The "recipient" field shows unknown in the DLP incidents [DLP Enforce]
DLP is integrated with CloudSOC, and the CloudDetector is successfully receiving activity from CloudSOC. A policy is created in DLP for Share activities.
The "recipient" field is based on email activity. Sharing does not include this field. Share activity includes a field called "Shared with" instead.
This is true for any activity that does not include a "recipient" field.
Policies for share activity should be based on the "shared with" attribute instead of "recipient" field.
Other activity's like upload will also have recipient field as unknown