A large number of events have the user_name field populated with sesuser or system
Article: TECH140322 | Created: 2010-09-20 | Updated: 2012-06-12 | Article URL: http://www.symantec.com/docs/TECH140322
You notice that a large amount of activity is generated by a user called sesuser or system.
This is agent behavior and is working as designed: the user_name field is normalised by the agent.
For more information on normalisation, see SSIM_Administrators_Guide.pdf, section "Understanding event normalization", page 233.