Under Protect > Policies > Alerts you see a blank mail ID for an internal user.
`Log Obfuscation for External Accounts` setting is enabled and it is working as designed.
In CloudSOC Investigate logs/Policy Alerts, there are 2 user fields:
The activity being treated as External comes into play ONLY if the latter 'CloudService User' is different from the former 'CloudSOC User'. If the 'Cloud Service User' is not in the Users table in CloudSOC (even if part of the primary/secondary domain for the tenant) then it is treated as external. This distinction is made to allow customers to have the same domain across tenants and have independent policies in those tenants. e.g., '[email protected]' could be a valid user in `example1` tenant but if Google Drive access is done for '[email protected]' Google drive from a machine belonging to '[email protected]' (who is part of 'example2' tenant), that access will be treated as external (as userA is not part of example2 tenant in CloudSOC). If userA is to be treated as internal in `example2` tenant, it will have to be in Users table in that tenant.
`Log Obfuscation for External Accounts` feature is implemented to cover the use case where none of the tenant admins should get to see any PII for external accounts monitoring for legal reasons (just policy enforcement when appropriate).