Per-user Custom Rules Not Working as Expected

Article ID: 368285

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

The Agent is associating the file operation with a different/remote user rather than the one reported to the Console.

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: 8.9.0 - 8.9.6
  • Microsoft Windows: All Supported Versions

Cause

The Agent is associating the file operation with a different/remote user rather than the user reported in the Event. 

Resolution

This issue was tracked under EPCB-21383 and resolved with the release of Agent 8.10.0. Upgrading will resolve the issue.

Additional Information

  • Prior to version 8.9.0, Agents only checked the User identity (SID) of running processes, but not of individual process threads.
  • Agent 8.9.0 adds the ability to check the User identity (SID) of a process thread, which is more granular and secure.