If the Top Users sections of your reports and dashboards are only showing IP addresses or hostnames instead of real usernames, this means that Sophos UTM is not authenticating users.
Fastvue Sophos Reporter can only show usernames if they exist in the log data sent to the Fastvue server from the UTM. This only happens when your Web Filter profile is authenticating users.
You can check your log data for usernames by checking the Web Protection Live Log in the Sophos UTM's web admin interface. If each line shows user="", then Sophos UTM is not authenticating your web traffic.
Configuring Active Directory Single Sign On (SSO) is one method of ensuring your users authenticate their traffic through the UTM. For more information, please see our article Sophos UTM and Active Directory Step by Step Integration Guide.
There are also other methods of authentication that you may like to explore.
Once usernames are logged by Sophos UTM, Fastvue Sophos Reporter can match them to their User object in Active Directory. You can then utilize other features such as Department and Security Group reporting.
Note: Sophos UTM's on-box reports display hostnames instead of IP addresses (resolved IPs). Unfortunately, this information is not passed to the Fastvue server in the Web Protection log data, so it cannot be displayed. For unauthenticated traffic, Fastvue Reporter will attempt to resolve the source IP address to a hostname and display the hostname as the 'user' in the reports. If you're seeing IP addresses as the 'user', that means that the Fastvue server cannot resolve the IP address to a hostname. You can test this by logging in to the Fastvue server and running 'nslookup <ip address>' at the command line.
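The user="" check and the reverse-lookup test described above can be run in bulk over exported log lines. The script below is an added example, not Fastvue or Sophos code. Its sample lines are constructed, and every field name other than user (srcip, url, action, name) is an assumption about the log layout.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in key="value" style. Only user="" comes from the
# article; the other field names and all values are assumptions.
SAMPLE_LOG = '''\
2024:01:15-09:00:01 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.21" user="" url="http://example.com/"
2024:01:15-09:00:02 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.22" user="jsmith" url="http://example.org/"
2024:01:15-09:00:03 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.21" user="" url="http://example.net/"
2024:01:15-09:00:04 utm httpproxy[4321]: name="http access" action="block" srcip="10.0.0.23" user="" url="http://example.com/x"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def audit_users(log_text):
    """Return (authenticated line count, Counter of user="" lines per source IP)."""
    authed, unauthed = 0, Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "user" not in fields:
            continue  # line carries no user field at all, skip it
        if fields["user"]:
            authed += 1
        else:
            unauthed[fields.get("srcip", "unknown")] += 1
    return authed, unauthed

def display_name(ip, resolver=socket.gethostbyaddr):
    """Hostname if reverse DNS works from this machine, otherwise the bare IP."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are both OSError
        return ip

if __name__ == "__main__":
    authed, unauthed = audit_users(SAMPLE_LOG)
    total = authed + sum(unauthed.values())
    print(f"{authed}/{total} lines carry a username")
    for ip, count in unauthed.most_common():
        print(f'{ip} -> {display_name(ip)}: {count} lines with user=""')
```

Run it on the Fastvue server itself so that the reverse lookups use the same DNS configuration as the reports. Source IPs that print unchanged are the ones that would appear as IP addresses in the Top Users sections.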