When having users on a TufinOS, each user has an ID that can be checked in /etc/passwd, e.g.

# cat /etc/passwd | grep tufin-admin
tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash
#

If a user is added, ID1001 might be the ID for this new user. 
Checking system activity (e.g. with ps aux) might show this user quite active, even if not logged in. 

The reason for this effect is that TOS is running some processes with ID1001 - independently of "real usage" of this ID in /etc/passwd or not.
Processes using this ID are e.g. Java, MongoDB, Kafka, ... 

So don't wonder about users not logged in to CLI but using some resources, it's not an attack, but TOS working as designed by Tufin.