Labels: Integration:panw (Palo Alto Next-Gen Firewall)
Description
The PAN-OS firewall can capture events of type "USERID", and for a computer account the username ends with a "$".
This is standard Active Directory behaviour for machine accounts; see here for an example:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oN0iCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
Currently the integration pipeline uses this grok filter:
It fails on hostname/username values of the form hostname\\username$.
This grok pattern stops the pipeline from failing on that username type:
^%{HOSTNAME:source.user.domain}\\%{DATA:source.user.name}$
Maybe there is a better, less expensive pattern to match with, but the above worked in a jiffy.
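As an added example (not part of the issue or the integration's own pipeline code), the pattern posted above expanded to the regular expression grok actually compiles, so it can be exercised offline against constructed sample values, including a machine account with the trailing `$`. The `HOSTNAME` and `DATA` expansions are the standard grok-patterns definitions; the function names `parse_user` and `is_machine_account` and the sample values are assumptions for this example only, not names from the integration.

```python
import re

# Standard grok-patterns definitions, expanded by hand so the pattern can be
# tested without an ingest node:
#   HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
#   DATA     .*?
HOSTNAME = r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"
DATA = r".*?"

# The pattern from the issue:
#   ^%{HOSTNAME:source.user.domain}\\%{DATA:source.user.name}$
# In the regex, `\\` matches one literal backslash. The trailing `$` is an
# end-of-input anchor, so the lazy DATA still expands to the end of the value,
# which is what lets a machine account's own trailing "$" land in the name.
USER_RE = re.compile(r"^(?P<domain>" + HOSTNAME + r")\\(?P<name>" + DATA + r")$")


def parse_user(value):
    """Emulate the grok match: return the two ECS fields, or None when the
    value does not match (which is what would make a grok processor fail)."""
    m = USER_RE.match(value)
    if not m:
        return None
    return {
        "source.user.domain": m.group("domain"),
        "source.user.name": m.group("name"),
    }


def is_machine_account(name):
    """Active Directory computer (machine) accounts carry a trailing '$'."""
    return name.endswith("$")


# Constructed sample values (hypothetical, not taken from a real PAN-OS log).
SAMPLES = [
    r"CORP\jdoe",                    # ordinary user account
    r"CORP\WKSTN01$",                # machine account, trailing $
    r"corp.example.com\svc-backup",  # FQDN-style domain
    "jdoe",                          # no domain separator: no match
    "CORP\\",                        # empty user name: DATA allows it
]


def parse_samples(values=SAMPLES):
    """Run every sample through the pattern and return (value, result) pairs."""
    return [(v, parse_user(v)) for v in values]


if __name__ == "__main__":
    for value, fields in parse_samples():
        if fields is None:
            print(f"{value!r}: NO MATCH (grok processor would fail)")
            continue
        kind = "machine" if is_machine_account(fields["source.user.name"]) else "user"
        print(f"{value!r}: {fields} ({kind} account)")
```

Two things worth knowing before adopting the pattern as-is: the machine-account "$" is preserved in `source.user.name`, so any later enrichment keyed on user names sees `WKSTN01$`, not `WKSTN01`; and because `%{DATA}` can match an empty string, a value such as `CORP\` parses successfully with an empty `source.user.name` rather than failing.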