Exposed O365 content doesn't show as exposed in CloudSOC (CASB).

A document will only show up as exposed once the share link has been accessed. The Microsoft (MSFT) Access Control List (ACL) does not get updated until a user has accessed the link. CloudSOC O365 Securlet will not know the file has been exposed until after the MSFT ACL has been updated.

Verify the external files have been accessed in order to updated the ACL.

• A user can create public links to files or share files to external addresses and there is no visibility of these exposures until the file is accessed by the emailed recipient for the external share or accessed through the created public link. There is no way to remove, or even know about, these exposures within CloudSOC before they are accessed once.
  
  
• Through the Securlet dashboard, any files that are not exposed, do not contain a keyword that triggers a DLP policy, will not be visible in the Exposed tab. Only files that have been exposed (accessed by the outside) are visible.
  
  
• For O365 Securlet, if a user performs an action against a file, (share, upload, etc.) it can take up to 6 hours for that to be reflected in Securlet / Exposed, although the action should be seen in Investigate in minutes.
• 
  This means if there is a policy to remove public exposures, a link can be created and emailed out, and the file still can be accessed until the Securlet becomes aware, scans it, and applies applicable policy.

Broadcom has requested MSFT enhance the process so that the ACL is updated when the file is shared and not when the file is accessed.  As of 01 Feb 2024 -  this is working as designed.