No DLP incident when a user downloads O365 files


Article ID: 281769


Products

CASB Securlet SAAS, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

The customer has a DLP keyword policy for Office 365 Securlet (OneDrive or SharePoint). The policy is triggered when the user creates/uploads the file but not when the user downloads the file.

Cause

This is because the file is scanned when it is first created or uploaded, and it has already triggered the DLP violation at that point. The file will not be scanned again unless there is a change to its metadata. For example, a content inspection will be invoked if there is a change to the file's content, or if its share status has changed.

Resolution

While Securlet can discover and act on data resting in the cloud, it cannot prevent the user from downloading the file. It is therefore recommended to leverage a Data in Motion (DIM) policy in this case to contain and monitor access. In the use case provided, you can use the DIM policy to monitor the download activities, and it gives you the capability to block them or notify the DLP admin in real time. With this layered defence approach, you can use Securlet to gain insight into the type of data that resides in the cloud and discover which sites have sensitive information, then use Gatelet policies to prevent unauthorized data transfer or data exfiltration.