If you are using Web Prevent for monitor Outlook Web Access (OWA) traffic, you probably were unlucky to find out any user account information in such incidents.
Good news! After inspecting a "Message body" part of such incidents, I found out that it contains a string with user SID from Active Directory. Using this entry you can fetch any user's information from your Active Directory.
And even better! You can use it in your Lookup Plugins as well. With a little trick. As you may know, Lookup Plugins can not directly deal with incident's attachments, message and so on. But if you leveraging any script language for Lookup Plugin, you can easily get around this limitation. There is another place where you can get any incident's component - Incident Reporting and Update API.
I prefer to write Lokkup Plugins with Python for it's simplicity. If you do so, I recommend using SUDS to deal with API.