WSS User field is different than CloudSOC and reported as a Guest user for gatelet activity

Article ID: 405926

Products

CASB Gateway Advanced, CASB Advanced Threat Protection, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

You notice that the WSS User arrives as domain\samAccountName, but in CloudSOC the user's secondary id is samAccountName. This mismatch causes CloudSOC to identify the user as an unknown/guest user.

Cause

If you are using Office 365 to synchronize with Azure AD, and your Azure AD is integrated with on-prem AD domains, you may find that the sAMAccountName appears as the user's secondary id. This differs from the domain\username format that the WSS agent normally sends to CloudSOC, and it can cause CloudSOC to identify the user as a guest user.

Resolution

You can create a case with CloudSOC support to enable user normalization for this CloudSOC tenant. Please ensure that all secondary ids are in the same format (samAccountName only, with no secondary id in the domain\samAccountName form), because we can't support mixed formats at the moment.
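
A pre-check for the format requirement above, as an added example that is not part of the original article or of any CloudSOC tooling: it audits a user list for secondary ids that are not bare sAMAccountName values before you open the support case. The CSV layout and the column names `email` and `secondary_id` are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Characters Microsoft documents as not allowed in a sAMAccountName.
_SAM_INVALID = set('"/\\[]:;|=,+*?<>')

def classify_secondary_id(value):
    """Return the format of one id: 'sam', 'domain\\sam', 'upn' or 'invalid'."""
    v = value.strip()
    if not v:
        return "invalid"
    if v.count("\\") == 1:
        domain, sam = v.split("\\")
        ok = domain and sam and not (set(sam) & _SAM_INVALID)
        return "domain\\sam" if ok else "invalid"
    if "@" in v:
        return "upn"
    return "invalid" if set(v) & _SAM_INVALID else "sam"

def audit_secondary_ids(rows, column="secondary_id"):
    """Count formats and list every row that is not a bare sAMAccountName."""
    counts, offenders = Counter(), []
    for line_no, row in enumerate(rows, start=2):  # header is line 1
        value = row.get(column) or ""
        kind = classify_secondary_id(value)
        counts[kind] += 1
        if kind != "sam":
            offenders.append((line_no, row.get("email", ""), value, kind))
    return counts, offenders

# Constructed sample export; the column names are assumptions.
SAMPLE_CSV = """email,secondary_id
alice@example.com,alice
bob@example.com,EXAMPLE\\bob
carol@example.com,carol@example.com
dave@example.com,dave
erin@example.com,
"""

def run_sample():
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    return audit_secondary_ids(rows)

if __name__ == "__main__":
    counts, offenders = run_sample()
    print("formats:", dict(counts))
    for line_no, email, sid, kind in offenders:
        print(f"line {line_no}: {email} secondary_id={sid!r} -> {kind}")
```

Any row it reports needs its secondary id changed to the bare samAccountName form so the tenant holds a single format.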