Microsoft logs are often delayed by a few minutes, which could cause the forensics in the Threat Remediation Report to change in the minutes after the incident.
You can now see an estimated time for all of the forensics to be published by Microsoft and included in the Threat Remediation Report.
Incident Forensics Countdown
Self-serve Tenant Management
You can now remove tenants at any time without talking to anyone.
Go to Settings > Usage to manage your tenants.
Stop others from falling for the same phish
Now you can quickly see who else received a similar phish and remove it from their inbox.
This stops other employees from falling for the same phish.
Highlights:
Edit Analyst Note for Reports
This week’s release gives you the ability to edit the analyst note that appears in the Threat Remediation Report PDF.
We also added formatting to the notes to accommodate timelines, highlighting critical info, etc.
DKIM & Mailbox Permissions
The Remediation Actions panel now includes attacker activity in DKIM configuration and mailbox permissions.
This is important for understanding what the attacker did and how to undo it.
White-label Portal & PDF Reports
You now have the ability to use your own branding in the Petra portal and reports.
Now your logo is used in the nav bar and every report, which gives your external guests a consistent experience with your brand.
Petra Autopsy analyzes the 6 months prior to onboarding
Introducing Petra Autopsy.
We now have the capability to find and compile forensics for compromises up to 6 months before onboarding.
Now when a prospect or client needs incident response for a BEC, you can offer them a full forensic incident report and Excel export delivered within 24 hours.
Improved White-label Threat Remediation Report
We redesigned the PDF export.
Highlights:
Tenant-specific access
You can now invite members to a subset of your tenants in Petra.
This is helpful for two use-cases:
Attack Timeline
The new attack timeline shows all of the attacker’s activity over the course of an account compromise: from the initial phish -> successful logins -> SharePoint/Exchange activity.
Then, we can see Petra flagging that attacker’s activity, killing current sessions, and locking the account.
Afterwards, we often see failed logins as the attacker bangs on the door.
The new attack timeline sits at the bottom of the incident view, just beneath the Attack Impact panel.
Attack Impact in continuous monitoring
Attack Impact in an incident response case
What files/emails did the attacker touch?
Usually, defenders have to dig through logs and PowerShell scripts to find the answer.
Instead, we make it easy to see what an attacker did with Attack Impact.
You can see exactly which emails and files the attacker read, modified, sent, or deleted.
This is particularly helpful for identifying things like:
Just as importantly, Attack Impact helps you identify what the attacker did NOT read or interact with. For GDPR and HIPAA clients with disclosure requirements, this is a huge time and money saver.
Filter emails by subject
Super fast tenant-wide search.
This is useful for a variety of forensics tasks, like tracking down an email that a user vaguely remembers or getting to the root of an email thread.
When you want all of the emails in a thread, use “contains” without case sensitivity to include the “Re:” and “Fwd:” messages. When you want the root, use “equals.”
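As an added illustration of the two filter modes described above (this is example code written for this page, not Petra's own search implementation), the snippet below runs a case-insensitive "contains" filter and an exact "equals" filter over a small constructed set of messages. It also goes one step further than the text: it strips nested Re:/Fwd: prefixes so a whole thread can be matched against its root subject while excluding unrelated messages that merely contain the same words. The message list, field names and subjects are all constructed sample data.

```python
import re

# Constructed sample of tenant-wide search results (hypothetical subjects/senders).
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Invoice 4471 overdue", "from": "vendor@example.net"},
    {"id": 2, "subject": "RE: Invoice 4471 overdue", "from": "asha@example.com"},
    {"id": 3, "subject": "Fwd: RE: Invoice 4471 overdue", "from": "bob@example.com"},
    {"id": 4, "subject": "Invoice 4471 overdue - final notice", "from": "vendor@example.net"},
    {"id": 5, "subject": "Quarterly planning", "from": "cfo@example.com"},
]

# One or more leading reply/forward markers such as "RE:", "Fw:", "FWD:", in any case.
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def subject_contains(messages, needle):
    """'contains' filter, case-insensitive: pulls in Re:/Fwd: messages too."""
    needle = needle.lower()
    return [m for m in messages if needle in m["subject"].lower()]


def subject_equals(messages, subject):
    """'equals' filter: only the message whose subject matches exactly (the thread root)."""
    return [m for m in messages if m["subject"] == subject]


def thread_root_subject(subject):
    """Strip nested Re:/Fwd: prefixes, e.g. 'Fwd: RE: X' -> 'X'."""
    return PREFIX_RE.sub("", subject).strip()


def thread(messages, root_subject):
    """Every message whose normalized subject equals the root subject (case-insensitive).

    Unlike plain 'contains', this excludes messages that only embed the root
    subject inside a longer one, such as a separate 'final notice' email.
    """
    target = root_subject.strip().lower()
    return [m for m in messages if thread_root_subject(m["subject"]).lower() == target]


if __name__ == "__main__":
    for m in subject_contains(SAMPLE_MESSAGES, "invoice 4471 overdue"):
        print("contains:", m["id"], m["subject"])
    for m in subject_equals(SAMPLE_MESSAGES, "Invoice 4471 overdue"):
        print("equals:  ", m["id"], m["subject"])
    for m in thread(SAMPLE_MESSAGES, "Invoice 4471 overdue"):
        print("thread:  ", m["id"], m["subject"])
```

The "contains" filter returns messages 1 through 4, "equals" returns only the root (message 1), and the thread view returns messages 1 through 3 while leaving out the "final notice" email, which shares words with the root but is a different thread.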
Two emails are similar to the known phish
We see this all the time: after a successful phish, sometimes attackers will send similar emails to other users in the organization, hoping to phish them as well. If the first one worked, there’s a pretty high chance others will too.
After a user has been phished, and the phishing email has been identified by Petra, Petra shows you similar emails to the phish email.
In a future update, you’ll be able to one-click remove these emails from mailboxes in your tenant.
Asha received and opened the phish
Via the Email Interactions Panel, you can see who has read/forwarded/replied/etc. an email.
This is helpful after a user has gotten phished to see who is in the blast radius, i.e. who has read/clicked/replied to the phish email.
In a future update, you’ll be able to one-click remove all identified similar phishing emails from your environment.
104.8.38.161 is the Daly City office VPN
IP geolocation can be misleading. Just because a user logs in from a New York IP every day doesn’t mean they’re actually in New York — it could be the company’s shared tunnel or office VPN that everyone uses.
Petra now tells you when a login is coming from a shared company IP. Our detection engine already uses this signal to cut down on false impossible travel alerts, and now we’re surfacing it in the portal so you have that context when investigating.
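To make the reasoning in the two paragraphs above concrete, here is an added example (written for this page, not Petra's detection engine) of an impossible-travel check that keeps the shared-company-IP signal as context rather than discarding it. It walks a user's consecutive sign-ins, estimates the speed implied by the geolocation distance and time gap, and, when that speed is implausible but one end of the hop is a known shared egress IP such as an office VPN, records the hop as suppressed instead of alerting. The GeoIP table, the shared-IP list, the IP addresses and the login timestamps are all constructed sample data.

```python
import math
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP lookup: ip -> (label, latitude, longitude).
GEOIP = {
    "203.0.113.10": ("New York office VPN", 40.7128, -74.0060),
    "198.51.100.7": ("London", 51.5074, -0.1278),
    "192.0.2.44": ("Daly City", 37.6879, -122.4702),
}

# Constructed list of a tenant's shared egress IPs (office VPNs, proxies).
SHARED_COMPANY_IPS = {"203.0.113.10"}

# Above this implied speed a hop is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    radius = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def evaluate_login_pair(prev, curr):
    """Judge the hop between two consecutive sign-ins, each a (timestamp, ip) tuple.

    Returns a dict with the verdict ('ok', 'impossible_travel' or
    'suppressed_shared_ip'), the distance/speed, and which IPs were shared,
    so an investigator still sees the VPN context when the alert is suppressed.
    """
    (t_prev, ip_prev), (t_curr, ip_curr) = prev, curr
    hours = (t_curr - t_prev).total_seconds() / 3600.0
    label_prev, lat1, lon1 = GEOIP[ip_prev]
    label_curr, lat2, lon2 = GEOIP[ip_curr]
    km = haversine_km(lat1, lon1, lat2, lon2)
    if km == 0:
        kmh = 0.0  # same location: no travel regardless of time gap
    elif hours <= 0:
        kmh = float("inf")  # different locations, no elapsed time
    else:
        kmh = km / hours
    shared = sorted(ip for ip in (ip_prev, ip_curr) if ip in SHARED_COMPANY_IPS)
    if kmh <= MAX_PLAUSIBLE_KMH:
        verdict = "ok"
    elif shared:
        verdict = "suppressed_shared_ip"
    else:
        verdict = "impossible_travel"
    return {
        "verdict": verdict,
        "from": label_prev,
        "to": label_curr,
        "km": round(km),
        "kmh": round(kmh) if kmh != float("inf") else kmh,
        "shared_ips": shared,
    }


def triage(logins):
    """Evaluate each consecutive pair in a time-ordered list of one user's sign-ins."""
    ordered = sorted(logins, key=lambda entry: entry[0])
    return [evaluate_login_pair(a, b) for a, b in zip(ordered, ordered[1:])]


# Constructed sign-in sequence for one user.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    (T0, "203.0.113.10"),                        # New York office VPN
    (T0 + timedelta(hours=1), "198.51.100.7"),   # London, one hour later
    (T0 + timedelta(hours=2), "192.0.2.44"),     # Daly City, one hour after that
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LOGINS):
        print(result)
```

The first hop (VPN to London) is physically impossible but is recorded as suppressed, with the VPN IP listed, because the New York address is a shared egress point; the second hop (London to Daly City) involves no shared IP and is flagged as impossible travel. A real deployment would replace the two constructed tables with a GeoIP database and the tenant's maintained list of shared IPs.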
‘Email Received’ events are now processed in addition to the traditional operations logged in the Unified Audit Log. Now, you can see who has received an email before they interact with it at all.
Remediate inbox rules and app registrations
You can now 1-click disable inbox rules and app registrations that the attacker added when they had access. You’ll also see audit logs that record when each action was taken, and by whom.
The portal constantly syncs with the state from Microsoft, so if for some reason something was disabled or deleted directly in Microsoft, that would be reflected here too.