User activity isn't showing is CASB Audit, but is showing IP addresses instead. 

IP addresses will show in the username if there is no user associated with the activity.

User activity will not show in Audit if the time window does not include the time of the activity. 

The proxy must report an authenticated user performed the operation in order for a username to be present.

Verify with the proxy logs that the user is known in the logs.

A process using a service account or user may not offer a user in the proxy logs. Check the proxy logs to verify the user is seen in the raw logs.

Workarounds include IP2user mappings or WMI with Active Directory (see techdocs)

Palo Alto does not list  authenticated users. CloudSOC will report the IP address to differentiate the user.