
Petra Security: The UI, the Logs, and Why I Genuinely Prefer It Over Microsoft Sentinel

  • 23 hours ago
  • 5 min read

Updated: 31 minutes ago


Let me start with a personal opinion:

I really like Petra Security’s user interface. No offense to Microsoft Sentinel, but Petra’s UI feels modern, intuitive, and built for real-world investigation. With Microsoft, things are powerful — no doubt — but often buried in layers of menus and dashboards.

Petra, on the other hand? Everything is just… right there.

And that makes a big difference when you're knee-deep in incident response or hunting through user activity.


------------------------------------------------------------------------------------------------------------


🔍 Not a Full Microsoft 365 Monitor — But the Best for What Matters Most

Petra doesn’t aim to replace Microsoft Defender, Sentinel, or all your SIEM tools. It's not trying to be everything.

But what it does focus on — identity and account activity — it does exceptionally well.

Once the Petra app is approved by a Microsoft 365 admin (using OAuth), it starts collecting and analyzing the most critical logs in your environment:

  • Entra ID (formerly Azure AD)

  • Exchange Online

  • SharePoint

  • Microsoft Teams


Yes, logins are tracked — but they’re only about 2% of the story. The real value lies in everything else.


------------------------------------------------------------------------------------------------------------


🧑‍💼 User Intelligence: Before Logs Come In, Petra Knows the User

Before we even touch logs, Petra collects rich identity information for every user:

  • Full name and email

  • Job title

  • Whether the account is active or disabled

  • Last password change

  • Assigned Employee ID (if any)

  • Phone number (if present)

  • Authentication method: whether the user uses just a password, or also has MFA like Microsoft Authenticator


And this part is so underrated. In Microsoft, you have to dig into separate portals or click multiple layers deep to get all this info. In Petra, it's presented in one clean view — which is super helpful during investigations.

You can even quickly check which users don’t have MFA enabled — something every security team should monitor.

Because let’s be real: if users don’t have MFA set up, and your security team doesn’t catch it — it’s a problem.

------------------------------------------------------------------------------------------------------------


🧭 The “Activity” Tab — Petra’s Unified Log View

Petra doesn’t just give you logs. It gives you investigative context in a timeline. And it calls this the Activity panel.

You can see everything here:

  • Successful and failed login attempts

  • File accesses

  • Inbox actions

  • SharePoint interactions

  • Teams activity

Everything is filterable.

Let’s say you want to find all failed logins — easy. Just filter for Incorrect password and boom, it’s there.


Want to drill down on one user’s failed password attempts? Add that user’s email as a filter in the username column and you're done.


This isn’t just helpful — it’s fast. Investigators can zero in on anomalies within seconds.

------------------------------------------------------------------------------------------------------------


📧 Exchange Logs — The Gold Standard for Email Investigation

Here’s where Petra really won me over: the way it handles Exchange activity.


You can see:

  • Emails received, read, sent, and deleted

  • Actions performed by the user

  • Subject lines of the emails 😍 (yes, subject lines — very helpful in investigation)

  • Email rules created by the user

Got a suspicion about a phishing email that led to compromise? Go check the subject line and delivery time. Done.

Want to see if the attacker set up a malicious inbox rule? Filter for inbox rule creation — it’s that easy.


Petra even captures:

  • Transport rules

  • Mail sync events

  • External sharing

  • Delegate access

Everything — in one pane.

Filters (a few of the many available; the original post shows a screenshot of the filter list here).
No more switching between Microsoft 365 Security Center, Exchange Admin Center, and Sentinel. It’s all here. That’s what I love about Petra.

------------------------------------------------------------------------------------------------------------


When it comes to Microsoft 365 investigations, we often talk about logins and email activity — but there’s so much more beneath the surface. And honestly, SharePoint and OneDrive logs are where a lot of the real impact lives.


Think about it: attackers don’t just want to log in — they want to steal data. And where is that data?

👉 SharePoint and OneDrive.

That’s why I was genuinely impressed by how Petra Security handles these logs.


🧾 Every File Interaction Captured: SharePoint & OneDrive

Petra tracks everything a user does inside SharePoint and OneDrive:


  • ✅ File Accessed

  • ✏️ File Modified

  • 📥 File Downloaded

  • 🔁 File Synced


You might ask, “Why is this so important?”

Well, let me walk you through a real-world scenario — especially for those newer to incident response.


🧠 Scenario: The Silent Breach

An attacker gains access to an M365 account. There’s no suspicious email activity and no new inbox rules.


But in SharePoint:

  • They browse a folder named “Payment Docs”

  • Download Invoices_Q4_2025.xlsx

  • Sync an entire user directory to their machine

  • Access a document called passwords.txt


Now without Petra, this might go completely unnoticed — especially if you're only reviewing login logs.

But Petra stitches everything together. You can filter for downloads, file syncs, and modifications. You’ll see timestamps, file names, actions taken, and the user’s IP or device.

This is why SharePoint and OneDrive logs matter. Petra gives them the attention they deserve.
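The filtering described for the Activity tab, the Exchange view and this scenario, as an added example that is not part of the original post and not Petra’s code: a small Python triage script that runs the same kinds of filters (failed logins per user, inbox-rule creation, downloads, syncs and sensitive file paths) over constructed records. The records only borrow the field names and operation names of the Microsoft 365 unified audit log (CreationTime, Workload, Operation, UserId, ClientIP, ObjectId, ResultStatus; UserLoginFailed, New-InboxRule, FileDownloaded, FileSyncDownloadedFull); the sample users, IPs, file paths and the sensitive-keyword list are assumptions made for illustration.

```python
"""Added example: filtering Microsoft 365 audit records the way the post
describes the Activity tab, the Exchange view and the SharePoint scenario.

Every record below is constructed for this example. It only borrows the
field names and operation names of the unified audit log; nothing here
comes from a real tenant.
"""

FAILED_LOGIN_OPS = {"UserLoginFailed"}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
BULK_FILE_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
FILE_WORKLOADS = {"SharePoint", "OneDrive"}
# Assumed keyword list; tune it to what is sensitive in your own tenant.
SENSITIVE_KEYWORDS = ("payment", "invoice", "password")


def rec(time, workload, op, user, ip, obj="", status="Success"):
    """Build one constructed record using unified-audit-log field names."""
    return {"CreationTime": time, "Workload": workload, "Operation": op,
            "UserId": user, "ClientIP": ip, "ObjectId": obj,
            "ResultStatus": status}


SAMPLE_RECORDS = [
    # Entra ID sign-ins: two failures, then success, from the same address.
    rec("2025-11-03T08:02:11", "AzureActiveDirectory", "UserLoginFailed",
        "alice@example.com", "203.0.113.7", status="Failed"),
    rec("2025-11-03T08:02:40", "AzureActiveDirectory", "UserLoginFailed",
        "alice@example.com", "203.0.113.7", status="Failed"),
    rec("2025-11-03T08:03:05", "AzureActiveDirectory", "UserLoggedIn",
        "alice@example.com", "203.0.113.7"),
    rec("2025-11-03T08:10:00", "AzureActiveDirectory", "UserLoginFailed",
        "bob@example.com", "198.51.100.4", status="Failed"),
    # Exchange Online: an inbox rule created right after the login.
    rec("2025-11-03T08:05:30", "Exchange", "New-InboxRule",
        "alice@example.com", "203.0.113.7", "Move invoices to RSS Feeds"),
    rec("2025-11-03T09:00:00", "Exchange", "MailItemsAccessed",
        "bob@example.com", "198.51.100.9"),
    # SharePoint / OneDrive: the steps of the scenario above.
    rec("2025-11-03T08:07:12", "SharePoint", "FileAccessed",
        "alice@example.com", "203.0.113.7", "sites/Finance/Payment Docs/"),
    rec("2025-11-03T08:08:01", "SharePoint", "FileDownloaded",
        "alice@example.com", "203.0.113.7",
        "sites/Finance/Payment Docs/Invoices_Q4_2025.xlsx"),
    rec("2025-11-03T08:09:30", "OneDrive", "FileSyncDownloadedFull",
        "alice@example.com", "203.0.113.7", "personal/alice/Documents/"),
    rec("2025-11-03T08:11:45", "SharePoint", "FileAccessed",
        "alice@example.com", "203.0.113.7", "sites/IT/passwords.txt"),
    rec("2025-11-03T10:15:00", "SharePoint", "FileModified",
        "bob@example.com", "198.51.100.9", "sites/Marketing/Plan.docx"),
]


def filter_records(records, user=None, operations=None, workloads=None):
    """Column filters, like stacking filters in the Activity tab."""
    out = [r for r in records
           if (user is None or r["UserId"] == user)
           and (operations is None or r["Operation"] in operations)
           and (workloads is None or r["Workload"] in workloads)]
    return sorted(out, key=lambda r: r["CreationTime"])


def failed_logins(records, user=None):
    """The 'Incorrect password' view, optionally narrowed to one user."""
    return filter_records(records, user=user, operations=FAILED_LOGIN_OPS)


def inbox_rule_changes(records):
    """Inbox rules created or changed: a common post-compromise step."""
    return filter_records(records, operations=INBOX_RULE_OPS)


def sensitive_file_events(records, keywords=SENSITIVE_KEYWORDS):
    """SharePoint/OneDrive events worth a second look: any bulk download or
    full sync, or any event whose path contains a sensitive keyword."""
    hits = []
    for r in filter_records(records, workloads=FILE_WORKLOADS):
        path = r["ObjectId"].lower()
        if r["Operation"] in BULK_FILE_OPS or any(k in path for k in keywords):
            hits.append(r)
    return hits


def user_timeline(records, user):
    """One user's activity across all workloads, in time order."""
    return [(r["CreationTime"], r["Workload"], r["Operation"], r["ObjectId"])
            for r in filter_records(records, user=user)]


def triage(records):
    """Per-user counts of the signals the post says investigators filter for."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["UserId"], {"failed_logins": 0, "inbox_rules": 0,
                                              "file_alerts": 0, "ips": set()})
        s["ips"].add(r["ClientIP"])
        if r["Operation"] in FAILED_LOGIN_OPS:
            s["failed_logins"] += 1
        elif r["Operation"] in INBOX_RULE_OPS:
            s["inbox_rules"] += 1
    for r in sensitive_file_events(records):
        summary[r["UserId"]]["file_alerts"] += 1
    return summary


if __name__ == "__main__":
    for user, s in triage(SAMPLE_RECORDS).items():
        print(user, s)
    for entry in user_timeline(SAMPLE_RECORDS, "alice@example.com"):
        print(*entry)
```

Run as-is, the script prints the per-user summary (alice shows two failed logins, one inbox rule and four file alerts, all from one IP) and alice’s timeline, which is the “stitched together” view the scenario describes: the file activity and the inbox rule only look alarming once they sit next to the failed logins from the same address.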


------------------------------------------------------------------------------------------------------------


💬 Teams Logs: Chat, Meetings, File Sharing

We won’t go too deep here, but yes — Petra also tracks Teams activity. That includes:

  • 🧵 New chats created

  • 📎 Links or files shared

  • 📅 Meetings scheduled

  • 👤 Participant joins/leaves, and many more

These logs are crucial for spotting lateral movement, phishing via Teams, or even attackers trying to extract data from group chats.


------------------------------------------------------------------------------------------------------------


🔐 Authentication Logs: Who Changed What?

Petra tracks authentication method changes across all users. So, you’ll know:

  • When a user removed MFA

  • When they added a new method (like Microsoft Authenticator or SMS)

  • If they’re only using a password (⚠️ red flag!)


Why is this important?

Because often, attackers try to downgrade authentication after getting in. Seeing those changes in plain view — without digging — is a massive win for any SOC analyst.
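The two checks described above, the “which users don’t have MFA” view from the user-intelligence section and the authentication-method change log from this section, as an added example that is not part of the original post and not Petra’s code: a Python script that starts from a constructed per-user snapshot, replays constructed method-change events in time order, and flags a removed MFA method as high severity when the account ends up password-only. The user names, the method names (MicrosoftAuthenticator, SMS, FIDO2, Voice) and the event format are assumptions for illustration, not Petra’s data model or Microsoft’s API.

```python
"""Added example: spotting accounts without MFA and authentication-method
downgrades from a user snapshot plus a list of method-change events.

The snapshot and the events are constructed for this example; the method
names and the replay approach are assumptions, not Petra's data model.
"""

# Methods treated as a second factor. A password alone never counts.
MFA_METHODS = {"MicrosoftAuthenticator", "SMS", "FIDO2", "Voice"}

# Constructed user snapshot, the per-user view the post describes.
USER_SNAPSHOT = {
    "alice@example.com": {"name": "Alice Example", "enabled": True,
                          "methods": {"password", "MicrosoftAuthenticator"}},
    "bob@example.com": {"name": "Bob Example", "enabled": True,
                        "methods": {"password"}},
    "carol@example.com": {"name": "Carol Example", "enabled": True,
                          "methods": {"password", "MicrosoftAuthenticator", "SMS"}},
    "dave@example.com": {"name": "Dave Example", "enabled": False,
                         "methods": {"password"}},
}

# Constructed method-change events; deliberately not in time order.
METHOD_EVENTS = [
    {"time": "2025-11-03T08:20:00", "user": "alice@example.com",
     "action": "removed", "method": "MicrosoftAuthenticator"},
    {"time": "2025-11-03T07:55:00", "user": "bob@example.com",
     "action": "added", "method": "SMS"},
    {"time": "2025-11-03T12:00:00", "user": "carol@example.com",
     "action": "removed", "method": "SMS"},
]


def has_mfa(methods):
    """True if at least one registered method is a second factor."""
    return bool(set(methods) & MFA_METHODS)


def users_without_mfa(snapshot, include_disabled=False):
    """Accounts that can sign in with nothing but a password.

    Disabled accounts are skipped by default; pass include_disabled=True
    for a full inventory."""
    return sorted(user for user, info in snapshot.items()
                  if not has_mfa(info["methods"])
                  and (include_disabled or info["enabled"]))


def replay_method_changes(snapshot, events):
    """Apply method changes in time order and return (new_snapshot, findings).

    A removed MFA method is 'high' when the account ends up password-only
    and 'medium' when another MFA method remains; additions are 'info' so
    an analyst can still review new SMS or Authenticator registrations.
    The input snapshot is copied, not modified."""
    state = {u: {**info, "methods": set(info["methods"])}
             for u, info in snapshot.items()}
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        info = state.setdefault(e["user"], {"name": e["user"], "enabled": True,
                                            "methods": set()})
        methods = info["methods"]
        if e["action"] == "removed":
            methods.discard(e["method"])
            if e["method"] in MFA_METHODS:
                severity = "high" if not has_mfa(methods) else "medium"
                findings.append((e["time"], e["user"], severity,
                                 f"removed {e['method']}; remaining: {sorted(methods)}"))
        elif e["action"] == "added":
            methods.add(e["method"])
            findings.append((e["time"], e["user"], "info", f"added {e['method']}"))
    return state, findings


if __name__ == "__main__":
    print("password-only before:", users_without_mfa(USER_SNAPSHOT))
    after, findings = replay_method_changes(USER_SNAPSHOT, METHOD_EVENTS)
    for f in findings:
        print(*f)
    print("password-only after:", users_without_mfa(after))
```

With the constructed data, bob is the only active password-only account in the snapshot; after the replay bob has added SMS, carol has dropped SMS but still holds Authenticator (medium), and alice has removed Authenticator and become password-only (high), which is exactly the downgrade pattern the paragraph above warns about.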

------------------------------------------------------------------------------------------------------------


💻 Devices, Permissions, and App Registrations

Let’s talk about the remaining three log sources Petra captures:

1. Devices Log

Tracks every device tied to a user — by:

  • Device name

  • User ID

  • Type (mobile/laptop/desktop)

Perfect for identifying rogue endpoints or signs of lateral movement.


2. Permissions Log

Want to know which users have admin rights or custom roles?

This log shows:

  • Role name

  • Role description

  • Assigned users

Very helpful during privilege reviews and investigations involving privilege escalation.


3. App Registration Log

Petra tracks all enterprise and personal apps added into your M365 environment.

You can see:

  • Which apps were installed

  • Who registered them

  • When they were added

This is where attackers sometimes try to sneak in persistence — by registering apps with elevated API access.


------------------------------------------------------------------------------------------------------------

🚨 All of This in One View — With Context

Seeing all of this in one interface, filterable by:

  • IP

  • User

  • Country

  • Device

  • App

  • Log type

…is honestly what sets Petra apart. It’s centralized, simple, and fast.

------------------------------------------------------------------------------------------------------------

No flipping through five admin portals. No writing KQL queries. Just answers.

------------------------------------------------------------------------------------------------------------


⚡ Coming Up: Petra's Claim of “Zero False Positives” — Real or Just Hype?


Petra claims to deliver 100% zero false positives.

That’s a bold statement.

Next, we’ll dive into what that really means, how their machine learning model works behind the scenes, and whether it actually delivers on this promise in real-world investigations.

Stay tuned. 👀

------------------------------------------------------------------------------------------------------------

Upcoming article: Petra Security’s “Incidents” Tab — A Game-Changer for M365 Breach Investigations

------------------------------------------------------------------------------------------------------------