If you add a new correlation rule, you have a field named "Group By"; with this field you can correlate all events with the same Session ID into one event. But you also need a correlation logic =) and this is a little bit tricky in this case.
We have been able to get the correlation rule to pull in all the events with the same external session ID, but we need it to fill in the username from one of the events, then the source and destination IPs from another event, and so on, into the correlation event. It is just adding the events and not populating the correlation event with the data from the other events. Are there additional steps we need to do to pull this data into the main event?
I think I understand what you are trying to accomplish; you have two different events, one that provides the username and another one that provides the assigned IP address; and the external session ID is the common denominator.
I'm not sure if the SIEM can correlate both events and provide all fields (session ID, IP address, username) in one event, but I believe F5 can do exactly that with iRules. The iRule will do that correlation on F5 and send the correlated event to the SIEM.
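
The merge discussed in this thread, sketched outside any SIEM or iRule as an added example (not code from the thread, the SIEM vendor, or F5): events that share a session ID are folded into one record that takes the username from one event and the IPs from another. The field names, the 300-second window and the sample events are assumptions.

```python
# Hypothetical field names; map them to whatever the parsed events really carry.
REQUIRED = ("username", "src_ip", "dst_ip")

def merge_by_session(events, window=300):
    """Group events on session_id and fold their fields into one record each.

    An event more than `window` seconds after the first event of a session
    starts a new record, so a reused session ID does not merge two logins.
    """
    open_records = {}   # session_id -> record currently being filled
    merged = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order arrival
        sid = ev.get("session_id")
        if not sid:
            continue                                   # nothing to group on
        rec = open_records.get(sid)
        if rec is None or ev["ts"] - rec["first_ts"] > window:
            rec = {"session_id": sid, "first_ts": ev["ts"], "last_ts": ev["ts"],
                   "event_count": 0, "conflicts": []}
            open_records[sid] = rec
            merged.append(rec)
        rec["last_ts"] = ev["ts"]
        rec["event_count"] += 1
        for field in REQUIRED:
            value = ev.get(field)
            if not value:
                continue                               # this event does not carry the field
            if field not in rec:
                rec[field] = value                     # first non-empty value wins
            elif rec[field] != value:
                rec["conflicts"].append((field, value))  # keep the disagreement visible
    for rec in merged:
        rec["complete"] = all(f in rec for f in REQUIRED)
    return merged

# Constructed sample events, not taken from a real device log.
SAMPLE = [
    {"ts": 1005, "session_id": "a1b2", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
    {"ts": 1000, "session_id": "a1b2", "username": "jdoe"},
    {"ts": 1010, "session_id": "c3d4", "username": "asmith"},
    {"ts": 1020, "session_id": "a1b2", "username": "jdoe2"},
    {"ts": 9000, "session_id": "a1b2", "username": "jdoe"},
]

if __name__ == "__main__":
    for record in merge_by_session(SAMPLE):
        print(record)
```

Records with `complete` set to false or a non-empty `conflicts` list are the ones to review before forwarding a single correlated event.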