Unknown user is shown for one of the policies in SaaS Security API
Symptom
Users have a policy that monitors activity outside of trusted domains, and some of the matched events show the user as "Unknown".
Environment
Prisma SaaS
SaaS Security API
SASE
CASB
Cause
- The events appear to be missing data.
- The corresponding user records are missing in MongoDB.
- There is no record for the unknown user in the backend database.
The following points were investigated as possible causes:
1. For which user activity actions does the value "Unknown" appear? Is it all events or only some of them?
- It is unknown what activities generate these "Unknown" matched items. Looking at the latest samples
2. Is there a case where the asset details have user information for an event, but the user activity log is missing the user details for the same event?
- As you can see in the UnknownUserScreenshot4.JPG screenshot, every day there is an event with five-digit totals, all listed under the Unknown user. This suggests some sort of automation or repeated process is triggering these events, but it is hard to correlate; all of them are related to Google Drive events.
Resolution
- These actions are performed by a bot. For example, for the asset shown in [assetid.JP], Google Drive automatically deletes files from the trash after 30 days.
- The unknown user profiles are bots. Prisma SaaS does not receive a user email when querying the Google APIs for actions performed by bots, so Prisma SaaS displays the user name as "Unknown".
- For example:
Asset646c58b39913857eb6c8de07.JPG shows deleted actions. Suppose that on 5-22 Amy Sept deletes a file, moving it to the trash. Exactly 30 days later, on 6-21, it is deleted from the trash by an automatic action.
Unknownuserscreenshot1 shows another case: someone who is not logged in to Google performing actions on the files, such as viewing a file. A person outside the user's domain viewing this data can also show up as Unknown, since Prisma SaaS does not have permission to fetch that external user's data.
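The two explanations above (the 30-day automatic trash purge, and anonymous or external viewers) can be applied mechanically when triaging a large batch of "Unknown" matches. The following is an added example written for this article, not Prisma SaaS code and not the SaaS Security API event schema: it assumes a simplified, flat event record (fields `ts`, `file_id`, `action`, `user`, all constructed here) exported from the activity log, and a 24-hour tolerance around the 30-day retention window. It labels each Unknown delete that lands 30 days after a known user trashed the same file as an automatic purge, labels Unknown view/download actions as anonymous or external access, and leaves everything else flagged for follow-up.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample activity-log events (hypothetical flat shape, not the
# SaaS Security API schema). user=None stands for the "Unknown" user.
EVENTS = [
    {"ts": "2023-05-22T10:15:00", "file_id": "f1", "action": "trash", "user": "amy.sept@example.com"},
    {"ts": "2023-06-21T10:15:00", "file_id": "f1", "action": "delete", "user": None},  # 30 days later
    {"ts": "2023-06-21T11:00:00", "file_id": "f2", "action": "view", "user": None},    # external viewer
    {"ts": "2023-06-21T12:00:00", "file_id": "f3", "action": "delete", "user": None},  # no prior trash event
    {"ts": "2023-06-20T09:00:00", "file_id": "f4", "action": "edit", "user": "bob@example.com"},
]

# Google Drive purges trashed files after 30 days (stated in the article);
# the tolerance is an assumption to absorb clock and scheduling skew.
TRASH_RETENTION = timedelta(days=30)
TOLERANCE = timedelta(hours=24)


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def classify_unknown_events(events):
    """Return (file_id, action, label) for every event whose user is Unknown.

    Labels:
      auto-trash-purge             delete ~30 days after a known user trashed the file
      anonymous-or-external-viewer view/download by a user Prisma SaaS cannot resolve
      unexplained-delete           delete with no matching trash event (needs follow-up)
      unexplained                  any other Unknown action (needs follow-up)
    """
    # Index trash events by file so each Unknown delete can be correlated.
    trashed = {}
    for e in events:
        if e["action"] == "trash" and e["user"] is not None:
            trashed.setdefault(e["file_id"], []).append(parse_ts(e["ts"]))

    results = []
    for e in events:
        if e["user"] is not None:
            continue  # attributed to a real user; not part of this problem
        if e["action"] == "delete":
            ts = parse_ts(e["ts"])
            candidates = trashed.get(e["file_id"], [])
            if any(abs((ts - t) - TRASH_RETENTION) <= TOLERANCE for t in candidates):
                label = "auto-trash-purge"
            else:
                label = "unexplained-delete"
        elif e["action"] in ("view", "download"):
            label = "anonymous-or-external-viewer"
        else:
            label = "unexplained"
        results.append((e["file_id"], e["action"], label))
    return results


def summarize(results):
    """Count labels so the expected bot/external share is visible at a glance."""
    return Counter(label for _, _, label in results)


if __name__ == "__main__":
    classified = classify_unknown_events(EVENTS)
    for row in classified:
        print(row)
    print(dict(summarize(classified)))
```

Only the "unexplained" rows warrant manual review; the other two labels match the benign causes described in this article. If the exported events carry a trashed-on timestamp per file, that field can replace the separate trash event lookup.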