In logs of the Symantec Endpoint Detection and Response (EDR), the user_name field for some events (such as 4096: Reputation Lookup OR 4100: SONAR) does not match the user who was logged in at that time.

EDR takes the user_name field from the event object, if present. If the user_name field is not present, EDR enriches the field from the device info cache stored on the EDR.

Release : 4.6.8

Broadcom engineering is aware of this issue and is committed to resolving it in a future build.