With the lightweight gateway, we are not seeing user information in the suspicious activity reports.  Do advanced security auditing policies need to be in place? 

This activity for instance was a remote execution attempt run in user context.  (script downloaded from here.)