Exposed O365 Contact doesn't show as exposed in CloudSOC.
A document will only show up as exposed once the share link has been accessed. The MSFT ACL does not get updated until a user has accessed the link. CloudSOC will not know the file has been exposed until after the ACL has been updated.
Verify the external files have been accessed in order to updated the ACL.
Broadcom has requested MSFT enhance the process so that the ACL is updated when the file is shared and not when the file is accessed. Currently this is working as designed.