RAIDEN surfaces threats as two distinct concepts: alerts, which are individual detection events, and cases, which are grouped investigations built from related alerts. Understanding the difference helps you triage faster and avoid working detections in isolation.

Cases vs. alerts

Term  | What it is
Alert | A single detection event — for example, one suspicious login from an unusual location
Case  | A group of related alerts for the same user, treated as one investigation with an AI-generated report

Start with Cases, not individual alerts. Each case includes an AI-generated investigation report that summarises all the evidence. Read that report before drilling into individual alerts — it gives you the full picture in seconds.

Alert severity levels

Every alert carries a severity level that tells you how urgently it needs attention.
Severity | Meaning                                | When to act
Critical | Active or confirmed account compromise | Immediately
High     | Strong indicators of attack            | Today
Medium   | Suspicious but unconfirmed             | Within 48 hours
Low      | Unusual activity, low risk             | Monitor
Info     | Contextual data, no direct risk        | No action needed
When your alert volume is high, filter by Critical and High first. Work cases rather than individual alerts — the case report gives you the consolidated picture with context.

Responding to a real threat

When a case looks like a genuine threat, work through it in this order:
1. Read the AI-generated investigation report
   Open the case and read the report at the top. It summarises all related alerts and evidence in plain language, written for IT admins rather than security analysts.

2. Take action from the Remediation panel
   Use the RAIDEN Actions buttons in the Remediation panel to contain the threat directly — revoke sessions, disable the account, or delete malicious inbox rules — without opening a separate admin portal. See Response Actions for details on each action.

3. Document what you did
   Use Case Notes to record what actions you took and when. This creates an audit trail and helps teammates who pick up the case later.

4. Update the case status
   Set the case status to Investigating while you are actively working it. Change it to Closed once the threat is resolved.

Case statuses

Cases have two statuses you can set manually:
Status        | When to use it
Investigating | The case is open and actively being worked
Closed        | The threat has been resolved or determined to be a false positive

Marking a false positive

If an alert fired on known-safe activity, mark it as a false positive and suppress future alerts for that entity.
1. Open the alert
   Navigate to the alert inside the case.

2. Change the status to False Positive
   Set the alert status to False Positive.

3. Apply suppression and save
   Use the suppression options to stop future alerts for the same IP address, application, or user. Click Save to apply.

Suppression options

When marking a false positive, you can suppress future alerts by:
  • IP address — RAIDEN will not alert on that detection rule when activity originates from this IP
  • Application — suppresses the rule for a specific application
  • User — suppresses the rule for a specific user account
Suppression applies per detection rule. It prevents that specific rule from firing against the suppressed entity — other rules continue to run normally.
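To make the per-rule scoping concrete, and to tie it to the severity-first triage advice in the alert severity section, here is a small added toy model. It is not RAIDEN's code or API: the alert fields, rule names, sample IPs and function names are all assumptions made for the illustration. It groups unsuppressed alerts into one case per user, ranks cases by their worst alert, and shows that a suppression on one detection rule leaves other rules firing against the same entity.

```python
# Toy model of the triage rules this page describes: alerts grouped into
# per-user cases, severity-first ordering, and per-detection-rule suppression.
# Added illustration only; the data model and function names are assumptions,
# not RAIDEN's API.
from collections import defaultdict
from dataclasses import dataclass

# Lower number = more urgent, matching the severity table on this page.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Entity types a suppression can target, mapped to the Alert field they match.
SUPPRESSIBLE_FIELDS = {"ip": "ip", "app": "app", "user": "user"}


@dataclass(frozen=True)
class Alert:
    rule: str      # name of the detection rule that fired (assumed identifier)
    severity: str  # one of SEVERITY_ORDER's keys
    user: str
    ip: str
    app: str


@dataclass(frozen=True)
class Suppression:
    rule: str         # suppression is scoped to exactly one detection rule
    entity_type: str  # "ip", "app" or "user"
    value: str


def is_suppressed(alert: Alert, suppressions: list) -> bool:
    """True if some suppression matches this alert's rule AND its entity."""
    for s in suppressions:
        if s.rule != alert.rule:
            continue  # other rules keep running against the same entity
        field_name = SUPPRESSIBLE_FIELDS[s.entity_type]
        if getattr(alert, field_name) == s.value:
            return True
    return False


def build_cases(alerts: list, suppressions: list) -> dict:
    """Group the alerts that survive suppression into one case per user."""
    cases = defaultdict(list)
    for alert in alerts:
        if not is_suppressed(alert, suppressions):
            cases[alert.user].append(alert)
    return dict(cases)


def case_severity(case_alerts: list) -> str:
    """A case is as severe as its most severe alert."""
    return min(case_alerts, key=lambda a: SEVERITY_ORDER[a.severity]).severity


def triage_order(cases: dict, min_severity: str = "High") -> list:
    """Users whose case is at least min_severity, most urgent first."""
    cutoff = SEVERITY_ORDER[min_severity]
    ranked = [
        (SEVERITY_ORDER[case_severity(alerts)], user)
        for user, alerts in cases.items()
        if SEVERITY_ORDER[case_severity(alerts)] <= cutoff
    ]
    return [user for _, user in sorted(ranked)]


# Constructed sample data (documentation IP ranges, made-up rule names).
SAMPLE_ALERTS = [
    Alert("impossible-travel", "High", "alice", "203.0.113.7", "Outlook"),
    Alert("inbox-rule-created", "Critical", "alice", "203.0.113.7", "Outlook"),
    Alert("impossible-travel", "High", "bob", "198.51.100.2", "Teams"),
    Alert("unusual-login-time", "Low", "carol", "198.51.100.2", "Teams"),
    Alert("new-device", "Medium", "dave", "192.0.2.9", "Outlook"),
]

# Constructed suppression: impossible-travel from the corporate VPN egress IP
# was marked a false positive. It silences that rule only for that IP.
SAMPLE_SUPPRESSIONS = [Suppression("impossible-travel", "ip", "198.51.100.2")]


if __name__ == "__main__":
    cases = build_cases(SAMPLE_ALERTS, SAMPLE_SUPPRESSIONS)
    for user in triage_order(cases, min_severity="Low"):
        print(f"{case_severity(cases[user]):8} {user}: {len(cases[user])} alert(s)")
```

Running it drops bob's impossible-travel alert (rule and IP both match the suppression) but keeps carol's unusual-login-time alert from the same IP, because that is a different rule. With the default High cutoff only alice's case surfaces, which is the "filter by Critical and High first" behaviour described earlier.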

Case Notes

Every case has a Case Notes section where you can add free-text entries. Use it to:
  • Record what actions you took and the timestamps
  • Note context that is not visible in the alert data
  • Leave handover information for teammates
Case Notes are visible to all team members with access to the case.