Cisco Cloudlock's scans of a customer environment are seen as "User Downloads", because Cloudlock uses user impersonation logins to access and scan queued files. Cloudlock does not actually store the files; only the access content and metadata needed for Incident creation (e.g. owner, ACL, activity history, match excerpts) are retained in any capacity. These scan downloads do not appear in the Activity feed, because Cloudlock filters them out by recognizing its own source IP.
However, sometimes Google does not properly report the activity and does not provide the source IP address. When this happens, Cloudlock cannot recognize and filter out its own activity, and the scan is displayed in the customer's Activity feed as a User Download.
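The failure mode described above can be reproduced when triaging exported download events yourself. The following is an added example, not Cloudlock's code: the event shape (`actor.email`, `ipAddress`, `events[].name`) is an assumption modeled on Google Workspace Reports API Drive activity records, the sample events are constructed, and the scanner range is a documentation placeholder to be replaced with the ranges your vendor publishes.

```python
import ipaddress

# Placeholder range (RFC 5737 documentation block); substitute the scanner
# egress ranges your vendor publishes. Not taken from the page.
SCANNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample events; field names are an assumption modeled on
# Google Workspace Reports API Drive activity records.
SAMPLE_EVENTS = [
    {"actor": {"email": "alice@example.com"}, "ipAddress": "192.0.2.15",
     "events": [{"name": "download"}]},
    {"actor": {"email": "alice@example.com"},  # no ipAddress reported
     "events": [{"name": "download"}]},
    {"actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.9",
     "events": [{"name": "download"}]},
    {"actor": {"email": "bob@example.com"}, "ipAddress": "",
     "events": [{"name": "download"}]},
    {"actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.9",
     "events": [{"name": "view"}]},
]


def classify(event):
    """Return 'scanner', 'unattributed', 'user', or None for non-downloads."""
    if not any(e.get("name") == "download" for e in event.get("events", [])):
        return None
    raw = (event.get("ipAddress") or "").strip()
    if not raw:
        return "unattributed"  # the case an IP-based filter cannot resolve
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return "unattributed"  # malformed value is as unusable as a missing one
    return "scanner" if any(ip in net for net in SCANNER_NETS) else "user"


def triage(events):
    """Group download events by class, keeping the actor for follow-up."""
    buckets = {"scanner": [], "unattributed": [], "user": []}
    for ev in events:
        label = classify(ev)
        if label:
            buckets[label].append(ev.get("actor", {}).get("email", "unknown"))
    return buckets


if __name__ == "__main__":
    for label, actors in triage(SAMPLE_EVENTS).items():
        print(f"{label:13} {len(actors)} {actors}")
```

Events in the `unattributed` bucket are the ones that cannot be matched to the scanner by IP and can therefore surface as User Downloads.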