With the lightweight gateway, we are not seeing user information in the suspicious activity reports. Do advanced security auditing policies need to be in place?
This activity, for instance, was a remote execution attempt run in user context. (Script downloaded from here.)
