Rich,
So you could do this with a CSV lookup. I would create your CSV file and make sure that it is automatically updated every night and saved to the SymantecDLP\plugins directory. I am not sure but you may have issues with writing over an existing file when it is being used.. try and see.
You will then need to create a CSV lookup that has 2 columns (IP address and Username)
You will then need to set the
attr.sender-ip = ipcolumn
attr.Username=usernamecolumn
keys=ipcolumn
This should work.. though keep in mind that this will RUN ON ALL events.. Endpoint, Web, Network, and Discover.. so it migh break some things.
You might want to look at a Script, that you can control the type if incidents.
Ronak
If this answers your question please marked this solved.