DLP is integrated with CloudSOC, and the CloudDetector is successfully receiving activity from CloudSOC. A policy is created in DLP for Share activities. 

The "recipient" field is based on email activity. Sharing does not include this field. Share activity includes a field called "Shared with" instead. 

This is true for any activity that does not include a "recipient" field.

Policies for share activity should be based on the "shared with" attribute instead of "recipient" field. 
 Other activity's like upload will also have recipient field as unknown