ],
         "related.user": [
             "taliq"
@@ -3394,8 +3394,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "itesse",
         "rsa.misc.action": [
-            "Allowed",
-            "uip"
+            "uip",
+            "Allowed"
         ],
         "rsa.misc.category": "teturad",
         "rsa.misc.filter": "roquisqu",
@@ -3452,8 +3452,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.255.40.12",
-            "10.166.195.20"
+            "10.166.195.20",
+            "10.255.40.12"
         ],
         "related.user": [
             "lamcolab"
@@ -3467,8 +3467,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "mipsumq",
         "rsa.misc.action": [
-            "Allowed",
-            "citation"
+            "citation",
+            "Allowed"
         ],
         "rsa.misc.category": "usant",
         "rsa.misc.filter": "Nem",
@@ -3523,8 +3523,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.100.143.226",
-            "10.22.122.43"
+            "10.22.122.43",
+            "10.100.143.226"
         ],
         "related.user": [
             "ute"
@@ -3538,8 +3538,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ento",
         "rsa.misc.action": [
-            "Blocked",
-            "Bonoru"
+            "Bonoru",
+            "Blocked"
         ],
         "rsa.misc.category": "luptasnu",
         "rsa.misc.filter": "quamni",
@@ -3564,7 +3564,7 @@
         ],
         "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu",
         "user.name": "ute",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Yandex Browser",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.15.6",
@@ -3596,8 +3596,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.121.9.5",
-            "10.119.53.68"
+            "10.119.53.68",
+            "10.121.9.5"
         ],
         "related.user": [
             "ssec"
@@ -3611,8 +3611,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "dexea",
         "rsa.misc.action": [
-            "tinvolup",
-            "Blocked"
+            "Blocked",
+            "tinvolup"
         ],
         "rsa.misc.category": "ende",
         "rsa.misc.filter": "onse",
@@ -3755,8 +3755,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "epor",
         "rsa.misc.action": [
-            "etquasia",
-            "Allowed"
+            "Allowed",
+            "etquasia"
         ],
         "rsa.misc.category": "iaturE",
         "rsa.misc.filter": "rep",
@@ -3809,8 +3809,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.39.46.155",
-            "10.120.138.109"
+            "10.120.138.109",
+            "10.39.46.155"
         ],
         "related.user": [
             "picia"
@@ -3824,8 +3824,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "adipisc",
         "rsa.misc.action": [
-            "exer",
-            "Blocked"
+            "Blocked",
+            "exer"
         ],
         "rsa.misc.category": "remagna",
         "rsa.misc.filter": "emvel",
@@ -3850,7 +3850,7 @@
         ],
         "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi",
         "user.name": "picia",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -3897,8 +3897,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ecillum",
         "rsa.misc.action": [
-            "emp",
-            "Blocked"
+            "Blocked",
+            "emp"
         ],
         "rsa.misc.category": "ciati",
         "rsa.misc.filter": "elit",
@@ -4333,8 +4333,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tDuisaut",
         "rsa.misc.action": [
-            "upidatat",
-            "Allowed"
+            "Allowed",
+            "upidatat"
         ],
         "rsa.misc.category": "aliquide",
         "rsa.misc.filter": "deriti",
@@ -4359,7 +4359,7 @@
         ],
         "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam",
         "user.name": "tsedquia",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -4406,8 +4406,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "rroq",
         "rsa.misc.action": [
-            "fdeFin",
-            "Blocked"
+            "Blocked",
+            "fdeFin"
         ],
         "rsa.misc.category": "diduntut",
         "rsa.misc.filter": "ano",
@@ -4533,8 +4533,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.248.108.55",
-            "10.120.215.174"
+            "10.120.215.174",
+            "10.248.108.55"
         ],
         "related.user": [
             "prehend"
@@ -4548,8 +4548,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "rema",
         "rsa.misc.action": [
-            "uatDu",
-            "Allowed"
+            "Allowed",
+            "uatDu"
         ],
         "rsa.misc.category": "ent",
         "rsa.misc.filter": "iscivel",
@@ -4604,8 +4604,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.51.161.245",
-            "10.15.254.181"
+            "10.15.254.181",
+            "10.51.161.245"
         ],
         "related.user": [
             "abo"
@@ -4645,7 +4645,7 @@
         ],
         "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam",
         "user.name": "abo",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -4677,8 +4677,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.7.152.238",
-            "10.129.66.196"
+            "10.129.66.196",
+            "10.7.152.238"
         ],
         "related.user": [
             "equamn"
@@ -4750,8 +4750,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.185.107.27",
-            "10.29.162.157"
+            "10.29.162.157",
+            "10.185.107.27"
         ],
         "related.user": [
             "evelite"
@@ -4765,8 +4765,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "orinrep",
         "rsa.misc.action": [
-            "squirat",
-            "Blocked"
+            "Blocked",
+            "squirat"
         ],
         "rsa.misc.category": "sequa",
         "rsa.misc.filter": "orainci",
@@ -4823,8 +4823,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.215.63.248",
-            "10.138.0.214"
+            "10.138.0.214",
+            "10.215.63.248"
         ],
         "related.user": [
             "eavolupt"
@@ -4838,8 +4838,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "odita",
         "rsa.misc.action": [
-            "dqu",
-            "Blocked"
+            "Blocked",
+            "dqu"
         ],
         "rsa.misc.category": "ipex",
         "rsa.misc.filter": "ine",
@@ -4864,7 +4864,7 @@
         ],
         "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod",
         "user.name": "eavolupt",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
@@ -5115,8 +5115,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.249.1.143",
-            "10.124.177.226"
+            "10.124.177.226",
+            "10.249.1.143"
         ],
         "related.user": [
             "isciveli"
@@ -5156,7 +5156,7 @@
         ],
         "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese",
         "user.name": "isciveli",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Yandex Browser",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.15.6",
@@ -5188,8 +5188,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.146.228.249",
-            "10.167.176.220"
+            "10.167.176.220",
+            "10.146.228.249"
         ],
         "related.user": [
             "estla"
@@ -5261,8 +5261,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.203.47.23",
-            "10.200.74.101"
+            "10.200.74.101",
+            "10.203.47.23"
         ],
         "related.user": [
             "litesse"
@@ -5276,8 +5276,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "nde",
         "rsa.misc.action": [
-            "iqu",
-            "Allowed"
+            "Allowed",
+            "iqu"
         ],
         "rsa.misc.category": "ametco",
         "rsa.misc.filter": "ntincul",
@@ -5334,8 +5334,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.24.23.209",
-            "10.162.78.48"
+            "10.162.78.48",
+            "10.24.23.209"
         ],
         "related.user": [
             "ntore"
@@ -5375,7 +5375,7 @@
         ],
         "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor",
         "user.name": "ntore",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "U307AS",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -5407,8 +5407,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.55.151.53",
-            "10.211.66.68"
+            "10.211.66.68",
+            "10.55.151.53"
         ],
         "related.user": [
             "squir"
@@ -5422,8 +5422,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "diconseq",
         "rsa.misc.action": [
-            "umet",
-            "Allowed"
+            "Allowed",
+            "umet"
         ],
         "rsa.misc.category": "ciad",
         "rsa.misc.filter": "oeiusmod",
@@ -5448,7 +5448,7 @@
         ],
         "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest",
         "user.name": "squir",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -5521,7 +5521,7 @@
         ],
         "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis",
         "user.name": "mes",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "G8142",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -5626,8 +5626,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.124.119.48",
-            "10.26.222.144"
+            "10.26.222.144",
+            "10.124.119.48"
         ],
         "related.user": [
             "nre"
@@ -5641,8 +5641,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "lloin",
         "rsa.misc.action": [
-            "Blocked",
-            "ici"
+            "ici",
+            "Blocked"
         ],
         "rsa.misc.category": "quidolor",
         "rsa.misc.filter": "nonproi",
@@ -5714,8 +5714,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "officiad",
         "rsa.misc.action": [
-            "Allowed",
-            "antium"
+            "antium",
+            "Allowed"
         ],
         "rsa.misc.category": "emoeni",
         "rsa.misc.filter": "itvo",
@@ -5740,7 +5740,7 @@
         ],
         "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol",
         "user.name": "ten",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "LM-V350",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 10",
@@ -5959,7 +5959,7 @@
         ],
         "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu",
         "user.name": "tectobe",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Yandex Browser",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.15.6",
@@ -6105,7 +6105,7 @@
         ],
         "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa",
         "user.name": "redolo",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "LM-V350",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 10",
@@ -6137,8 +6137,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.13.125.101",
-            "10.97.202.149"
+            "10.97.202.149",
+            "10.13.125.101"
         ],
         "related.user": [
             "colab"
@@ -6152,8 +6152,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "atcupi",
         "rsa.misc.action": [
-            "Blocked",
-            "uaUten"
+            "uaUten",
+            "Blocked"
         ],
         "rsa.misc.category": "modt",
         "rsa.misc.filter": "magnidol",
@@ -6225,8 +6225,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "itautf",
         "rsa.misc.action": [
-            "Blocked",
-            "mini"
+            "mini",
+            "Blocked"
         ],
         "rsa.misc.category": "gna",
         "rsa.misc.filter": "usmo",
@@ -6283,8 +6283,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.10.25.145",
-            "10.224.249.228"
+            "10.224.249.228",
+            "10.10.25.145"
         ],
         "related.user": [
             "mnisiuta"
@@ -6298,8 +6298,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "issuscip",
         "rsa.misc.action": [
-            "Blocked",
-            "remap"
+            "remap",
+            "Blocked"
         ],
         "rsa.misc.category": "eetdolo",
         "rsa.misc.filter": "rsitam",
@@ -6324,7 +6324,7 @@
         ],
         "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu",
         "user.name": "mnisiuta",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "LM-V350",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36",
         "user_agent.os.full": "Android 10",
@@ -6371,8 +6371,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "neavolu",
         "rsa.misc.action": [
-            "nofdeF",
-            "Blocked"
+            "Blocked",
+            "nofdeF"
         ],
         "rsa.misc.category": "remagnam",
         "rsa.misc.filter": "maveniam",
@@ -6397,7 +6397,7 @@
         ],
         "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer",
         "user.name": "aeabillo",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -6444,8 +6444,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ilmoles",
         "rsa.misc.action": [
-            "Blocked",
-            "tatisetq"
+            "tatisetq",
+            "Blocked"
         ],
         "rsa.misc.category": "ametco",
         "rsa.misc.filter": "liquide",
@@ -6502,8 +6502,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.154.188.132",
-            "10.166.205.159"
+            "10.166.205.159",
+            "10.154.188.132"
         ],
         "related.user": [
             "uptat"
@@ -6640,8 +6640,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.172.159.251",
-            "10.254.119.31"
+            "10.254.119.31",
+            "10.172.159.251"
         ],
         "related.user": [
             "usm"
@@ -6655,8 +6655,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "imadmi",
         "rsa.misc.action": [
-            "tatemacc",
-            "Blocked"
+            "Blocked",
+            "tatemacc"
         ],
         "rsa.misc.category": "tutlabor",
         "rsa.misc.filter": "eturad",
@@ -6728,8 +6728,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "isnost",
         "rsa.misc.action": [
-            "Allowed",
-            "oriosa"
+            "oriosa",
+            "Allowed"
         ],
         "rsa.misc.category": "uis",
         "rsa.misc.filter": "nemul",
@@ -6801,8 +6801,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "ntut",
         "rsa.misc.action": [
-            "nima",
-            "Blocked"
+            "Blocked",
+            "nima"
         ],
         "rsa.misc.category": "boru",
         "rsa.misc.filter": "umquia",
@@ -6827,7 +6827,7 @@
         ],
         "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi",
         "user.name": "eroi",
-        "user_agent.device.name": "Other",
+        "user_agent.device.name": "Mac",
         "user_agent.name": "Yandex Browser",
         "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36",
         "user_agent.os.full": "Mac OS X 10.15.6",
@@ -6874,8 +6874,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "tquovo",
         "rsa.misc.action": [
-            "qua",
-            "Allowed"
+            "Allowed",
+            "qua"
         ],
         "rsa.misc.category": "ectet",
         "rsa.misc.filter": "lites",
@@ -6932,8 +6932,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.131.81.172",
-            "10.139.90.218"
+            "10.139.90.218",
+            "10.131.81.172"
         ],
         "related.user": [
             "hende"
@@ -7005,8 +7005,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.152.217.174",
-            "10.128.43.71"
+            "10.128.43.71",
+            "10.152.217.174"
         ],
         "related.user": [
             "mquiado"
@@ -7020,8 +7020,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "olupt",
         "rsa.misc.action": [
-            "Blocked",
-            "temvele"
+            "temvele",
+            "Blocked"
         ],
         "rsa.misc.category": "natuser",
         "rsa.misc.filter": "amnihil",
@@ -7046,7 +7046,7 @@
         ],
         "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta",
         "user.name": "mquiado",
-        "user_agent.device.name": "Generic Tablet",
+        "user_agent.device.name": "Notepad_K10",
         "user_agent.name": "Chrome",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36",
         "user_agent.os.full": "Android 9",
@@ -7078,8 +7078,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.217.193.148",
-            "10.26.149.221"
+            "10.26.149.221",
+            "10.217.193.148"
         ],
         "related.user": [
             "uisa"
@@ -7224,8 +7224,8 @@
         "observer.type": "Configuration",
         "observer.vendor": "Zscaler",
         "related.ip": [
-            "10.119.106.108",
-            "10.135.38.213"
+            "10.135.38.213",
+            "10.119.106.108"
         ],
         "related.user": [
             "ore"
@@ -7265,7 +7265,7 @@
         ],
         "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota",
         "user.name": "ore",
-        "user_agent.device.name": "Generic Smartphone",
+        "user_agent.device.name": "5024D_RU",
         "user_agent.name": "Chrome Mobile",
         "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61",
         "user_agent.os.full": "Android 9",
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
index 423d10f5ac2b..66ca65108fd2 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
@@ -28,8 +28,8 @@
         "rsa.investigations.ec_theme": "Communication",
         "rsa.investigations.event_vcat": "<vendor_event_cat>",
         "rsa.misc.action": [
-            "<web_method>",
-            "<action>"
+            "<action>",
+            "<web_method>"
         ],
         "rsa.misc.category": "<category>",
         "rsa.misc.filter": "<filter>",