Sharo,
I have answered this question a few dozen times..
You will need to create a Script Lookup plugin that runs for ONLY Web Prevent events and then have it run an LDAP lookup based on the output. You will see that there is a NEW Variable that comes from the Script that will need to be used in the LDAP lookup. ($HTTPUserName$)
You will need to add that variable to EACH lookup line.
attr.First\ Name =:(|(mail=$sender-email$)(sAMAccountName=$file-owner$)(sAMAccountName=$endpoint-user-name$)(sAMAccountName=$HTTPUserName$)):givenName
https://www.symantec.com/connect/forums/using-lookup-plugin-network-prevent-web-icap?list_context_id=1681&list_context_type=sc_forum
https://www.symantec.com/connect/forums/liveldaplookup-using-substrings?list_context_id=1681&list_context_type=sc_forum
Good Luck,
PLEASE MARKED SOLVED