Analyzing OneDrive Audit Results
Once the Nightfall audit is started, it is placed in the queue for scanning, with the status displayed as Queued. Once the scan begins, the status changes to Scanning. After the audit is completed, the status is updated to Completed. To stop an audit, click the ellipsis menu and select Stop.
To view the results of a specific audit, click the ellipsis menu for the desired audit and select View Results. This option displays the results of only the selected audit.

To view the results of all the audits, navigate to the Results tab. On the Results tab, you can apply filters to view the results of desired audits or directly select a OneDrive audit from the drop-down menu.

Understanding Audit Event Content
The scan results display the following columns.
Name
The name of the file.
Location
The location of the file scanned (OneDrive). You can click the OneDrive icon to navigate to the file.
Results
The number of external users who have access to the file.
Who
The email address of the user who owns the file.
Status
The current status of the scan result.
Ellipsis menu
The ellipsis menu allows you to perform the following actions.
Ignore: This action changes the status to Ignored. You can apply this action if there is no further action to be taken on the file.
Acknowledge: This action changes the status to Acknowledged. You can apply this action when you wish to take an action on the file later.
Restrict to Owner: This action restricts access to the file to its owner only.
Move to Recycle Bin: This action moves the file to the recycle bin. You can retrieve the file later, if required.
Delete File: This action permanently deletes the file. You cannot retrieve the file later.

When you click a file, the following details are displayed.
Tenant ID: The unique identifier for your organization’s M365 environment.
Tenant Registration ID: The registration ID of the M365 tenant.
Item Name: The name of the file containing sensitive data.
Item ID: The M365 ID of the file containing sensitive data.
Item Link: The OneDrive link to the file containing sensitive data.
Size: The total size of the file containing sensitive data.
Created At: The date and time when the file was created.
Last Modified At: The latest date and time when the file was modified.
Owner Email: The Email ID of the file owner.
Owner Name: The name of the file owner.
Drive ID: The unique identifier of the drive in which the file exists.
Created By Email: The Email ID of the user who created the file (may not always be the owner).
Created By Name: The name of the user who created the file (may not always be the owner).
Last Modified By Email: The Email ID of the user who last modified the file.
Last Modified By Name: The name of the user who last modified the file.
Detection Rules: The name of the detection rule(s) violated by the file.
The following details related to sensitive data are displayed.
Detector: The name of the detector that was violated.
Text Before: The text that appears before the sensitive data.
Finding: The sensitive data found in the document, along with the confidence level of the finding.
Text After: The text that appears after the sensitive data (if present).