Investigating non-US activity

Why Monitor Non-United States Activity?

Your clients and your employees probably see activity originating outside the US as a red flag. While this isn’t always the case, a report on that activity can make valuable collateral for clients and stakeholders. Petra makes it easy to investigate activity coming from outside the US.

You can also access these features in our demo tenant, Acme Corp.

Method 1: Using the Reporting Tab

The Reporting tab offers a streamlined view of non-US activity:

  1. Navigate to the Reporting tab in the top navigation bar
  2. Look for the Uncommon Activity section
  3. Click on New country outside the US to filter the results
  4. Each listed user is clickable for deeper investigation

When you click on a specific user entry, you’ll see:

  • The complete user profile
  • Specific log entries associated with their non-US login
  • Detailed information about the activity location

This activity-specific view includes the user information up top, then the specific relevant logs highlighted in yellow. The logs viewer beneath is fully functional so that you can apply additional filters and further investigate.

Method 2: Using the Logs Viewer

Logs viewers can be found all over Petra. Any one of them will allow you to search for activity coming from outside the United States.

  1. Navigate to the tenant page (via the top left corner navigation)
  2. Scroll down to the Activity section
  3. Use the filter option to select not in: United States

Initially, you’ll likely see numerous failed attacks from outside the US. Low-sophistication attackers often use obviously malicious IPs that are easily blocked by Microsoft. More sophisticated attackers typically use IP rotation techniques.

Filter Out Failed Attacks/Blocked Activity

To focus on actual user behavior rather than blocked attacks:

  1. Apply an additional filter for successful logins only
  2. Review the list of legitimate users accessing from non-US locations
  3. Select a specific user to investigate their pattern of activity

You can further refine your investigation by:

  • Filtering for specific applications (Exchange, SharePoint, Teams)
  • Examining the timing and frequency of access
  • Checking for consistent patterns that may indicate legitimate travel versus suspicious activity
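The same triage can be reproduced on exported sign-in records. The following is an added example, not Petra's code or API: it assumes records shaped like the Microsoft Graph `signIn` resource, and the sample data, the `rec` and `triage` helpers, and the 4-hour window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(user, ts, app, ip, code, cc):
    # Field names follow the Microsoft Graph signIn resource (errorCode 0 = success).
    return {"userPrincipalName": user, "createdDateTime": ts, "appDisplayName": app,
            "ipAddress": ip, "status": {"errorCode": code},
            "location": {"countryOrRegion": cc}}

# Constructed sample data: users, IPs (documentation ranges) and times are invented.
SIGN_INS = [
    rec("ana@example.com", "2024-05-01T08:00:00Z", "Microsoft Teams", "198.51.100.7", 0, "US"),
    rec("ana@example.com", "2024-05-01T09:30:00Z", "Exchange Online", "203.0.113.9", 0, "DE"),
    rec("bob@example.com", "2024-05-02T10:00:00Z", "SharePoint Online", "192.0.2.44", 0, "FR"),
    rec("bob@example.com", "2024-05-03T10:05:00Z", "Exchange Online", "192.0.2.44", 0, "FR"),
    rec("carl@example.com", "2024-05-02T03:12:00Z", "Exchange Online", "203.0.113.200", 50126, "BR"),
    rec("carl@example.com", "2024-05-02T14:00:00Z", "Exchange Online", "198.51.100.20", 0, "US"),
]

def country(r):
    return r["location"]["countryOrRegion"]

def when(r):
    return datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def triage(sign_ins, home="US", window=timedelta(hours=4), apps=None):
    """Summarise successful non-home sign-ins per user; count failed ones separately."""
    by_user, failed_foreign = defaultdict(list), 0
    for r in sorted(sign_ins, key=when):
        if apps and r["appDisplayName"] not in apps:
            continue  # optional application filter
        if r["status"]["errorCode"] != 0:
            failed_foreign += int(country(r) != home)  # failed attempt, not user behaviour
            continue
        by_user[r["userPrincipalName"]].append(r)
    report = {}
    for user, rows in by_user.items():
        foreign = [r for r in rows if country(r) != home]
        if not foreign:
            continue
        # Country change between consecutive successes inside `window` (an assumed
        # threshold): flagged for review rather than treated as a verdict.
        jumps = [(country(a), country(b)) for a, b in zip(rows, rows[1:])
                 if country(a) != country(b) and when(b) - when(a) <= window]
        report[user] = {"countries": sorted({country(r) for r in foreign}),
                        "apps": sorted({r["appDisplayName"] for r in foreign}),
                        "ips": sorted({r["ipAddress"] for r in foreign}),
                        "count": len(foreign), "rapid_country_changes": jumps}
    return report, failed_foreign
```

On the sample data, `bob@example.com` shows a steady single-country pattern, while `ana@example.com` changes country within the window and is the one to open first.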

The logs view preserves the username of the user you’re investigating as you add more filters and switch between Logins, Exchange activity, SharePoint activity, and more.

The Activity viewer, showing Exchange activity from outside the US.

  • Tenant Selection: Use the dropdown in the top left corner to switch between tenants
  • Home: Click the Petra logo in the top left to return to the home page
  • Tenant Activity: Access a specific tenant’s activity panel from the home page by clicking on a tenant in the list