In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup) does not match the user who was logged in at that time.
EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.
Release : 4.6.0
Broadcom engineering is aware of this issue and is committed to resolving it in a future build.