You are using the Proxy Forwarding method with Edge SWG / WSS integrated with DLP Cloud, and you need to forward the authenticated user's email address to DLP Cloud for policy control.
The traffic flow is as follows:
Browser traffic authenticated by the on-premise proxy -> WSS forwarding -> DLP Cloud.
Since authentication is done only by the on-premise proxy, that proxy must be configured to add the user's email address in a request header when forwarding to WSS.
1. For Proxy Forwarding, first configure the proxy to report the user's email address. For ProxySG, this is done through the Integrated Windows Authentication (IWA-Direct) realm configuration:
Then add the email attribute to the CPL under the Auth_Cloud forwarding section:
;=========================================
; User Authentication Forwarding
;=========================================
;
; Upon user authentication,
; pass the username and groups to WSS.
;
<Proxy Cloud_Auth> condition=!WSS_Proxy_Bypass_List condition=CloudSOC_Domains_List
    authenticated=yes action.Auth_Cloud(yes)

; User and Group information are passed to WSS in
; special headers added to the request.
;
define action Auth_Cloud
    ; Email address of the authenticated user, Base64-encoded
    set( request.x_header.x_BC_AUTH_USER_EMAIL, "$(user.email_address:encode_base64)" )
    set( request.x_header.BC_Auth_User, "$(user:encode_base64)" )
    set( request.x_header.BC_Auth_Groups, "$(groups:encode_base64)" )
    set( request.header.Client-IP, "$(client.address)" )
end
Once WSS receives this information, it automatically forwards it to DLP Cloud.
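To confirm that the proxy really adds the identity headers before relying on email-based DLP policy, the forwarded request can be inspected in a capture taken between the proxy and WSS. The following Python check is an added example, not part of the original article or of any Broadcom tooling; it assumes the header names appear on the wire exactly as written in the `set()` calls above and that the decoded values are UTF-8 text, and its sample request is constructed.

```python
import base64
import binascii

# Names taken from the Auth_Cloud set() calls; same spelling on the wire is an assumption.
B64_HEADERS = ("x_BC_AUTH_USER_EMAIL", "BC_Auth_User", "BC_Auth_Groups")

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP request header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the request line
        if not line.strip():
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_forwarded_identity(raw):
    """Decode the Base64 identity headers and list any problems found."""
    headers = parse_headers(raw)
    decoded, problems = {}, []
    for name in B64_HEADERS:
        value = headers.get(name.lower())
        if not value:
            problems.append(f"{name}: missing or empty")
            continue
        try:
            decoded[name] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{name}: not valid base64 text")
    email = decoded.get("x_BC_AUTH_USER_EMAIL")
    if email is not None and "@" not in email.strip("@"):
        problems.append("x_BC_AUTH_USER_EMAIL: decoded value is not an email address")
    return decoded, problems

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample request (not a real capture); every value is made up.
SAMPLE = "\r\n".join([
    "GET http://example.com/ HTTP/1.1",
    "Host: example.com",
    "x_BC_AUTH_USER_EMAIL: " + b64("alice@example.com"),
    "BC_Auth_User: " + b64("EXAMPLE\\alice"),
    "BC_Auth_Groups: " + b64("EXAMPLE\\Domain Users"),
    "Client-IP: 192.0.2.10",
    "", "",
])
print(check_forwarded_identity(SAMPLE))
```

An empty problem list means all three headers were present and decodable; a missing or empty `x_BC_AUTH_USER_EMAIL` points back to the realm configuration in step 1.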