AMP disposition

Solved
MFisher
Here to help

We have an MX68 in production and recently started receiving syslog messages with event type "security_filtering_file_scanned" stating that a file download was blocked. The associated domains AND file hashes are not listed as malicious by other online sources. Below is one of the parsed logs.


"dst_ip": "XXXXXXXX",
"@version": "1",
"@timestamp": "2020-05-20T09:51:26.319Z",
"client_mac": "XXXXXXXXXX",
"log_type": "security_event",
"url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
"src_ip": "XXXXXXXX",
"host": "XXXXXXXX",
"epoch": "1589968286.289412569",
"dst_port": "80",
"src_port": "50830",
"sec_type": "security_filtering_file_scanned",
"hostname": "XXXXXXXXX",
"enc": "sha256",
"disposition": "malicious",
"hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
"action": "block"

How does AMP cloud determine the download is malicious?  Is it the URL or the file hash?

Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log".  We only get the syslog messages saying these file downloads were blocked.
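Since the events above only reach syslog, the following added example (not code from the original post, and not a Meraki tool) shows one way to collect them for triage: it parses JSON-shaped records like the one in the post, keeps only blocked `security_filtering_file_scanned` events with a malicious disposition, checks that the `hash` field is a SHA-256 hex digest when `enc` says `sha256`, and groups the remainder by hash so each unique file is cross-checked once rather than per download. The sample records are constructed; their IPs and hostnames are placeholders, and the URL and hash values are the ones quoted in the post.

```python
"""Group Meraki MX 'security_filtering_file_scanned' block events by file hash.

Added example, not from the original post. Input records are assumed to be
JSON objects with the field names shown in the parsed log above.
"""
import json
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Hash and URL quoted in the post; everything else below is a placeholder.
POST_HASH = "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7"
POST_URL = ("http://officecdn.microsoft.com.edgesuite.net/pr/"
            "7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...")


def make_event(overrides):
    """Build one constructed record shaped like the parsed syslog event in the post."""
    base = {
        "@timestamp": "2020-05-20T09:51:26.319Z",
        "log_type": "security_event",
        "sec_type": "security_filtering_file_scanned",
        "url": POST_URL,
        "src_ip": "10.0.0.10",      # placeholder
        "dst_ip": "203.0.113.5",    # placeholder
        "dst_port": "80",
        "src_port": "50830",
        "hostname": "WS-01",        # placeholder
        "enc": "sha256",
        "disposition": "malicious",
        "hash": POST_HASH,
        "action": "block",
    }
    base.update(overrides)
    return json.dumps(base)


# Constructed sample input: two blocks of the same file from two hosts, one
# scanned-but-allowed download, one record with a malformed hash, and one
# line that is not JSON at all (parsers must tolerate it).
SAMPLE_LINES = [
    make_event({}),
    make_event({"src_ip": "10.0.0.11", "hostname": "WS-02",
                "@timestamp": "2020-05-20T10:02:11.000Z"}),
    make_event({"disposition": "clean", "action": "allow"}),
    make_event({"hash": "not-a-sha256", "hostname": "WS-03"}),
    "this line is not a JSON record (constructed)",
]


def parse_security_events(lines):
    """Return the JSON records whose log_type is 'security_event'; skip everything else."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("log_type") == "security_event":
            events.append(rec)
    return events


def is_blocked_malicious_file(ev):
    """True for a file-scan event that AMP judged malicious and the MX blocked."""
    return (ev.get("sec_type") == "security_filtering_file_scanned"
            and ev.get("disposition") == "malicious"
            and ev.get("action") == "block")


def has_valid_hash(ev):
    """The 'enc' field names the digest; only sha256 hex digests are accepted here."""
    return ev.get("enc") == "sha256" and bool(SHA256_RE.match(ev.get("hash", "")))


def summarize_blocked_files(events):
    """Group blocked downloads by hash. Returns (summary, rejected_events)."""
    by_hash = defaultdict(lambda: {"count": 0, "hosts": set(), "urls": set(),
                                   "first_seen": None, "last_seen": None})
    rejected = []  # blocked events whose hash field cannot be used for lookup
    for ev in events:
        if not is_blocked_malicious_file(ev):
            continue
        if not has_valid_hash(ev):
            rejected.append(ev)
            continue
        entry = by_hash[ev["hash"]]
        entry["count"] += 1
        entry["hosts"].add(ev.get("hostname", "?"))
        entry["urls"].add(ev.get("url", "?"))
        ts = ev.get("@timestamp")
        if ts:  # fixed-width ISO-8601 UTC strings compare correctly as text
            entry["first_seen"] = min(filter(None, [entry["first_seen"], ts]))
            entry["last_seen"] = max(filter(None, [entry["last_seen"], ts]))
    summary = {h: {**e, "hosts": sorted(e["hosts"]), "urls": sorted(e["urls"])}
               for h, e in by_hash.items()}
    return summary, rejected


if __name__ == "__main__":
    summary, rejected = summarize_blocked_files(parse_security_events(SAMPLE_LINES))
    for h, e in summary.items():
        print(f"{h}: {e['count']} blocks on {e['hosts']} ({e['first_seen']} .. {e['last_seen']})")
    print(f"{len(rejected)} blocked event(s) with unusable hash field")
```

Feeding the real syslog stream through `parse_security_events` gives one line per unique hash, which is the value to submit to whatever reputation sources you use; the URL is kept only as context for the host that requested it.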

1 Accepted Solution
CptnCrnch
Kind of a big deal

It is in fact the hash that's considered malicious because of its "features" when being fed into Threat Grid.


2 Replies
MFisher
Here to help

I finally received a similar response from Meraki support. Thanks for the quick reply!
