Skip to main content
September 26, 2025

Full Incidents in Tenant Report Appendix

When a Tenant Report includes an Incident, the complete Incident Report will now be added to the Appendix.
Full Incident in Tenant Report

Full Incident in Tenant Report

Tenant Report Bug Fixes

Thanks to some helpful feedback from customers, we’ve fixed a few bugs in the Tenant Report.
  • Improved readability of the Executive Summary page
  • Fixed bug for particularly long usernames in the failed attacks section
September 19, 2025

Tenant Report Redesign

The Tenant Report has been redesigned! Go check out the new Report Generator.
Tenant Report Redesign

Tenant Report Redesign

Tenant Report Configuration

Tenant Report Configuration

Tenant Report Configuration

  • High Value Accounts: tag accounts like CEO, CFO, billing manager to see greater detail on who is targeting them.
  • Hidden Accounts: hide accounts that you want to be excluded from the report, like your own admin account or testing accounts.
  • Hidden Incidents: hide incidents that you want to be excluded from the report, like those that you’ve already surfaced to the client.
  • Other Options: customize which sections are included in the report.
September 12, 2025

Automate Sending Monthly Tenant Reports

Now you can schedule sending security reports to your tenants and your organization at the end of every month.Directly to tenants: Go to a tenant’s page, click the gear icon on the top right, and add their emails in the “Tenant-Specific Monthly Reports” section. These emails will receive a tenant-specific security report at the end of every month.
Tenant-Specific Automated Security Reports

Tenant-Specific Automated Security Reports

To your organization: Go to settings and add internal emails in the “Automated Monthly Reports” section. These emails will receive a security report for every tenant at the end of every month.Note: These emails will receive security reports for all of your tenants. We recommend that you only add emails within your organization.
Automated Monthly Reports

Organization Automated Monthly Reports

September 5, 2025

Include User Licenses in Admin Panel and Excel Export

Now you can see what licenses each user has in the admin panel and when you export user lists to Excel. This is useful for right-sizing spend for your clients.
User Licenses

User Licenses

Edit Tenant Name

Now you can edit the name of a tenant.
Edit Tenant Name

Edit Tenant Name

August 29, 2025

Petra Automatically Enables Audit Logs

Now when you onboard a tenant, Petra automatically enables audit logs if they were not already enabled.We all know the pain of trying to enable audit logs in Purview—it lags by hours and often takes several attempts. Now onboarding in Petra is the last step in setting up monitoring.Like everything else in Petra, this is available regardless of Microsoft license level.

Improved Threat Remediation Report Timeline

We updated the summary timeline at the bottom of the Threat Remediation Report to focus on the most important events in the incident—especially how you stopped it.
Improved Threat Remediation Report Timeline

Improved Threat Remediation Report Timeline

August 22, 2025

SharePoint Malicious File Removal

Attackers often upload new files to SharePoint to use as a phishing lure.Petra commonly uncovers these files in baselining when latent attackers are discovered. Now you can remove them from SharePoint from within Petra without opening Microsoft.
SharePoint Malicious File Removal

SharePoint Malicious File Removal

August 15, 2025

Tenant Logs Excel Export

You can now export tenant logs to Excel. The export includes fully enriched metadata for Exchange, including email subjects, sender, recipients, and more.The export respects any filters you have applied in the viewer, so you can get, for example:
  • A specific user’s activity across logins, Exchange, SharePoint, Teams, etc.
  • All activity across a tenant for a specific time period.
  • All sent emails across a tenant for a specific time period.
Tenant Logs Excel Export

Export button opens the Excel export dialog

Tenant Logs Excel Export

Excel export modal

August 8, 2025

Halo PSA Integration

You can now link your Halo PSA account to Petra. Go to Settings > Integrations to link your Halo PSA account.Follow this guide to integrate with Halo PSA: Halo PSA Integration.
August 1, 2025

Phish Search & Retraction

Phish search and retraction now catches replies and forwards. It’s surprisingly common for the recipient of a phish to forward it to coworkers. Now Petra finds all of those replies and forwards so we can retract those too.
Phish Search & Retraction

Asha, the initial recipient, forwarded the phish to Holly.

Excel Export for Usage by Tenant

The usage page in settings now includes an option to export usage data by tenant to Excel.
Excel Export for Usage by Tenant

Excel Export for Usage by Tenant

Beta of API Endpoint for Tenant Usage

We launched a beta of an API endpoint for tenant usage. Contact us if you want to try it. Read more about it in the API documentation.
July 25, 2025

Email Search and Removal

The admin panel now includes the ability to search for emails by subject, sender, and recipient, as well as the option to remove emails.
Emails Admin

Find and Remove Emails

Sensitive Tenants

Sensitive Tenants are tenants that only admins have access to within Petra. This is useful for safeguarding access to certain tenants, such as the MSP’s own tenant.
Sensitive Tenants

Sensitive Tenants

July 18, 2025

Better Phish Deletion

Phish Deletion Options

Phish Deletion

Phish deletion now includes both soft delete and hard delete.
  • Soft delete moves the email to the recoverable folder within deleted items (which users are much less likely to find than just the deleted folder).
  • Hard delete deletes the email from the mailbox.
We aim for the remediation actions taken by Petra Response to be 1) effective and 2) reversible, so we will soft delete and leave the hard delete as an option for your analyst when they review the incident. If it turns out we were wrong, your analyst would instead click “Recover” to move the emails back to the inbox.

Delegated Activity in the Activity Viewer

Delegated Activity

Delegated Activity

Now when one user acts on behalf of another, the activity viewer will display both the actor and the delegated mailbox.This is critical for understanding compromises involving delegated mailboxes and administrators who have permission to act on behalf of other users.
July 11, 2025
  • Deep Links: Now if you open a link to a specific page (e.g. an incident link in a ticket), you’ll be taken to that same page after you sign in.
  • Streamlined Sign In: We removed the organization selection step during sign in, reducing sign-in flow by 1 click in 99% of cases.

Incident Forensics Countdown

Microsoft logs are often delayed by a few minutes, which could cause the forensics in the Threat Remediation Report to change in the minutes after the incident.You can now see an estimated time for all of the forensics to be published by Microsoft and included in the Threat Remediation Report.
Incident Forensics Countdown

Incident Forensics Countdown

July 4, 2025

Improvements to Self-serve Tenant Management

Self-serve Tenant Management

Self-serve Tenant Management

You can now remove tenants at any time without talking to anyone.Go to Settings > Usage to manage your tenants.
June 27, 2025

Similar Phish Retraction

Similar Phish Retraction

Stop others from falling for the same phish

Now you can quickly see who else received a similar phish and remove it from their inbox.This stops other employees from falling for the same phish.Highlights:
  • The ‘Current Folder’ column updates in realtime as you or the employee moves the email.
  • The ‘Interactions’ column opens the Email Interactions Panel which displays all read/moved/deleted/etc. interactions with the email.
June 20, 2025

Edit Analyst Note for Reports

Edit Analyst Note for Reports

Edit Analyst Note for Reports

This week’s release gives you the ability to edit the analyst note that appears in the Threat Remediation Report PDF.We also added formatting to the notes to accommodate timelines, highlighting critical info, etc.
June 13, 2025

Added DKIM & Mailbox Permissions to Remediation Actions Panel

Added DKIM & Mailbox Permissions to Remediation Actions Panel

DKIM & Mailbox Permissions

The Remediation Actions panel now includes attacker activity in DKIM configuration and mailbox permissions.This is important for understanding what the attacker did and how to undo it.
June 6, 2025

White-label Portal & PDF Reports

White-label Portal & PDF Reports

White-label Portal & PDF Reports

You now have the ability to use your own branding in the Petra portal and reports.Now your logo is used in the nav bar and every report, which gives your external guests a consistent experience with your brand.
May 30, 2025

Petra Autopsy: Incident Response for BECs

Active vs Autopsy panel

Petra Autopsy analyzes the 6 months prior to onboarding

Introducing Petra Autopsy.We now have the capability to do find and compile forensics for compromises up to 6 months before onboarding.Now when a prospect or client needs incident response for a BEC, you can offer them a full forensic incident report and Excel export delivered within 24 hours.
May 23, 2025

Improved White-label Threat Remediation Report

Improved White-label Threat Remediation Report

Improved White-label Threat Remediation Report

We redesigned the PDF export.Highlights:
  1. New executive summary for quick read-through.
  2. Attack duration and impact (crowd favorites in the portal) are now in the PDF.
  3. More compact timeline of events table on the second page.
May 16, 2025

Tenant-specific Access

Tenant-specific access

Tenant-specific access

You can now invite members to a subset of your tenants in Petra.This is helpful for two use-cases:
  1. Giving access to a client who needs to see the portal themselves.
  2. Least-privilege access to a subset of tenants for an AE or technical team member.
May 12, 2025

Revamped Attack Timeline

Revamped Attack Timeline

Attack Timeline

The new attack timeline shows all of the attacker’s activity over the course of an account compromise: from the initial phish -> successful logins -> sharepoint/exchange activity.Then, we can see Petra flagging that attacker’s activity, killing current sessions, and locking the account.Afterwards, we often see failed logins as the attacker bangs on the door.The new attack timeline sits at the bottom of the incident view, just beneath the Attack Impact panel.
May 9, 2025

Attack Impact

Attack Impact in continuous monitoring

Attack Impact in continuous monitoring

Attack Impact in an incident response case.

Attack Impact in an incident response case

What files/emails did the attacker touch?Usually, defenders have to dig through logs and powershell scripts to find the answer.Instead, we make it easy to see what an attacker did with Attack Impact.You can see exactly which emails and files the attacker read, modified, sent, or deleted.This is particularly helpful for identifying things like:
  1. What emails did the attacker send? To whom? (Likely to laterally phish).
  2. What files did the attacker modify?
  3. What did the attacker delete?
Just as importantly, Attack Impact helps you identify what the attacker did NOT read or interact with. For GDPR and HIPAA clients with disclosure requirements, this is a huge time and money saver.
May 2, 2025
Filter emails by subject

Filter emails by subject

Super fast tenant-wide search.This is useful for a variety of forensics tasks, like tracking down an email that a user vaguely remembers or getting to the root of an email thread.When you want all of the emails in a thread, use “contains” without case sensitivity to include the “Re:” and “Fwd:” messages. When you want the root, use “equals.”
April 25, 2025
Petra identifies emails similar to the known phish

Two emails are similar to the known phish

We see this all the time: after a successful phish, sometimes attackers will send similar emails to other users in the organization, hoping to phish them as well. If the first one worked, there’s a pretty high chance others will too.After a user has been phished, and the phishing email has been identified by Petra, Petra shows you similar emails to the phish email.In a future update, you’ll be able to one-click remove these emails from mailboxes in your tenant.

Email Interactions Panel

See who has interacted with an email

Asha received and opened the phish

Via the Email Interactions Panel, you can see who has read/forwarded/replied/etc. an email.This is helpful after a user has gotten phished to see who all is in the blast radius––i.e. who all has read/clicked/replied to the phish email.In a future update, you’ll be able to one-click remove all identified similar phishing emails from your environment.

Other updates this week:

  • Incident logs export: Export all logs from an incident as .xlsx
  • User list export: Export all users in a tenant as .xlsx
April 18, 2025

Company IP Detection

Company IP detection showing a shared IP address

104.8.38.161 is the Daly City office VPN

IP geolocation can be misleading. Just because a user logs in from a New York IP every day doesn’t mean they’re actually in New York — it could be the company’s shared tunnel or office VPN that everyone uses.Petra now tells you when a login is coming from a shared company IP. Our detection engine already uses this signal to cut down on false impossible travel alerts, and now we’re surfacing it in the portal so you have that context when investigating.

Logging Received Emails

‘Email Received’ events are now processed in addition to the traditional operations logged in the Unified Audit Log. Now, you can see who has received an email before they interact with it at all.
April 11, 2025

Disable Inbox Rules & App Registrations

Remediate inbox rules and app registrations

Remediate inbox rules and app registrations

You can now 1-click disable inbox rules and app registrations that the attacker added when they had access. You’ll also see audit logs that record when each action was taken, and by whom.The portal constantly syncs with the state from Microsoft, so if for some reason something was disabled or deleted directly in Microsoft, that would be reflected here too.
April 3, 2025

Filter Auth Methods and Devices by username

  • Search and filter authentication methods and devices by specific usernames for targeted investigations.
  • Username is auto-populated to the compromised account during an incident.

Export spotlighted investigations as PDF

  • Download complete records of spotlight investigations as PDF files for documentation and sharing.
  • Reports are company-branded for professional presentation.
March 27, 2025

Phish Identification

  • Petra identifies the email that is most likely the phish that led to the user’s compromise.
  • Phish appears in attack timeline with forensic details showing when the user clicked on the phish and if the user deleted it thereafter.
  • Identify if the attacker deleted the phish to cover their tracks.

Autotask Integration

  • Generate tickets in an Autotask queue when there’s an incident.

Redesign tenant report

  • White-labeled tenant report includes an executive summary on the first page.

Include inbox rule content in Attack Timeline

  • See the contents of the inbox rules including their title, conditions, exceptions, and actions.
March 20, 2025

Added Acme Corp demo tenant to the portal

  • Demo tenant now available in your portal for product exploration.
  • Use this tenant to demonstrate the value of M365 monitoring to prospects.

Data Center tagging in activity viewer

  • IP addresses belonging to data centers are tagged in the logs viewer.
  • Easily identify traffic originating from cloud providers and hosting services.

Login stats sidebar

  • View login frequency across various cities over time.
  • Identify unusual login location patterns at a glance.

Multi-select filters on logs

  • Add filters that match multiple values (e.g., country not equals US or Canada).
  • Create complex queries to narrow down specific activity patterns.

Slack webhook integration

  • Send incident notifications to Slack channels through webhooks.

Mail to UPN auto-resolution

  • Searching by email address or UPN includes logs for both automatically.
March 13, 2025

Make the entire app mobile-friendly

  • All Petra interfaces now fully support mobile devices.
  • Control Microsoft from anywhere, even when away from your desk.

Add filters to rare activity

  • Filter rare activity events by type.

User page

  • View user details with complete metadata, authentication methods, and logs.
March 6, 2025

P1/P2 risk events

  • If your tenant has P1/P2 risk events, you can see them in the portal.
  • Investigate the activity in the context of surrounding logs.

Spotlighted investigations

  • Review investigations into suspicious but ultimately benign behavior.
  • Highlight this investigations to show the value of M365 monitoring.

Report Generator

  • Generate comprehensive reports of tenant activity.
February 27, 2025

Apply filters to log exports

  • Export logs with the same filters applied in the viewer.

Add rare activity to tenant report

  • Rare activity events now included in tenant reports.
February 20, 2025

New failed attack types: password spray and known malicious IP

  • Detection for password spray attacks against your tenant.
  • Identification of connection attempts from known malicious IP addresses.
  • Better visibility into failed attack attempts targeting your organization.
February 13, 2025

Apps, devices, auth methods, directory roles tables

  • Track application usage, device access, authentication methods, and role assignments.
  • Useful for tracking activity around an attack.
February 6, 2025

Filter by not equals

  • Create exclusion filters (e.g., country not US, ISP not Comcast).
  • Focus on activity from unexpected or non-standard sources.

Autocomplete some filters

  • Autocomplete for username, UPN, browser, OS, etc. filters as you type.
  • Faster filter creation with suggested values from your tenant data.
January 30, 2025

Share filter bar across all log sources

  • Filters in activity viewer apply across all tables (logins, Exchange, SharePoint, Teams).
  • Maintain consistent filtering criteria when switching between different log types.

Remediation readiness panel

  • At-a-glance view of how you’ll be notified of incidents.
  • Verify your notification channels are correctly configured.

API for SIEM integration

  • API for pulling incidents using a cursor, designed for SIEM integration.
  • Incorporate Petra incident data into your existing security workflows.
January 23, 2025

Users export

  • Export all users in a tenant to spreadsheet format.
  • Analyze user data outside of the Petra platform.

Failed attacks

  • View targeting patterns and attack toolkits used against your organization.
  • Identify which users are being targeted, typically executives.
  • Use this data as a sales artifact to demonstrate M365 monitoring value.
January 16, 2025

Remediation controls

  • Lock down compromised accounts with a single click.
  • For hybrid tenants, Petra renews the lock repeatedly to prevent on-prem sync from unlocking the account.

Teams integration

  • Send incident notifications to Microsoft Teams channels.
  • Keep your security team informed through their existing communication platforms.
January 9, 2025

Third party app names

  • Track third-party apps that users sign into within the activity viewer.
  • See friendly application names instead of just application IDs.

ConnectWise integration

  • Automatically generate tickets in ConnectWise when incidents occur.
  • Streamline incident response through your established ticketing system.
January 2, 2025
  • Scan for attackers already present in the tenant before monitoring began.
  • Identify and remediate existing compromises during the onboarding process.
  • Get immediate security value from day one of Petra implementation.
2024 Archive

An Eventful Year

  • Launched initial activity viewer with login logs
  • Added Exchange Online activity tracking
  • Added SharePoint and OneDrive activity tracking
  • Added Teams activity tracking
  • Added email notifications for incidents
  • Added webhook notifications for incidents
  • Built investigation tools to analyze raw logs with very low latency
  • Added custom geolocation data enrichment to correct Microsoft’s often incorrect IP geolocation
  • Added tenant-wide activity search
  • Built role-based access control for members in the portal
  • Built PDF export reporting capabilities
I