CloudSOC / Audit / Services indicates that certain traffic is allowed that the customer believes is blocked by the firewall.
CASB Audit is designed to report traffic greater than 0 bytes
Audit reads from the firewall\proxy logs to discover Services first by URL and then by destination IP.
CSB (CloudSOC) tracks IP attributes used by these Services such as DNS, certificate details etc...
SaaS vendors can repurpose Services for other processes that result in Audit reporting an app as allowed.
In Audit - check the Discovery Profile of the Services for allowed IP's and then cross-reference those IP addresses with the allowed traffic in the firewall.
Isolating the Service to find the IP used for a process can help you determine if this is a problem. Verify the certificate for that IP.
Example firewall snip-it shows a destination address of 184.108.40.206
2020-09-01T20:16:18+21:00 PFW-NDE-USA-GCS-DOM-01 2020/09/01 21:18:14,7.255E+12,TRAFFIC,end,,9/1/2020 21:18,10.10.0.1,220.127.116.11....,0x40001c,tcp,allow,1545,626,919....
IP 18.104.22.168 has a certificate with subject:
Note: Audit does not differentiate between Google Drive and Google Docs. They share services and or resources. This example could apply to other vendor services that may share a common resource.