The "recipient" field shows unknown in the DLP incidents [DLP Enforce]
DLP is integrated with CloudSOC, and the CloudDetector is successfully receiving activity from CloudSOC. A policy is created in DLP for Share activities.
The "recipient" field is based on email activity. Sharing does not include this field. Share activity includes a field called "Shared with" instead.
This is true for any activity that does not include a "recipient" field.
Policies for share activity should be based on the "shared with" attribute instead of the "recipient" field.
Other activities, such as upload, will also show the recipient field as unknown.
You may see the recipient field populated if it has been shared.