Exposed O365 content doesn't show as exposed in CloudSOC (CASB).
A document will only show up as exposed once the share link has been accessed. The Microsoft (MSFT) Access Control List (ACL) does not get updated until a user has accessed the link. CloudSOC O365 Securlet will not know the file has been exposed until after the MSFT ACL has been updated.
Verify the external files have been accessed in order to updated the ACL.
Broadcom has requested MSFT enhance the process so that the ACL is updated when the file is shared and not when the file is accessed. As of 01 Feb 2024 - this is working as designed.