Issue
I would like to determine in more details how is the username mentioned in the Carbon Black console is capture?
Environment
VMware Carbon Black Cloud
Resolution
Carbon Black support provided the following explanation: The user field is populated by the installing user (for attended installs) or the best guess of the user that was online when it was installed (for unattended installs). For 3.5 sensors behavior is to enumerate the logged-on users at the time of sending the status message and find the interactive user with the most recent logon time. The status message is sent once after a restart and then every 8 hours after that or every 15 minutes when in bypass. The status message can also be sent for various triggers such as network changes, if the status of the local scanner changes (sig pack update or enable/disable), when the LR session is established/closed, VDI reregistration, or network quarantine status change. If there is no interactive user logged in to the endpoint within the 8-hour window, you may get a non-interactive username such as “Windows Manager\USER-2”.