CASB Detect risk vector "Users interacting with malicious content" produces false positives

Article ID: 430544

Products

CASB Securlet SAAS, CASB Securlet IAAS

Issue/Introduction

You have enabled the Risk Vector "Users interacting with malicious content" in the Detect Preferences on your CASB tenant. Later, the Risk Vector is found to produce false positive incidents, for example for the download of an internal document that is confirmed not to contain any malicious data (such as a VBA script or malware), or whose URL should not be treated as suspicious by the Risk Vector.

Environment

CASB Detect

Resolution

You can narrow down the definition of the malicious content Risk Vector with the following process:

  1. Go to Detect -> Preferences -> Risk Vectors.
  2. Click on the three dots next to the "Users interacting with malicious content" Risk Vector and select "Edit".
  3. You should see a popup similar to this:


  4. On the left side, go to the Query tab; an Investigate Event Risk filter should be available there. Hover over it with the mouse cursor and click on the "Filter" icon:

  5. That should produce a popup similar to this:

  6. In addition to the "null" value, there may be other deselected values here, such as Exposed or Violations. This definition determines which Risk types seen on end-user activity fall under the definition of the malicious content Risk Vector. All selected values are added to the Exclude filter for the vector, meaning that these specific Risks will not generate Detect events for that vector.
  7. Depending on which types of Risks should not generate Detect events for the Risk Vector, select them so that they are added to the Exclude filter.
  8. Save the filter for the Risk Vector, then monitor further generation of Detect events by the vector to check whether you now see the expected number of events and whether any false positives remain.


Additional Information

In addition, the following actions can be taken:

Flagging Detect incidents as False Positives

One way to handle false positives and help the system improve its accuracy is to verify and flag them:

  • Navigate to Detect > Incidents in the CloudSOC console.
  • Locate the specific incident triggered by the "Users interacting with malicious content" risk vector.
  • Review the incident details to confirm it is a false positive.
  • Flag the incident as a False Positive. This action can help reduce the user's risk score and provides feedback to the detection engine.

More on this can be found here:

Verify Detect Incidents 
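The following Python model ties together the Exclude filter semantics from steps 6 and 7 of the Resolution (a Risk type selected in the filter no longer raises a Detect event for the vector) with the analyst verdicts produced by flagging incidents as False Positives in Detect > Incidents. It is an added example, not CASB or CloudSOC code: the event fields, the verdict labels, the "Malware" Risk type and the selection rule for candidate exclusions are all assumptions made for illustration. The only Risk values taken from the article are "null", Exposed and Violations.

```python
"""Model of the "Users interacting with malicious content" Exclude filter.

Constructed example, not Symantec/Broadcom CASB code. Event fields, the
verdict labels and the "Malware" Risk type are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ActivityEvent:
    """One end-user activity as the Risk Vector would evaluate it (constructed)."""
    user: str
    action: str
    risk: Optional[str]  # Investigate "Event Risk" value; None models the "null" value


# The article says "null" is already deselected, i.e. excluded, by default.
DEFAULT_EXCLUDE = frozenset({None})


def generates_detect_event(event: ActivityEvent, exclude: frozenset) -> bool:
    """Step 6 semantics: a Risk type in the Exclude filter does NOT raise a
    Detect event for the vector; every other Risk type does."""
    return event.risk not in exclude


def false_positive_rate_by_risk(incidents):
    """incidents: iterable of (ActivityEvent, verdict), where verdict is
    'false_positive' or 'true_positive' (the flag set in Detect > Incidents).
    Returns {risk: (false_positive_count, total_count)}."""
    stats = defaultdict(lambda: [0, 0])
    for event, verdict in incidents:
        stats[event.risk][1] += 1
        if verdict == "false_positive":
            stats[event.risk][0] += 1
    return {risk: (fp, total) for risk, (fp, total) in stats.items()}


def propose_exclusions(incidents, min_incidents=3, fp_threshold=1.0):
    """Assumed selection rule: suggest Risk types with at least min_incidents
    flagged incidents whose false-positive share reaches fp_threshold, so the
    analyst can consider adding them to the Exclude filter (step 7)."""
    rates = false_positive_rate_by_risk(incidents)
    return sorted(
        risk for risk, (fp, total) in rates.items()
        if risk is not None and total >= min_incidents and fp / total >= fp_threshold
    )


# Constructed sample: incidents the vector raised, with the analyst's verdicts.
SAMPLE_INCIDENTS = [
    (ActivityEvent("alice", "download", "Exposed"), "false_positive"),
    (ActivityEvent("bob", "download", "Exposed"), "false_positive"),
    (ActivityEvent("carol", "download", "Exposed"), "false_positive"),
    (ActivityEvent("dave", "share", "Violations"), "false_positive"),
    (ActivityEvent("erin", "share", "Violations"), "true_positive"),
    (ActivityEvent("frank", "download", "Malware"), "true_positive"),
    (ActivityEvent("grace", "download", "Malware"), "true_positive"),
    (ActivityEvent("heidi", "download", "Malware"), "false_positive"),
]


def tune(incidents):
    """Return (Exclude filter, events that still raise Detect events) after
    adding the proposed Risk types to the default exclusions."""
    exclude = DEFAULT_EXCLUDE | frozenset(propose_exclusions(incidents))
    remaining = [event for event, _ in incidents if generates_detect_event(event, exclude)]
    return exclude, remaining


if __name__ == "__main__":
    exclude, remaining = tune(SAMPLE_INCIDENTS)
    print("Exclude filter:", sorted(r or "null" for r in exclude))
    for event in remaining:
        print("still raises a Detect event:", event)
```

With the constructed sample, only Exposed is proposed for exclusion: all three of its incidents were flagged as false positives, while Violations and Malware each still have confirmed true positives and therefore keep raising Detect events. The threshold is deliberately strict, because an excluded Risk type is silenced for the whole vector, which is the trade-off step 8 asks you to monitor after saving.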

Tuning Detect Preferences

You can adjust the sensitivity or configuration of threat-based detectors to reduce noise:

  • Go to Detect > Users and click on the Preferences (gear icon) or navigate to Detect > Preferences.
  • Look for the Threats Based section.
  • Locate the Malicious URL detector.
  • If that detector is seen in the list, you may be able to adjust the Importance or Confidence levels for this detector. Lowering the importance will reduce its impact on the overall user Risk Score.

More on this can be found here:

Threat-Based Incident Detector  

Configure ThreatScore automatic reduction

There is a setting in Detect Preferences which enables an automatic reduction of service ThreatScores over time. It can be enabled or disabled. More on the topic here:

Configure Detect User Preferences