diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
index a5496839970..978685a5387 100644
--- a/filebeat/module/system/auth/ingest/pipeline.json
+++ b/filebeat/module/system/auth/ingest/pipeline.json
@@ -61,6 +61,12 @@
 "target_field": "source.geo",
 "ignore_failure": true
 }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "source": "if (ctx.process.name == \"sshd\") { if (ctx.event.outcome == \"Accepted\") { ctx.event.type = \"authentication_success\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; } else if (ctx.event.outcome == \"Invalid\" || ctx.event.outcome == \"Failed\") { ctx.event.type = \"authentication_failure\"; ctx.event.category = \"authentication\"; ctx.event.action = \"ssh_login\"; } }"
+ }
 }
 ],
 "on_failure" : [{
diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
index c780956e8a5..0098f02a5b7 100644
--- a/filebeat/module/system/auth/test/test.log-expected.json
+++ b/filebeat/module/system/auth/test/test.log-expected.json
@@ -4,6 +4,9 @@
 "event.dataset": "system.auth",
 "event.module": "system",
 "event.outcome": "Accepted",
+ "event.category": "authentication",
+ "event.action": "ssh_login",
+ "event.type": "authentication_success",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -22,6 +25,9 @@
 "event.dataset": "system.auth",
 "event.module": "system",
 "event.outcome": "Accepted",
+ "event.category": "authentication",
+ "event.action": "ssh_login",
+ "event.type": "authentication_success",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -39,6 +45,9 @@
 "event.dataset": "system.auth",
 "event.module": "system",
 "event.outcome": "Invalid",
+ "event.category": "authentication",
+ "event.action": "ssh_login",
+ "event.type": "authentication_failure",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
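Review bot: The new script processor dereferences `ctx.process.name` and `ctx.event.outcome` with no null guard and, unlike the geoip processor directly above it, carries no `"ignore_failure": true`, so a document that reaches it without a `process` object throws and drops into the pipeline's `on_failure` handler, losing exactly the `event.category` classification that login-failure detections would key on. Painless has null-safe access, so the conditions can be written `if (ctx.process?.name == \"sshd\")` and `if (ctx.event?.outcome == \"Accepted\")` (and likewise on the `Invalid`/`Failed` branch) without changing which events match. Whether any grok branch earlier in this pipeline can leave `process.name` unset is not visible in this hunk, so treat this as an inferred gap rather than a reproduced failure. Separately, the added `event.type` values `authentication_success`/`authentication_failure` and the pre-existing `Accepted`/`Invalid`/`Failed` outcomes do not use the ECS vocabulary (ECS defines `event.outcome` as `success`/`failure`/`unknown`), which is worth confirming against the ECS version this module targets so downstream rules can rely on the standard fields.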
@@ -54,6 +63,9 @@
 "event.dataset": "system.auth",
 "event.module": "system",
 "event.outcome": "Failed",
+ "event.category": "authentication",
+ "event.action": "ssh_login",
+ "event.type": "authentication_failure",
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
@@ -170,4 +182,4 @@
 "user.id": "48",
 "user.name": "apache"
 }
-]
\ No newline at end of file
+]