Dell SonicWall Single Sign On (SSO) agent often pulls service user accounts (Sophos Antivirus, Nvidia Updater, etc.) instead of actual logged in users. I noticed that this is especially prominent when DC Security Logs option is used.
In this example SonicWall SSO agent is pulling sophos.update account instead of actual logged-in domain users.
To resolve the issue login to SonicWall firewall and navigate to Users > Settings. Click on Configure SSO button, then change to Users tab and add "sophos.update" and other system / service accounts you want to exclude to "User names used by Windows services" list.
SonicWall tutorial didn't mention this, but for changes to take affect I had to restart SSO Agent service using Directory Connector Configuration.
SonicWall NSA 220W