There are two scans within Microsoft Cloud App Security; the first scan is what we call the “at rest scan,” so this one is ongoing and will scan your files from the oldest to the newest.
The second scan is what we call the “near real-time scan,” and once a file has been changed or added, it will be scanned through this queue, then it will go through the content scan engine or the third party DLP engine, and depending on what you choose after your files have been scanned.
Then it will be able to gather information and then take the appropriate governance actions when needed. If there is a policy match, you’ll see these alerts within Microsoft Cloud App Security, so you could also get a text or email notification, and we can also send these alerts to your SIEM.
The following architecture describes the main components and actions for Data and File Control.

More blog posts about Microsoft Cloud App Security