Petra cannot see audit logs from before auditing was enabled. Petra Scan, Autopsy, and every other Petra feature can only analyze logs that Microsoft was actively recording. If audit logs were enabled one week ago, Scan and Autopsy can only look back one week. If audit logs were not enabled prior to onboarding, Petra cannot scan activity prior to onboarding. Microsoft does not backfill logs retroactively, and there is no exception to this for any Petra feature.

What are Microsoft 365 Audit Logs?

Microsoft 365 Unified Audit Logs (UAL) record user and admin activity across your Microsoft 365 environment: logins, email access, SharePoint activity, Teams interactions, and more. Petra relies on these logs to detect threats, investigate incidents, and produce reports.

How to enable audit logs

Audit logging needs to be turned on in your Microsoft 365 tenant. To enable it:
  1. Sign in to the Microsoft Purview compliance portal as a Global Admin.
  2. Navigate to Solutions > Audit.
  3. If you see a banner that says “Start recording user and admin activity”, click it to turn on audit logging.
  4. If you don’t see the banner, auditing is already enabled for your tenant.
There is no cost to enable audit logging and it does not require any additional Microsoft licensing.

Do I need to enable audit logs myself?

For monitoring: No. When you onboard a tenant, Petra checks the audit log status and enables them for you automatically.

For the Scan lookback: Audit logs need to have been on already. Petra Scan investigates the last 6 months of activity, but it can only analyze logs that Microsoft was actively recording. If audit logs were recently enabled, the lookback only covers the period since they were turned on. Microsoft does not backfill logs retroactively.

You cannot just turn on audit logs and expect to see 6 months of historical data. Petra can only analyze logs that Microsoft was actively recording. If logs were enabled last week, the Scan lookback can only see one week of data.

How to check if your logs are flowing

From the Tenants table: If a tenant’s status shows Audit Logs Not Enabled, audit logging is not turned on for that tenant.

From the Activity Viewer: Navigate into the tenant and scroll down to the logs section. Browse through the Logins, Exchange, SharePoint, and Teams tabs and look at the date range of available data:
  • If logs stop abruptly at a date within the last 6 months, that is most likely when audit logging was enabled for the tenant. Everything before that date was not recorded by Microsoft.
  • If the tenant was recently onboarded, Petra may still be backfilling. See below for expected timelines.
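
The audit status check, the enable step, and the "where do the logs start" check can also be run directly against Microsoft from Exchange Online PowerShell. The script below is an added example, not Petra or Microsoft code; it assumes the ExchangeOnlineManagement module is installed and an account allowed to read audit settings and search the audit log, and the `-Enable` switch and the 30-day probe windows are choices made for this example.

```powershell
# Added example, not Petra code. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account may read/change audit settings.
# Run in Exchange Online PowerShell: in Security & Compliance PowerShell,
# UnifiedAuditLogIngestionEnabled always reads False.
param([switch]$Enable)   # pass -Enable to turn auditing on when it is off

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is Microsoft recording audit events for this tenant?
$ingesting = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Output "Unified audit log ingestion enabled: $ingesting"

if (-not $ingesting -and $Enable) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output "Auditing switched on; activity before this point was never recorded."
}

# 2. Probe the last 180 days in 30-day windows, newest first, to see how
#    far back audit records actually exist.
$now = (Get-Date).ToUniversalTime()
$coverage = foreach ($i in 0..5) {
    $end   = $now.AddDays(-30 * $i)
    $start = $end.AddDays(-30)
    # One record is enough to prove the window has data.
    $hit = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 1
    [pscustomobject]@{
        WindowStart = $start.ToString('yyyy-MM-dd')
        WindowEnd   = $end.ToString('yyyy-MM-dd')
        HasRecords  = [bool]$hit
    }
}
$coverage | Format-Table -AutoSize

# The oldest window that still has records bounds the usable lookback.
$oldest = $coverage | Where-Object HasRecords | Select-Object -Last 1
if ($oldest) {
    Write-Output "Oldest window with audit records starts $($oldest.WindowStart)."
} else {
    Write-Output "No audit records found in the last 180 days."
}

Disconnect-ExchangeOnline -Confirm:$false
```

A run of windows with `HasRecords` set to False at the old end of the table is the same signal as logs stopping abruptly in the Activity Viewer.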

How to tell when audit logs were enabled

Click into a tenant and look at Tenant Statistics. You’ll see an entry like Audit Logging enabled <date> showing exactly when logging was turned on for that tenant. If audit logs were enabled within the last 6 months, a banner at the top of the tenant page also calls this out.
Figure: Tenant page showing the recently-enabled audit logs banner and the Audit Logging enabled date in Tenant Statistics.

How long does backfill take?

When you onboard a new tenant, Petra pulls up to 6 months of historical audit logs from Microsoft. This process typically takes up to 72 hours, depending on:
  • The volume of activity in the tenant
  • Microsoft API response times and rate limits
  • The number of users and event types
Microsoft’s own APIs can introduce delays in surfacing audit log data. If your backfill seems slow, this is almost always due to Microsoft-side throttling rather than an issue with Petra.

FAQs

I just onboarded a tenant and don’t see any logs yet. Is something wrong?

Probably not. Petra takes up to 72 hours to backfill historical logs after onboarding. Give it some time and check the Activity Viewer again later.

Can Scan or Autopsy look back before audit logging was enabled?

No. Scan and Autopsy can only analyze activity that Microsoft was actively recording. If audit logging was enabled one week ago, Scan and Autopsy can only look back one week. Microsoft does not backfill logs for the period before auditing was turned on, so there is no way to recover forensic data from before that date.

Can I see logs older than 6 months?

No. Microsoft 365 retains standard audit logs for approximately 6 months (180 days). Even if auditing has been enabled longer, data older than 6 months is no longer available from Microsoft’s APIs.

My logs go cold a few months back. Why?

This almost always means audit logging was enabled on that date. Microsoft only records activity from the moment auditing is turned on — it does not retroactively generate logs for the period before. The date where logs stop is likely when someone enabled auditing for that tenant.

Petra says “Audit Logs Not Enabled.” What do I do?

This means the tenant does not have Unified Audit Logs turned on. Without them, Petra cannot do a historical lookback. Petra will enable audit logs and begin monitoring going forward, but the Scan lookback will have limited or no historical data to analyze. For the best results, make sure audit logs are enabled on your tenants before onboarding.

Does Petra work without audit logs?

Yes. Petra will enable audit logs for you and begin monitoring from that point forward. However, without historical audit log data, the Scan lookback cannot analyze past activity. For the best protection, enable audit logging on all your tenants as early as possible.