Petra Security's "Incidents" Tab — A Game-Changer for M365 Breach Investigations
- Jul 16
Updated: Jul 17

-------------------------------------------------------------------------------------------------------------
If there’s one tab in Petra Security that I keep going back to, it’s the Incidents tab.

This is where all the action happens.
Whether it’s a suspected business email compromise (BEC) or credential abuse, Petra gives you a full incident timeline, with zero fluff and maximum clarity.
------------------------------------------------------------------------------------------------------------
🕵️‍♂️ It Doesn’t Just Show the Breach — It Reconstructs It
Let me walk you through what I love about it.

When you open an incident:
You see what the attacker accessed — including emails read, emails deleted, files touched, and actions taken.

It confirms the length of attacker access — for example: “Attacker had access for 8 minutes”. This level of precision is rare in M365 investigations.
And it tells you how long Microsoft’s logging delay was — “Microsoft logs were delayed by 4 minutes”. That context is gold when you’re trying to piece things together quickly.
📧 Real Example: 327 Emails Read
In one incident view, Petra showed the attacker read 327 emails.

You can literally see:
Which emails were opened
Whether the attacker sent emails
Whether they modified or deleted anything
Everything is timestamped. No guesswork. No stitching logs from multiple sources.
------------------------------------------------------------------------------------------------------
📅 A Timeline That Actually Tells a Story
Now this is what really makes Petra stand out — the timeline view.
It doesn’t just dump logs. It tells the story of the incident:
Phishing email received
Login attempt (failed or successful)
File downloaded
Inbox rule created
User disabled
Account locked by Petra
Attacker session terminated
1. The first screenshot shows the start of the activity, from phishing.

2. The second screenshot is the last page, where Petra has locked the account, killed the session, and disabled the user.

All of this is visually aligned, so you can follow the breach minute-by-minute — including automated remediation actions Petra took in real-time.
It makes investigation fast, visual, and accurate.
🌐 Deep Dive Into Logins: Who, Where, How
Let’s say you want to dig deeper into the login behavior of the above scenario.
Just click the Login tab inside the incident. You’ll see:

Previous login IP
Known user location
Device and browser used (user agent)
And then the attacker’s new IP, location, and device
So if someone logs in from the USA at 9 AM, and then suddenly another login shows up from Brazil five minutes later using a different ISP and browser — it’s immediately obvious.
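The comparison described above (previous login versus the new IP, location and device), as an added Python example; it is not Petra's detection logic or code from the original post. The sign-in records, field names and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real tenant data); field names are assumptions.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-01-15T09:00:00", "ip": "198.51.100.10",
     "country": "US", "isp": "ISP-A", "user_agent": "Edge/Windows"},
    {"user": "alice@example.com", "time": "2024-01-15T09:05:00", "ip": "203.0.113.77",
     "country": "BR", "isp": "ISP-B", "user_agent": "Firefox/Linux"},
    {"user": "alice@example.com", "time": "2024-01-15T09:07:00", "ip": "203.0.113.77",
     "country": "BR", "isp": "ISP-B", "user_agent": "Firefox/Linux"},
    {"user": "bob@example.com", "time": "2024-01-15T08:00:00", "ip": "198.51.100.20",
     "country": "US", "isp": "ISP-A", "user_agent": "Chrome/macOS"},
    {"user": "bob@example.com", "time": "2024-01-15T22:00:00", "ip": "192.0.2.44",
     "country": "DE", "isp": "ISP-C", "user_agent": "Chrome/macOS"},
]

COMPARED = ("country", "isp", "user_agent")

def flag_suspicious_signins(signins, window=timedelta(minutes=30)):
    """Flag sign-ins whose country differs from the user's last trusted
    sign-in within `window`, and list every compared field that changed."""
    baseline = {}   # user -> last sign-in that was not flagged
    findings = []
    for ev in sorted(signins, key=lambda e: datetime.fromisoformat(e["time"])):
        prev = baseline.get(ev["user"])
        if prev is not None:
            gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            changed = [f for f in COMPARED if ev[f] != prev[f]]
            if "country" in changed and gap <= window:
                findings.append({
                    "user": ev["user"], "time": ev["time"],
                    "previous_ip": prev["ip"], "new_ip": ev["ip"],
                    "gap_minutes": int(gap.total_seconds() // 60),
                    "changed": changed,
                })
                continue  # a flagged sign-in must not become the new baseline
        baseline[ev["user"]] = ev
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious_signins(SIGNINS):
        print(finding)
```

Keeping the last unflagged sign-in as the baseline means follow-up sign-ins from the same new location are still compared against the user's known-good login, while a country change many hours later (the second user) is treated as ordinary travel.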
📨 Attachment Received & Opened — Email Evidence Tells All
Want to confirm whether a user received a phishing email and clicked it?

Petra’s Exchange tab within the incident confirms:
Whether the attachment was received (in this case, yes; see the screenshot above)
Whether it was opened (in this case, yes: Accessed attachments/Read)
And what happened immediately afterward, like malicious app installs or SharePoint access (in this case, no)
This is huge when you need to prove the chain of attack or answer the client’s question: “How did this even start?”
------------------------------------------------------------------------------------------------------
⚙️ Remediation Actions — Right at Your Fingertips
But wait — Petra doesn’t just show you the damage.
It lets you take real-time action directly from the incident panel:

✅ Lock the account
🚫 Kill active sessions
🔐 Reset the password
This isn’t just monitoring — it’s investigation + response, in one place.
No need to jump into Azure, Security Center, or PowerShell. One click and done.
------------------------------------------------------------------------------------------------------------
Thoughts
This incident panel is the reason I keep telling people: Petra is different.
Everything you need is in one place — presented clearly, contextually, and without a bunch of unnecessary clicks or tabs. The UI is clean. The data is actionable. And the fact that Petra tracks and highlights exact attacker actions? That’s a game-changer.
Honestly, I just hope no big company comes in and acquires this as well! We’ve seen how that story goes — the innovation gets buried. But for now, Petra is still crushing it, and I’m here for it.
--------------------------------------------------------------------------------------------------------
Upcoming Article: Petra Security: Reporting, Threat Hunting, Investigation tip and Final Thoughts



