Download activities are not recorded when using O365 Access Monitoring via Securlet policy

Article ID: 418017

Products

CASB Securlet SAAS, CASB Advanced Threat Protection, CASB Security Advanced, CASB Security Standard, CASB Security Premium

Issue/Introduction

An Office 365 Access Monitoring via Securlet policy has been configured in CASB (CloudSOC).

When a user downloads a shared file, the event does not appear in the Investigate tab, even though other O365 activities are logged.

Cause

Download activity for Access Monitoring policies is captured under Admin activity events and depends on Microsoft 365 audit logs as the data source.

Reference:

O365 Securlet ATP: Access Monitoring

If audit logging is not enabled in the Microsoft 365 tenant, download events will not be available for CASB to ingest.

 

Resolution

Complete the following steps to turn on auditing:

  1. Sign in to the Microsoft Purview portal.
  2. Select the Audit solution card. If the Audit solution card isn't displayed, select View all solutions and then select Audit from the Core section.
  3. If auditing isn't turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
  4. Click on the Start recording user and admin activity banner.

It might take up to 60 minutes for the change to take effect.
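
The same check can be scripted. The following is an added example, not part of the original article or vendor tooling: it reads the tenant's unified audit log setting, optionally turns it on, and then confirms that `FileDownloaded` records are present in the Microsoft 365 audit log, which is the source CASB ingests from. It assumes the ExchangeOnlineManagement module is installed and the account holds an audit-capable admin role; the script's parameter names (`AdminUpn`, `Enable`, `LookbackHours`) are hypothetical.

```powershell
# Added example: verify (and optionally enable) Microsoft 365 unified audit logging,
# then confirm download events are reaching the audit log.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,  # placeholder, e.g. admin@contoso.example
    [switch] $Enable,                           # turn auditing on if it is off
    [int] $LookbackHours = 24                   # window searched for download events
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Must be an Exchange Online session: in Security & Compliance PowerShell the
# UnifiedAuditLogIngestionEnabled property always reads False.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $config = Get-AdminAuditLogConfig
    if (-not $config.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit logging is OFF: no download events exist for CASB to ingest.'
        if ($Enable) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            Write-Host 'Auditing turned on. Allow up to 60 minutes before re-testing.'
        }
        return
    }
    Write-Host 'Unified audit logging is ON.'

    # Dates without a time zone are interpreted as UTC by Search-UnifiedAuditLog.
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddHours(-$LookbackHours)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations FileDownloaded -ResultSize 100

    if (-not $records) {
        Write-Warning "No FileDownloaded records in the last $LookbackHours hours."
        return
    }

    # AuditData is a JSON string; extract the fields needed to match a test download.
    $records | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            TimeUtc = $d.CreationTime; User = $d.UserId
            File    = $d.ObjectId;     ClientIP = $d.ClientIP
        }
    } | Sort-Object TimeUtc | Format-Table -AutoSize
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the test download appears here but not in the Investigate tab, the gap is on the ingestion side rather than in tenant auditing.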

 

Additional Information

  • Download events are retrieved through the Microsoft 365 Management Activity API, so a slight delay before they become visible is expected in some cases.
  • Once audit logging is enabled, download activities can be monitored for external users (including anonymous shared links) and internal users.