Search HTTP attributes in the DLP Endpoint Server records
Today the HTTP events arriving from the Network Monitor are a bit "skinny" and if you cannot link the IP address to the Computer/User you might not know who caused the incident.
Since Symantec DLP has an Endpoint server which has information on all endpoints attached to it, I believe it would be correct that in a case of an HTTP event,
The Endpoint server will be queried for that IP address.
In a more "proactive" approach, if there was a match to the Endpoint, the EDP server could "query" the endpoint computer for the user that is using the computer at that moment.