Services in CASB Audit indicate that certain traffic is allowed, although the customer believes the firewall blocks it.
CASB Audit is designed to report traffic greater than 0 bytes.
Audit reads the firewall/proxy logs and discovers services first by URL and then by destination IP. CloudSOC tracks IP attributes used by these services, such as DNS and certificate details.
SaaS vendors can repurpose services for other processes, which can result in Audit reporting an app as allowed.
Check the Discovery Profile of the services for allowed IPs, then cross-reference those IP addresses with the allowed traffic in the firewall.
Isolating the service to find the IP used for a process can help you determine if this is a problem. Verify the certificate for that IP.
Example firewall snippet showing a destination address of 220.127.116.11:
2020-09-01T20:16:18+21:00 PFW-NDE-USA-GCS-DOM-01 2020/09/01 21:18:14,7.255E+12,TRAFFIC,end,,9/1/2020 21:18,10.10.0.1,18.104.22.168....,0x40001c,tcp,allow,1545,626,919....
IP 22.214.171.124 has a certificate with subject:
Note: Audit does not differentiate between Google Drive and Google Docs because they share services and/or resources. This could also apply to other vendors' services that share a common resource.
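The cross-reference described above (Discovery Profile IPs against allowed firewall traffic) can be scripted; the following is an added example, not part of the original article or of CloudSOC. It assumes the firewall log has been exported to a simplified CSV with the hypothetical columns shown, and every address in it is a constructed documentation-range value.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: firewall traffic log exported to a simplified CSV.
# The column names are assumptions for this example, not a vendor format.
SAMPLE_LOG = """\
time,src,dst,proto,action,bytes
2020-09-01T21:18:14,10.10.0.1,203.0.113.10,tcp,allow,1545
2020-09-01T21:18:20,10.10.0.2,203.0.113.10,tcp,allow,0
2020-09-01T21:18:31,10.10.0.5,203.0.113.10,tcp,allow,626
2020-09-01T21:19:02,10.10.0.1,198.51.100.7,tcp,deny,0
2020-09-01T21:20:45,10.10.0.3,203.0.113.11,tcp,allow,919
2020-09-01T21:21:10,10.10.0.3,192.0.2.55,tcp,allow,4096
2020-09-01T21:22:00,10.10.0.4,not-an-ip,tcp,allow,100
"""

# Constructed sample: IPs copied from the service's Discovery Profile.
PROFILE_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}


def allowed_hits(log_text, profile_ips):
    """Summarise allowed sessions with more than 0 bytes to profile IPs."""
    wanted = {ipaddress.ip_address(ip) for ip in profile_ips}
    hits = defaultdict(lambda: {"sessions": 0, "bytes": 0, "sources": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address((row["dst"] or "").strip())
            nbytes = int(row["bytes"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed or truncated row
        # Audit only reports traffic greater than 0 bytes, so mirror that.
        if row["action"] != "allow" or nbytes <= 0 or dst not in wanted:
            continue
        entry = hits[str(dst)]
        entry["sessions"] += 1
        entry["bytes"] += nbytes
        entry["sources"].add(row["src"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(allowed_hits(SAMPLE_LOG, PROFILE_IPS).items()):
        print(ip, info["sessions"], info["bytes"], sorted(info["sources"]))
```

Each destination IP the function returns is a candidate for the certificate check, and the listed source addresses point to the firewall sessions to review.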