HTTP/HTTPS incidents triggered by Network Monitor or Network Prevent for Web generally contain the IP address information of the Sender in the Sender field.
LDAP Lookup cannot use this IP address information and considering it is likely that DHCP is configured in user's network then it might not be possible to use a CSV Lookup either.
HTTP/HTTPS incidents triggered by Network Monitor or Network Prevent for Web generally have IP address in Sender field as there is no directory user authentication configured on the source Proxy Server to provide the domain and username of the Sender.
If directory authentication were configured on the Proxy Server then the Proxy Server can send the domain and username instead of the IP address.
In which case you will likely need to consider using a combination of a CSV and LDAP lookup or otherwise a customized Script Lookup.
Note: We do not provide support to configure the directory user authentication on the Proxy server or creating a customized Script Lookup.