You need to know what sender parameter is used to store the username and domain information sent from the proxy server in the format provided by the proxy server to use this information in a CSV or LDAP Lookup, for example information from Microsoft's Threat Management Gateway (TMG) looks like "Negotiate://EXAMPLE-DOMAIN/username" or from Bluecoat proxy looks like "WinNT://EXAMPLE-DOMAIN/username"

The username and domain information sent from the proxy server is stored in the sender-email parameter.

By default most proxy server's only send the IP address and not the domain user information to the Network Prevent server which is stored in the sender-ip parameter.