Configure LDAP Lookup for Web Prevent Incidents

Article ID: 184398


Products

Data Loss Prevention Enforce

Issue/Introduction

The "Sender" field in a Web Prevent incident matched the sAMAccountName in Active Directory. However, when the Lookup was configured with the value sAMAccountName=$endpoint-user-name$, it was unable to pull the attributes.

Resolution

1. Enable Tomcat logging on the Enforce server.

2. Click on Lookup in the incident field.

3. In the Localhost.xxxx.xx.xx.log file, check the attributes that were pulled, and check which lookup parameter key the expected value matches in the log.


Number=null, Business Unit=null, file-modified-by=null, subject=HTTP incident, sender-port=-2147483648, endpoint-domain-name=null, First Name=null, endpoint-file-path=null, Manager First Name=null, endpoint-user-name=null, path=null, Manager Phone=null, Dismissal Reason=null, endpoint-machine-name=null, sender-ip=value, discover-repository-location=null, Phone=null, endpoint-file-name=null, file-created-by=null, discover-name=null, endpoint-dos-volume-name=null, endpoint-application-name=null, Postal Code=null, file-owner=null, discover-location=null, Sender Email=null, discover-server=null, file-create-date=null, discover-extraction-date=null, Manager Last Name=null, plugin-chain-id=0, Mail superior jerarquico=null, Departamento=null, file-access-date=null, discover-content-root-path=null, Assigned To=null, Employee Code=null, Manager Email=null, Country=null, Region=null, Last Name=null, file-owner-domain=null, date-sent=Thu May 03 14:27:21 CEST 2018, endpoint-application-path=null, endpoint-volume-name=null, sender-email=value

4. Confirm that the "Sender" value in the Web Prevent incident snapshot matches the value of the sender-email lookup parameter key.

5. Accordingly, change sAMAccountName=$endpoint-user-name$ to sAMAccountName=$sender-email$ in the Lookup plugin.

6. In the incident, click Lookup. It should now pull the desired value.
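
Steps 3 to 5 come down to finding which lookup parameter key actually carries the incident's Sender value. The Python sketch below is an added example, not part of the original article or the product: it parses an attribute dump in the format shown in step 3 and returns the matching mapping string. The function names, the sample values and the treatment of -2147483648 as unset are assumptions.

```python
import re

# Start of each "key=" pair: line start or a comma, then a key with no '=' or ','.
_KEY = re.compile(r"(?:^|,\s*)([^=,]+?)=")

# Values that mean "nothing was populated". "null" is what the page's log shows;
# treating -2147483648 (Java Integer.MIN_VALUE) as unset is an assumption.
_EMPTY = {"null", "", "-2147483648"}


def parse_lookup_attributes(dump):
    """Split 'k1=v1, k2=v2, ...' into a dict; keys may contain spaces,
    values may contain commas (e.g. a subject line)."""
    matches = list(_KEY.finditer(dump))
    attrs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(dump)
        attrs[m.group(1).strip()] = dump[m.end():end].strip().rstrip(",").strip()
    return attrs


def keys_holding(attrs, sender_value):
    """Lookup parameter keys whose value equals the incident's Sender field."""
    want = sender_value.strip().lower()
    return sorted(k for k, v in attrs.items()
                  if v not in _EMPTY and v.lower() == want)


def suggest_mapping(attrs, sender_value, ldap_attr="sAMAccountName"):
    """Mapping strings in the page's form, e.g. sAMAccountName=$sender-email$."""
    return [f"{ldap_attr}=${k}$" for k in keys_holding(attrs, sender_value)]


# Constructed sample in the format of the log excerpt above (values invented).
SAMPLE = ("Number=null, Business Unit=null, subject=Upload, quarterly report, "
          "sender-port=-2147483648, endpoint-user-name=null, sender-ip=10.0.0.5, "
          "Sender Email=null, date-sent=Thu May 03 14:27:21 CEST 2018, "
          "plugin-chain-id=0, sender-email=jdoe")

if __name__ == "__main__":
    attrs = parse_lookup_attributes(SAMPLE)
    print("populated:", {k: v for k, v in attrs.items() if v not in _EMPTY})
    print("candidates:", suggest_mapping(attrs, "jdoe"))
```

An empty result means no lookup parameter key carries the Sender value, which is the situation the article describes for endpoint-user-name on Web Prevent incidents.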