What did the attacker access?
Learn how to quickly identify all actions taken by an attacker within an account after a compromise.
Investigating compromised items
After stopping an account compromise and kicking out the attacker, the first question is often: “what did the attacker access?”. Petra answers this question thoroughly and automatically. Here’s how.
Reviewing Attacker Activity in the Incident Timeline
On the Incident page, Petra provides detailed insights into an attacker’s activities in the Timeline.
- Navigate to the relevant incident by selecting it from the Incidents page.
- The Timeline summary shows categories of accessed events such as Logins, Exchange, SharePoint, and Teams.
- Switch between Summary and Full View:
  - Summary: Offers an overview of the event categories accessed.
  - Full View: Details each action step by step, including login attempts, accessed files, and emails.
Actions explicitly performed by the attacker are automatically highlighted in red. This highlighting still works when the attacker pivots to new infrastructure.
The Incidents page, here for a single tenant.
The Incident page (Remediation Actions Panel hidden)
The Timeline (in 'Full' view).
Example Timeline View
Investigating Specific Logs
Detailed log information is accessible directly below the timeline in the Activity viewer. All M365 activity, including Exchange, SharePoint, Teams, and more, is captured and displayed here.
- Logs detail precise indicators of compromise (IOCs) such as IP addresses, ASNs, and geographic locations.
- If a log matches the IOCs of the attacker, it is automatically highlighted in red.
Exporting Incident Data
You can export detailed attacker activity data to share externally:
Export as PDF
- Located at the top of the incident page.
- Includes comprehensive incident data:
  - Threat details
  - Identity information
  - Timeline of attacker actions
  - Specific files and emails accessed
Export as Excel
- Click the Export button in the top right corner of the Activity viewer (the Activity viewer sits at the bottom of the Incident page).
- Provides in-depth forensic data, ideal for detailed incident response and investigation.
- Captures exhaustive event logs, login attempts, file interactions, inbox activities, and more.
The 'Overview' tab of the Excel export.
The 'Logins' tab of the Excel export.
Additional Checks
Petra also provides dedicated panels to quickly check for critical unauthorized modifications:
- Devices Added
- Permissions Added
- App Registrations Added
These panels rapidly highlight unauthorized changes in red. If no such actions occurred, the panels remain clear.
If unauthorized devices, permissions, or app registrations are found, remove them immediately. They are automatically tagged in the Remediation Actions Panel at the top of the Incident page, where you can remove them with one click.
The Activity viewer, with a malicious app registration tagged.
The Remediation Actions Panel, with a malicious app registration tagged (already removed).
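The IOC matching described under Investigating Specific Logs and the three Additional Checks panels, as an added Python example that is not Petra's code: it runs over a few constructed unified audit log records, flags events whose IP or ASN matches the attacker's IOCs (so a pivot to a new IP inside the same network is still caught), and surfaces any device, role or app-registration additions. The attacker IOCs, the records and the ASN enrichment column are constructed; the mapping of operation names onto the three panels is an assumption.

```python
from collections import Counter

# Constructed attacker IOCs: a documentation-range IP and a private-use ASN, not real indicators.
ATTACKER_IOCS = {"ips": {"203.0.113.7"}, "asns": {64496}}
# Operation names follow the M365 unified audit log as best I know them; mapping
# them onto the page's three panels is an assumption of this example.
PERSISTENCE_OPS = {
    "Add device.": "Devices Added",
    "Add member to role.": "Permissions Added",
    "Add application.": "App Registrations Added",
    "Add service principal.": "App Registrations Added",
}
# Constructed sample records. "ASN" is an enrichment column added here; the raw
# audit log carries only ClientIP.
LOGS = [
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.7", "ASN": 64496, "ObjectId": "alice@example.com"},
    {"Operation": "MailItemsAccessed", "Workload": "Exchange",
     "ClientIP": "203.0.113.7", "ASN": 64496, "ObjectId": "Inbox/Invoices"},
    # Attacker pivoted to a new IP but stayed within the same ASN.
    {"Operation": "FileAccessed", "Workload": "SharePoint",
     "ClientIP": "198.51.100.9", "ASN": 64496, "ObjectId": "Finance/Q3.xlsx"},
    # Legitimate user activity from an unrelated network.
    {"Operation": "FileAccessed", "Workload": "SharePoint",
     "ClientIP": "192.0.2.10", "ASN": 64500, "ObjectId": "HR/handbook.docx"},
    {"Operation": "Add application.", "Workload": "AzureActiveDirectory",
     "ClientIP": "198.51.100.9", "ASN": 64496, "ObjectId": "Mail Sync Helper"},
]

def is_attacker(event, iocs=ATTACKER_IOCS):
    """True when the event's IP or ASN matches an attacker IOC (survives an IP pivot)."""
    return event["ClientIP"] in iocs["ips"] or event["ASN"] in iocs["asns"]

def triage(logs, iocs=ATTACKER_IOCS):
    """Return attacker events, a per-workload summary, accessed items and persistence findings."""
    attacker = [e for e in logs if is_attacker(e, iocs)]
    summary = Counter(e["Workload"] for e in attacker)
    accessed = [e["ObjectId"] for e in attacker
                if e["Operation"] in ("FileAccessed", "MailItemsAccessed")]
    persistence = {panel: [] for panel in PERSISTENCE_OPS.values()}
    for e in attacker:
        if e["Operation"] in PERSISTENCE_OPS:
            persistence[PERSISTENCE_OPS[e["Operation"]]].append(e["ObjectId"])
    return attacker, summary, accessed, persistence

if __name__ == "__main__":
    attacker, summary, accessed, persistence = triage(LOGS)
    print(f"{len(attacker)} attacker events; by workload: {dict(summary)}; accessed: {accessed}")
    for panel, items in persistence.items():
        print(f"{panel}: {items or 'clear'}")
```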