Forensic reports show 'No user' instead of the username.
'No user' shows up in logs because SSL interception is disabled.
Web Security Service
First Solution:
Enable SSL interception in the web portal.
Second Solution:
If the users access a site that is added to Trusted Destinations list, that would mean that the Trusted Destination rule is disabling authentication and categorization for those web apps, domains and IPs. In other words, the WSS won't assign a category to those destinations and it won't ask for credentials to allow access.
Removing the sites from the Trusted Destination list will allow SSL interception.