May 27, 2025

Petra Autopsy: Incident Response for BECs

Petra Autopsy analyzes the 6 months prior to onboarding

Introducing Petra Autopsy.

We now have the capability to find and compile forensics for compromises up to 6 months before onboarding.

Now when a prospect or client needs incident response for a BEC, you can offer them a full forensic incident report and Excel export delivered within 24 hours.

May 23, 2025

Improved White-label Threat Remediation Report

We redesigned the PDF export.

Highlights:

  1. New executive summary for quick read-through.
  2. Attack duration and impact (crowd favorites in the portal) are now in the PDF.
  3. More compact timeline of events table on the second page.

May 16, 2025

Tenant-specific Access

Tenant-specific access

You can now invite members to a subset of your tenants in Petra.

This is helpful for two use-cases:

  1. Giving access to a client who needs to see the portal themselves.
  2. Least-privilege access to a subset of tenants for an AE or technical team member.

May 12, 2025

Revamped Attack Timeline

Attack Timeline

The new attack timeline shows all of the attacker’s activity over the course of an account compromise: from the initial phish -> successful logins -> SharePoint/Exchange activity.

Then, we can see Petra flagging that attacker’s activity, killing current sessions, and locking the account.

Afterwards, we often see failed logins as the attacker bangs on the door.

The new attack timeline sits at the bottom of the incident view, just beneath the Attack Impact panel.

May 9, 2025

Attack Impact

Attack Impact in continuous monitoring

Attack Impact in an incident response case

What files/emails did the attacker touch?

Usually, defenders have to dig through logs and PowerShell scripts to find the answer.

Instead, we make it easy to see what an attacker did with Attack Impact.

You can see exactly which emails and files the attacker read, modified, sent, or deleted.

This is particularly helpful for identifying things like:

  1. What emails did the attacker send? To whom? (Likely to laterally phish).
  2. What files did the attacker modify?
  3. What did the attacker delete?

Just as importantly, Attack Impact helps you identify what the attacker did NOT read or interact with. For GDPR and HIPAA clients with disclosure requirements, this is a huge time and money saver.

May 2, 2025

Filter emails by subject

Super fast tenant-wide search.

This is useful for a variety of forensics tasks, like tracking down an email that a user vaguely remembers or getting to the root of an email thread.

When you want all of the emails in a thread, use “contains” without case sensitivity to include the “Re:” and “Fwd:” messages. When you want the root, use “equals.”

April 25, 2025

Two emails are similar to the known phish

We see this all the time: after a successful phish, sometimes attackers will send similar emails to other users in the organization, hoping to phish them as well. If the first one worked, there’s a pretty high chance others will too.

After a user has been phished and Petra has identified the phishing email, Petra shows you other emails similar to it.

In a future update, you’ll be able to one-click remove these emails from mailboxes in your tenant.

Email Interactions Panel

Asha received and opened the phish

Via the Email Interactions Panel, you can see who has read/forwarded/replied/etc. an email.

This is helpful after a user has been phished, to see who is in the blast radius, i.e. who has read, clicked, or replied to the phishing email.

In a future update, you’ll be able to one-click remove all identified similar phishing emails from your environment.

Other updates this week:

  • Incident logs export: Export all logs from an incident as .xlsx
  • User list export: Export all users in a tenant as .xlsx

April 18, 2025

Company IP Detection

104.8.38.161 is the Daly City office VPN

IP geolocation can be misleading. Just because a user logs in from a New York IP every day doesn’t mean they’re actually in New York — it could be the company’s shared tunnel or office VPN that everyone uses.

Petra now tells you when a login is coming from a shared company IP. Our detection engine already uses this signal to cut down on false impossible travel alerts, and now we’re surfacing it in the portal so you have that context when investigating.

Logging Received Emails

‘Email Received’ events are now processed in addition to the traditional operations logged in the Unified Audit Log. Now, you can see who has received an email before they interact with it at all.

April 11, 2025

Disable Inbox Rules & App Registrations

Remediate inbox rules and app registrations

You can now 1-click disable inbox rules and app registrations that the attacker added when they had access. You’ll also see audit logs that record when each action was taken, and by whom.

The portal constantly syncs with the state from Microsoft, so if for some reason something was disabled or deleted directly in Microsoft, that would be reflected here too.

April 3, 2025

Filter Auth Methods and Devices by username

  • Search and filter authentication methods and devices by specific usernames for targeted investigations.
  • Username is auto-populated to the compromised account during an incident.

Export spotlighted investigations as PDF

  • Download complete records of spotlight investigations as PDF files for documentation and sharing.
  • Reports are company-branded for professional presentation.

March 27, 2025

Phish Identification

  • Petra identifies the email that is most likely the phish that led to the user’s compromise.
  • Phish appears in attack timeline with forensic details showing when the user clicked on the phish and if the user deleted it thereafter.
  • Identify if the attacker deleted the phish to cover their tracks.

Autotask Integration

  • Generate tickets in an Autotask queue when there’s an incident.

Redesign tenant report

  • White-labeled tenant report includes an executive summary on the first page.

Include inbox rule content in Attack Timeline

  • See the contents of the inbox rules including their title, conditions, exceptions, and actions.

March 20, 2025

Added Acme Corp demo tenant to the portal

  • Demo tenant now available in your portal for product exploration.
  • Use this tenant to demonstrate the value of M365 monitoring to prospects.

Data Center tagging in activity viewer

  • IP addresses belonging to data centers are tagged in the logs viewer.
  • Easily identify traffic originating from cloud providers and hosting services.

Login stats sidebar

  • View login frequency across various cities over time.
  • Identify unusual login location patterns at a glance.

Multi-select filters on logs

  • Add filters that match multiple values (e.g., country not equals US or Canada).
  • Create complex queries to narrow down specific activity patterns.

Slack webhook integration

  • Send incident notifications to Slack channels through webhooks.

Mail to UPN auto-resolution

  • Searching by email address or UPN includes logs for both automatically.

March 13, 2025

Make the entire app mobile-friendly

  • All Petra interfaces now fully support mobile devices.
  • Control Microsoft from anywhere, even when away from your desk.

Add filters to rare activity

  • Filter rare activity events by type.

User page

  • View user details with complete metadata, authentication methods, and logs.

March 6, 2025

P1/P2 risk events

  • If your tenant has P1/P2 risk events, you can see them in the portal.
  • Investigate the activity in the context of surrounding logs.

Spotlighted investigations

  • Review investigations into suspicious but ultimately benign behavior.
  • Highlight these investigations to show the value of M365 monitoring.

Report Generator

  • Generate comprehensive reports of tenant activity.

February 27, 2025

Apply filters to log exports

  • Export logs with the same filters applied in the viewer.

Add rare activity to tenant report

  • Rare activity events now included in tenant reports.

February 20, 2025

New failed attack types: password spray and known malicious IP

  • Detection for password spray attacks against your tenant.
  • Identification of connection attempts from known malicious IP addresses.
  • Better visibility into failed attack attempts targeting your organization.

February 13, 2025

Apps, devices, auth methods, directory roles tables

  • Track application usage, device access, authentication methods, and role assignments.
  • Useful for tracking activity around an attack.

February 6, 2025

Filter by not equals

  • Create exclusion filters (e.g., country not US, ISP not Comcast).
  • Focus on activity from unexpected or non-standard sources.

Autocomplete some filters

  • Autocomplete for username, UPN, browser, OS, etc. filters as you type.
  • Faster filter creation with suggested values from your tenant data.

January 30, 2025

Share filter bar across all log sources

  • Filters in activity viewer apply across all tables (logins, Exchange, SharePoint, Teams).
  • Maintain consistent filtering criteria when switching between different log types.

Remediation readiness panel

  • At-a-glance view of how you’ll be notified of incidents.
  • Verify your notification channels are correctly configured.

API for SIEM integration

  • API for pulling incidents using a cursor, designed for SIEM integration.
  • Incorporate Petra incident data into your existing security workflows.

January 23, 2025

Users export

  • Export all users in a tenant to spreadsheet format.
  • Analyze user data outside of the Petra platform.

Failed attacks

  • View targeting patterns and attack toolkits used against your organization.
  • Identify which users are being targeted, typically executives.
  • Use this data as a sales artifact to demonstrate M365 monitoring value.

January 16, 2025

Remediation controls

  • Lock down compromised accounts with a single click.
  • For hybrid tenants, Petra renews the lock repeatedly to prevent on-prem sync from unlocking the account.

Teams integration

  • Send incident notifications to Microsoft Teams channels.
  • Keep your security team informed through their existing communication platforms.

January 9, 2025

Third party app names

  • Track third-party apps that users sign into within the activity viewer.
  • See friendly application names instead of just application IDs.

ConnectWise integration

  • Automatically generate tickets in ConnectWise when incidents occur.
  • Streamline incident response through your established ticketing system.

January 2, 2025
  • Scan for attackers already present in the tenant before monitoring began.
  • Identify and remediate existing compromises during the onboarding process.
  • Get immediate security value from day one of Petra implementation.

2024 Archive

An Eventful Year

  • Launched initial activity viewer with login logs
  • Added Exchange Online activity tracking
  • Added SharePoint and OneDrive activity tracking
  • Added Teams activity tracking
  • Added email notifications for incidents
  • Added webhook notifications for incidents
  • Built investigation tools to analyze raw logs with very low latency
  • Added custom geolocation data enrichment to correct Microsoft’s often incorrect IP geolocation
  • Added tenant-wide activity search
  • Built role-based access control for members in the portal
  • Built PDF export reporting capabilities