The User field contains either the user that was active on the agent computer (Source) at the time of the event, or the Console User in the case of events generated by console activities.

There are cases in which an event cannot be attributed to either a console user or a logged-in user on an agent system:

  • In some cases, the user name will be “System”.
  • The User field might be empty when there is no user account to attribute to the event. This occurs for agent-generated Computer Management events like “Agent restart” and “Agent Policy updated”. Those events are initiated by the App Control Agent itself and therefore have no associated user.
  • In some cases, the User field will be “<unknown>” because a user cannot be determined. For example, it is “<unknown>” for the Discovery events “Device attached” and “Device detached”. When a device is attached to or detached from a computer, App Control tries to determine which user is “active” at that time. If an active user cannot be determined (for example, if no one is currently logged in), App Control uses the special string “<unknown>” for User.

If you are using Unified Management of multiple servers, the “user” identified for actions performed on client servers through the management server is not necessarily the user currently logged into the console. The account used to authenticate the connection between the management server and the client server appears as the user.