CloudSOC CASB Gateway


 Expected behavior for incidents over CASB + CSWG (aka WSS) + DLP

Broadcom Knight Rigo posted Mar 26, 2024 11:28 AM

Hi Team

Could you let me know if, with a configuration where CASB is integrated with DLP and CSWG, it's expected to have duplicated incidents (those for the WSS Cloud Connector <Network> and then the Application level (CASB/Gatelet))?

Best Regards

Rodrigo

Broadcom Employee Olin

Hey Rodrigo,

In our lab the only time we've seen duplicates is with the Gatelets; for example, the O365 Gatelet and MS Teams Gatelet overlapping in coverage. We've never noticed a double incident in our lab related to Network (WSS) and Application (CASB).

We believe that the CASB Gateway (i.e. WSS/CSWG) makes a determination to send it either to the REST detector or to the WSS detector. We don't think it would send to both detectors simultaneously.

The only scenario we can think of is potentially if the CASB gateway determines the traffic needs to go to the WSS detector, but the outcome of the traffic is to change data at rest in a cloud app, and then the Securlet API would invoke on the data at rest afterwards, thus using the REST CDS from CASB. If CASB is catching data in motion after WSS handles it, we can't think of any obvious scenarios there.

If we understand more background about what you are seeing, we can try to duplicate it in the lab to see what happens. Can you please provide as many details as possible for duplication?

Thanks,

Olin