When a user uploads files to Salesforce, not all events are detected by CloudSOC. There are no corresponding DLP violations when the files should match the DLP policy.
Some files uploaded to Salesforce are considered as "Salesforce files" rather than attachments. Therefore, the Salesforce Securlet requires the Query All Files option enabled in Salesforce.
Release : 1.0
As per the Salesforce Tech Note, please enable the Query All Files option in Salesforce in order to retrieve all files from the organization, including files in non-member libraries and files in unlisted groups, in order to see the data in CloudSOC.
Please refer to Tech Note--Salesforce Securlet for additional information: