Your clients and your employees probably see red flags from activity originating outside the US. While this isn’t always the case, it can make valuable collateral for clients and stakeholders. Petra makes it easy to investigate activity coming from outside the US.
You can also access these features in our demo tenant, Acme Corp.
The Reporting tab offers a streamlined view of non-US activity:
Navigate to the Reporting tab in the top navigation bar
Look for the Uncommon Activity section
Click on New country outside the US to filter the results
Each listed user is clickable for deeper investigation
When you click on a specific user entry, you’ll see:
The complete user profile
Specific log entries associated with their non-US login
Detailed information about the activity location
This activity-specific view includes the user information up top, then the specific relevant logs
highlighted in yellow. The logs viewer beneath is fully functional so that you can apply
additional filters and further investigate.
Logs viewers can be found all over Petra. Any one of them will allow you to search for activity coming from outside the United States.
Navigate to the tenant page (via the top left corner navigation)
Scroll down to the Activity section
Use the filter option to select not in: United States
Initially, you’ll likely see numerous failed attacks from outside the US. Low-sophistication
attackers often use obviously malicious IPs that are easily blocked by Microsoft. More
sophisticated attackers typically use IP rotation techniques.
To focus on actual user behavior rather than blocked attacks:
Apply an additional filter for successful logins only
Review the list of legitimate users accessing from non-US locations
Select a specific user to investigate their pattern of activity
You can further refine your investigation by:
Filtering for specific applications (Exchange, SharePoint, Teams)
Examining the timing and frequency of access
Checking for consistent patterns that may indicate legitimate travel versus suspicious activity
The logs view preserves the username of the user you’re investigating as you add more filters and
switch between Logins, Exchange activity, SharePoint activity, and more.
The Activity viewer, showing Exchange activity from outside the US.