Check the WSS (Cloud SWG)/CASB integration from within the WSS ThreatPulse portal (https://portal.threatpulse.com).
Activated Gatelets are displayed under Policy (left pane 'script' icon) > CASB Gatelets.
If the Gatelets are not available, make sure the product is integrated and that Symantec support has activated WSS sync with the CASB Gateway.
If the Gatelet was recently activated from CloudSOC, please allow 5-15 minutes for the sync window to complete.
To check the CloudSOC activation, go to Settings ('gear' icon on left pane), Products & Licensing, CloudSOC Gateway.
Check the Report Center logging for Gatelet-aware SaaS traffic: Report Center, Web Browsing per Site or Full Logs, or similar options.
If no SaaS traffic exists, verify that the Gatelets are enabled from the CloudSOC Store (example of enabled Gatelet below).
If the Gatelets are enabled, your SaaS traffic may be diverted or steered away from WSS. Check the on-prem firewall and proxy configuration for both the WSS Agent traffic and the Gatelet traffic. Verify that the URLs and IPs for WSS and for the SaaS applications are properly whitelisted. See WSS-ingress whitelisting, and verify that the SaaS traffic is not being sent through the local proxy or blocked at the firewall.
Additionally, when Agent Traffic Manager (ATM) is in use, check whether any policy is preventing traffic from being sent to CloudSOC.
Collect a SymDIAG from the machine while replicating the problem with the Gatelet SaaS application, e.g. O365. Test with more than one Gatelet to make sure the problem is not Gatelet-specific.
The SymDIAG will also capture a pcap of the traffic from the workstation.
If you're using the full version of WSS, browsing to pod.threatpulse.com will state whether the traffic is protected. The WSS-lite agent will not report the traffic as protected, because only the Gatelet traffic is protected and not all traffic.
From the audit datasource in CloudSOC, check the WSS datasource to see whether Gatelet SaaS traffic is detected, e.g. O365, Box, etc.
Domains of Interest (DOI) for a Gatelet need to be SSL intercepted so the traffic can be inspected.
Broadcom support can help to get a policy trace to verify that the traffic is being properly intercepted.
The DOI or URL used for login or upload to that Web App could be bypassed, which could result in no Content Inspection.
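One way to spot a bypassed DOI from the affected workstation is to look at who issued the certificate each DOI host presents. The script below is an added example, not Broadcom tooling; the host names, the sample certificates and the INTERCEPT_CA_MARKER value are constructed placeholders to replace with your own Domains of Interest and the issuer name of your SSL interception CA.

```python
import socket
import ssl

# Assumption: placeholder for a string found in the issuer of your tenant's
# SSL interception CA certificate; replace it with the real value.
INTERCEPT_CA_MARKER = "EXAMPLE-INTERCEPT-CA"

# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERTS = {
    "login.saas.example": {"issuer": ((("organizationName", "Example Corp"),),
                                      (("commonName", "EXAMPLE-INTERCEPT-CA Root"),))},
    "upload.saas.example": {"issuer": ((("organizationName", "Example Public CA"),),
                                       (("commonName", "Example Public CA G2"),))},
}

def issuer_names(cert):
    """Flatten the nested issuer RDN tuples into a {field: value} dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert, marker=INTERCEPT_CA_MARKER):
    """Return 'intercepted' if the issuer CN or O contains the marker."""
    names = issuer_names(cert)
    fields = (names.get("commonName", ""), names.get("organizationName", ""))
    hit = any(marker.lower() in field.lower() for field in fields)
    return "intercepted" if hit else "not intercepted"

def fetch_cert(host, port=443, timeout=5.0):
    """Live lookup; the chain is validated against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(hosts, fetch=fetch_cert, marker=INTERCEPT_CA_MARKER):
    """Map each host to 'intercepted', 'not intercepted' or 'error: <type>'."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host), marker)
        except OSError as exc:  # includes ssl.SSLError, DNS failures and timeouts
            results[host] = f"error: {type(exc).__name__}"
    return results

if __name__ == "__main__":
    # Offline demo on the constructed sample; drop fetch= to query live hosts.
    for host, state in audit(SAMPLE_CERTS, fetch=SAMPLE_CERTS.__getitem__).items():
        print(f"{host}: {state}")
```

A login or upload host that reports "not intercepted" while other DOIs report "intercepted" is a candidate for the bypass described above and is worth raising in the policy trace.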