
Petra Security: Reporting, Threat Hunting, Investigation tip and Final Thoughts

  • Jul 17
  • 5 min read

Updated: Jul 21


In the final part of this Petra Security overview, let’s dive into one of my favorite tabs: Reporting — and then explore how you can conduct effective threat hunting using Petra’s Activity and Users views. Let’s go.

📊 Reporting: The Power of Organized Insights

The Reporting tab in Petra is divided into focused views — so you can break down incidents, trends, and anomalies without hunting through messy dashboards.

At the top left, you have the option to generate downloadable PDF reports, which are super helpful for SOC leads, management, and even clients during monthly security reviews.


🚫 Failed Attacks: Know What Was Blocked

The first tab shows you Failed Attacks. This is exactly what it sounds like — reporting on all login attempts and activity Petra stopped before they could do any damage.

And that’s important.

You not only get to investigate what happened, but also what could’ve happened — and how Petra stopped it. This allows security teams to:


  • Identify patterns

  • Prepare for future attacks

  • Patch weak spots in identity hygiene


As I always say — don’t take security lightly. It’s not just about reacting; it’s about getting ahead of attackers.



🧠 Uncommon Activity: ML-Powered, Analyst-Friendly (screenshot: false positives Petra closed that looked like a compromise but were not)

Now, let’s talk about the real MVP of the Reporting tab — Uncommon Activity.


This is where Petra’s machine learning truly shines. From a SOC perspective, this is a huge deal.


For example:

  • Impossible travel detections

  • New device sign-ins

  • Sudden location changes

  • Proxy/VPN logins


Petra filters out the noise and only flags what actually matters.

You see, I’ve worked with many SOC L1/L2 teams. I know firsthand how many false positive impossible travel alerts they close daily. Petra solves that — it’s automated, reliable, and doesn’t require babysitting. And that brings massive cost-efficiency to a company.
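To make the impossible-travel category concrete, here is an added example (not Petra’s code) of the naive check that most SIEM rules implement: sort each user’s sign-ins by time, compute the great-circle distance between consecutive locations, and flag any pair whose implied speed is faster than an airliner. The sign-ins, coordinates and the is_vpn_egress flag are constructed for this example; the flag stands in for whatever proxy/VPN enrichment a real pipeline has. The bob case shows the classic false positive the paragraph above describes: a corporate VPN egress in another country trips the rule just like a real compromise does, which is exactly the noise an L1 analyst ends up closing by hand.

```python
"""Naive impossible-travel check over sign-in events (added example, not Petra's code).

SAMPLE_SIGNINS is constructed; the is_vpn_egress flag is an assumption of this example
and stands in for real proxy/VPN enrichment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; the threshold is this example's assumption
MIN_DISTANCE_KM = 100.0     # geolocation jitter inside one metro area is not "travel"


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    city: str
    lat: float
    lon: float
    is_vpn_egress: bool = False


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[SignIn]) -> list[dict]:
    """Flag consecutive sign-ins per user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append({
                    "user": user,
                    "from": f"{prev.city} ({prev.ip})",
                    "to": f"{cur.city} ({cur.ip})",
                    "km": round(dist),
                    "kmh": round(speed),
                    # The naive rule fires here regardless; a VPN egress is the usual false positive.
                    "vpn_context": prev.is_vpn_egress or cur.is_vpn_egress,
                })
    return findings


def _t(hh: int, mm: int) -> datetime:
    return datetime(2025, 7, 17, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alice cannot be in New York and London 30 minutes apart;
# bob's "Frankfurt" sign-in is a corporate VPN egress, the classic false positive.
SAMPLE_SIGNINS = [
    SignIn("alice@contoso.example", _t(9, 0), "203.0.113.10", "New York", 40.7128, -74.0060),
    SignIn("alice@contoso.example", _t(9, 30), "198.51.100.7", "London", 51.5074, -0.1278),
    SignIn("alice@contoso.example", _t(14, 30), "198.51.100.9", "Paris", 48.8566, 2.3522),
    SignIn("bob@contoso.example", _t(8, 0), "203.0.113.44", "Chicago", 41.8781, -87.6298),
    SignIn("bob@contoso.example", _t(8, 10), "192.0.2.200", "Frankfurt", 50.1109, 8.6821, is_vpn_egress=True),
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```

Running it yields two findings: alice (a genuine one) and bob (flagged with vpn_context set). A rule like this is only the starting point; the tuning work the post says Petra removes is everything you would bolt on afterwards, such as per-user baselines of normal egress points and an understanding of which ranges belong to a VPN provider.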


False positive example (screenshot).



🚨 Microsoft P1/P2 Risk Tab — But Without the Noise (screenshot: all the false positives Petra closed)

We all know Microsoft’s P1 and P2 license features — especially risky user and risky login alerts.

But let’s be honest: they generate a lot of false positives.

Petra provides the same — and better — but with machine learning that actually works.

No whitelist needed. No tuning rules for VPNs. It just understands behavior and adapts.

-------------------------------------------------------------------------------------------------------------

🔍 Threat Hunting with Petra: Two Ways to Investigate

Let’s say you want to investigate a specific user — maybe you’re wondering:

  • Did they download any sensitive files?

  • When did that happen?

  • What IP did they use?


You have two ways to do this in Petra:

1. Activity View (which I covered in my second article)

This is the full organizational timeline — filter by the user’s email ID, add action filters (e.g. “File Downloaded”), and start hunting.


2. Users Tab (which I also covered in my second article)

In simple terms, this view is user-specific:

Click on a user and get:

  • Identity summary (job title, auth methods, etc.)

  • Activity timeline (login, file access, email events, etc.)


This per-user deep dive is smooth and intuitive — a dream for any SOC analyst doing incident recon.


-------------------------------------------------------------------------------------------------------------

Before wrapping up this overview, I want to share a few important investigation tips that Petra itself recommends — and after working through several incidents, I can confidently say these tips are spot on. There’s a lot more you have to focus on, but let’s keep this simple for now.


Whether you're responding to a live compromise or reviewing past activity, keeping these points in mind will make your investigation faster, sharper, and more effective.


✅ Focus on Sent and Created Events in Exchange

These are often your first clue that something malicious happened — especially:


  • Emails created or sent to external recipients

  • Attempts to phish trusted third parties

  • Potential data exfiltration events


Sent emails = intent. If an attacker created or sent a message, it usually means they’re trying to expand access or extract data.


🗑️ Watch for Soft Deleted and Hard Deleted Events

Attackers try to cover their tracks — and Petra captures that.


They might:

  • Delete their phishing emails

  • Remove inbox rules they created

  • Delete replies to hide communication threads


Petra preserves these events even if they’re deleted — a huge win for forensic integrity.



🔐 Investigate Permission Changes in SharePoint

If you see external sharing enabled or permission levels escalated — especially during or right after a compromise — that’s a red flag.


This often points to:

  • Unauthorized access grants

  • Sharing links sent outside the org

  • Attackers prepping data for download


Petra highlights this clearly, making SharePoint investigations way easier.



⚠️ Look for Malicious App Installs and Mail Filter Rules

These are some of the most common persistence mechanisms attackers use post-compromise.


Petra will:

  • Auto-highlight malicious app registrations

  • Show new inbox rules, like forwarding or redirect rules

  • Let you remove both instantly via the Remediation Actions Panel


This helps you not just detect the attacker — but kick them out and shut the door behind them.



📬 Answer the Big Questions

Most clients and security leads want to know two things:

  1. Did the attacker send anything externally?

  2. Was any sensitive data accessed?

With Petra, you can answer both questions confidently — using audit-backed evidence across Exchange, SharePoint, and Teams.
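The five tips above are one triage procedure, so here is a single added example (not Petra’s code) that runs it over exported Microsoft 365 unified audit log records: mail sent or created to recipients outside the tenant, soft/hard deletes, inbox rules that forward, redirect or delete, SharePoint sharing and permission changes, OAuth app consents, and file access as evidence for the second big question. The records in SAMPLE_RECORDS are constructed, INTERNAL_DOMAINS is an assumed tenant domain, and the flat Recipients, Folder and TargetUserOrGroupType fields are a simplified layout; a real export nests some of these differently, so adjust the accessors to your format.

```python
"""Triage of Microsoft 365 unified audit log records against the investigation tips above.
Added example, not Petra's code: SAMPLE_RECORDS is constructed and uses a simplified, assumed
layout (flat Recipients/Folder/TargetUserOrGroupType fields); real exports may nest them.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own mail domains

SEND_OPS = {"Send", "SendAs", "SendOnBehalf", "Create"}
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "ForwardingSmtpAddress"}
SHARING_OPS = {"SharingSet", "AnonymousLinkCreated", "SecureLinkCreated", "AddedToSecureLink",
               "PermissionLevelAdded", "PermissionLevelModified"}
ACCESS_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed"}
CONSENT_OPS = {"Consent to application.", "Add service principal.", "Add app role assignment grant to user."}


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def _params(record: dict) -> dict:
    """Flatten the cmdlet Parameters list of {"Name": .., "Value": ..} into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _finding(record: dict, severity: str, reason: str) -> dict:
    return {"time": record.get("CreationTime"), "user": record.get("UserId"), "ip": record.get("ClientIP"),
            "operation": record.get("Operation"), "severity": severity, "reason": reason}


def triage(records: list[dict]) -> list[dict]:
    """One finding per record that matches one of the investigation tips (or a file access)."""
    findings = []
    for r in records:
        op, wl, obj = r.get("Operation", ""), r.get("Workload", ""), r.get("ObjectId", "?")
        if wl == "Exchange" and op in SEND_OPS:
            ext = [a for a in r.get("Recipients", []) if _is_external(a)]
            if ext:  # mail sent or drafted to outside the tenant: exfiltration or phishing intent
                findings.append(_finding(r, "high", f"{op} to external recipient(s): {', '.join(ext)}"))
        elif wl == "Exchange" and op in DELETE_OPS:  # attacker cleaning up phish or replies
            findings.append(_finding(r, "medium", f"{op} from {r.get('Folder', '?')} (possible track covering)"))
        elif wl == "Exchange" and op in RULE_OPS:  # forwarding/redirect/delete rules are mailbox persistence
            hits = sorted(k for k in _params(r) if k in FORWARDING_PARAMS)
            if hits:
                findings.append(_finding(r, "high", f"{op} sets {', '.join(hits)}"))
        elif wl in {"SharePoint", "OneDrive"} and op in SHARING_OPS:  # external sharing / escalation
            risky = op == "AnonymousLinkCreated" or r.get("TargetUserOrGroupType") == "Guest"
            target = r.get("TargetUserOrGroupName", "anyone with the link")
            findings.append(_finding(r, "high" if risky else "medium", f"{op} on {obj} for {target}"))
        elif wl in {"SharePoint", "OneDrive"} and op in ACCESS_OPS:  # evidence for "was data accessed?"
            findings.append(_finding(r, "info", f"{op}: {obj}"))
        elif wl == "AzureActiveDirectory" and op in CONSENT_OPS:  # OAuth app persistence
            findings.append(_finding(r, "high", f"{op} for {obj} (app persistence)"))
    return findings


def answer_big_questions(findings: list[dict]) -> dict:
    """The two questions leads ask, answered from the findings."""
    return {
        "sent_externally": any(f["operation"] in SEND_OPS and f["severity"] == "high" for f in findings),
        "data_accessed": any(f["operation"] in ACCESS_OPS for f in findings),
    }


# Constructed records for one compromised mailbox; not real tenant data.
_U, _IP = "alice@contoso.example", "198.51.100.7"
SAMPLE_RECORDS = [
    {"CreationTime": "2025-07-17T09:41:02", "Workload": "Exchange", "Operation": "Send", "UserId": _U,
     "ClientIP": _IP, "Recipients": ["cfo@partner.example"]},
    {"CreationTime": "2025-07-17T09:42:10", "Workload": "Exchange", "Operation": "Create", "UserId": _U,
     "ClientIP": _IP, "Recipients": ["bob@contoso.example"]},
    {"CreationTime": "2025-07-17T09:43:55", "Workload": "Exchange", "Operation": "HardDelete", "UserId": _U,
     "ClientIP": _IP, "Folder": "\\Sent Items"},
    {"CreationTime": "2025-07-17T09:45:30", "Workload": "Exchange", "Operation": "New-InboxRule", "UserId": _U,
     "ClientIP": _IP, "Parameters": [{"Name": "Name", "Value": "."},
                                     {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                                     {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-07-17T09:50:12", "Workload": "SharePoint", "Operation": "AnonymousLinkCreated",
     "UserId": _U, "ClientIP": _IP, "ObjectId": "https://contoso.example/sites/finance/Q2-forecast.xlsx"},
    {"CreationTime": "2025-07-17T09:51:00", "Workload": "SharePoint", "Operation": "PermissionLevelAdded",
     "UserId": _U, "ClientIP": _IP, "ObjectId": "https://contoso.example/sites/finance",
     "TargetUserOrGroupName": "bob@contoso.example", "TargetUserOrGroupType": "Member"},
    {"CreationTime": "2025-07-17T09:55:41", "Workload": "AzureActiveDirectory", "Operation": "Consent to application.",
     "UserId": _U, "ClientIP": _IP, "ObjectId": "MailSync Helper (constructed app name)"},
    {"CreationTime": "2025-07-17T10:02:19", "Workload": "SharePoint", "Operation": "FileDownloaded", "UserId": _U,
     "ClientIP": _IP, "ObjectId": "https://contoso.example/sites/finance/Q2-forecast.xlsx"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS)
    for f in results:
        print(f["time"], f["severity"].upper(), f["user"], f["ip"], f["reason"])
    print(answer_big_questions(results))
```

The internal-only Create record produces no finding, which is the point of the first tip: it is the external recipient, not the act of creating mail, that signals intent. The severity labels are a starting point for an analyst’s queue rather than a verdict; a PermissionLevelAdded for a member is routine on its own and only becomes interesting next to the anonymous link and the forwarding rule minutes earlier, which is why the output keeps timestamps and the client IP on every row.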

-------------------------------------------------------------------------------------------------------------

Final Thoughts: My Honest Take on Petra Security

Let me be clear — this tool isn’t trying to be everything. It doesn’t cover Defender for Endpoint or vendor telemetry.

It focuses on identity.

And what it does for Entra ID logs, Exchange, SharePoint, and Teams — it does better than anything else I’ve seen. In fact, I honestly believe it’s a solid replacement for Microsoft Entra P2 — except, unlike Microsoft's built-in tools, Petra actually works.


“Petra stopped 10 attacks with 0 false alarms. No whitelists needed — even with VPN usage. If you manage Microsoft environments, you should be using Petra.”

Co-founder of one of the best security companies out there

That’s not marketing hype — that’s real-world validation.

I know this tool is paid — but what you get in return? Unmatched insight. Reduced analyst workload. Peace of mind.


-------------------------------------------------------------------------------------------------------------

🤝 Want to Learn More or Connect?

I’m not here to tell you to buy or not buy this tool. I’m here to say: Petra deserves your attention.

If you’re serious about identity security in Microsoft 365 — and want real visibility, real-time ML, and actual investigation power — Petra is worth your time.


And hey, if you want to get in touch with Petra Security, a firm that gives you security, feel free to reach out to me. I’d be happy to connect you with the right people.

-------------------------------------------------------------------------------------------------------------

Upcoming Article: Who’s Using a Proxy or VPN in Your M365 Environment — and Why It Matters
