Exposed o365 Contact doesn't show as exposed in CloudSOC.
A document will only show up as exposed once the share link has been accessed. The MSFT ACL does not get updated until a user has accessed the link. CloudSOC will not know the file has been exposed until after the ACL has been updated.
Verify the external files have been accessed in order to updated the ACL.
A user can create public links to files or share files to external addresses and there is no visibility of these exposures until the file is accessed by the emailed recipient for the external share or accessed through the created public link. There is no way to remove, or even know about, these exposures before they are accessed once.
Through the Securlet dashboard, any files that are not exposed and does not contain a keyword that triggers a DLP profile will not be visible in any way to Symantec admins. Only files that have been exposed (accessed by the outside) or have a potential to expose DLP profile data are visible.
For O365, if a user performs an action against a file, (share, upload, etc.) it can take up to 6 hours for that to be reflected in the Securlet, although the action should be seen in Investigate in minutes. This means if we have a policy to remove public exposures, a link can be created and emailed out, and the file accessed until the Securelet becomes aware, scans it and applies applicable policy.
Broadcom has requested MSFT enhance the process so that the ACL is updated when the file is shared and not when the file is accessed. Currently this is working as designed.