In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup OR 4100: SONAR) does not match the user who was logged in at that time.
Release : 4.6.8
EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.
Broadcom engineering is aware of this issue and is committed to resolving it in a future build.