RAIDEN runs a set of purpose-built detection rules against your Microsoft 365 audit log continuously. Each rule targets a specific attack technique or abuse pattern observed in real M365 environments. This page lists every active detection rule, what it monitors, and what triggers a finding.
How detections work
RAIDEN processes Microsoft 365 audit log events on every poll cycle (every 5 minutes). Events are evaluated against each active detection rule. When a rule’s conditions are met, a finding is created. Related findings for the same user are grouped into a Case with an AI-generated investigation report.
All detection rules are:
- Pure signal — no false-positive-based throttling. Every match creates a finding.
- Per-user scoped — findings are always attributed to a specific user account.
- Configurable via suppression — you can suppress a rule for a specific IP, application, or user if it fires on known-safe activity. See Cases & Alerts — Suppression.
Identity & Authentication
SESSION_BAD_ASN
Detects sign-ins from IP addresses belonging to ASNs (Autonomous System Numbers) associated with known threat infrastructure — hosting providers, bulletproof hosting networks, and datacentre ranges commonly used by attackers.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory audit log — sign-in events |
| MITRE ATT&CK | T1078 — Valid Accounts |
| Severity | High |
SESSION_BAD_ASN_VPN
Detects sign-ins from IP addresses associated with commercial VPN services and anonymising proxies. A legitimate user connecting via VPN is low risk; the same user suddenly switching to a VPN they have never used before — especially during a session with other suspicious indicators — is a strong signal.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory audit log |
| MITRE ATT&CK | T1090 — Proxy |
| Severity | Medium |
IMPOSSIBLE_TRAVEL
Detects two successful authentications from the same account within a time window that makes physical travel between the originating locations impossible. For example, a login from London followed 20 minutes later by a login from Singapore.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1078 — Valid Accounts |
| Severity | High |
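The check described above, worked through as an added example (not RAIDEN's own code): it assumes each sign-in's source IP has already been resolved to latitude/longitude and uses a hypothetical 1000 km/h plausibility ceiling; the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed plausibility ceiling: faster than any airliner is impossible

@dataclass(frozen=True)
class SignIn:
    """One successful sign-in whose source IP has already been geolocated (degrees)."""
    user: str
    when: datetime
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def required_speed_kmh(earlier, later):
    """Speed needed to cover the distance in the elapsed time (0.0 when the place is the same)."""
    km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    if km == 0.0:
        return 0.0
    return float("inf") if hours <= 0 else km / hours

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each sign-in with the same user's previous one; return (earlier, later, speed) above the ceiling."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            speed = required_speed_kmh(prev, ev)
            if speed > max_speed_kmh:
                findings.append((prev, ev, speed))
        last_seen[ev.user] = ev
    return findings

# Constructed sample: the London -> Singapore pair from the text plus a plausible London -> Paris trip.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    SignIn("alice@contoso.example", T0, 51.5074, -0.1278),                          # London
    SignIn("alice@contoso.example", T0 + timedelta(minutes=20), 1.3521, 103.8198),  # Singapore
    SignIn("bob@contoso.example", T0, 51.5074, -0.1278),                            # London
    SignIn("bob@contoso.example", T0 + timedelta(hours=3), 48.8566, 2.3522),        # Paris
]
```

Only Alice's pair is returned: roughly 10,850 km in 20 minutes is over 30,000 km/h, while Bob's London to Paris trip needs about 115 km/h.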
BASELINE_ANOMALY
Detects statistically significant deviations from a user’s established behavioural baseline. RAIDEN builds a profile of each user’s normal activity — usual ASNs, locations, session patterns, and application usage — and flags sessions that fall outside those norms. Requires 7–14 days of activity before the baseline is meaningful.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1078 — Valid Accounts |
| Severity | Medium |
SESSION_ID_REUSE
Detects when the same session token or session ID is used from two different IP addresses — a strong indicator of token theft and session hijacking.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1550.004 — Use Alternate Authentication Material: Web Session Cookie |
| Severity | High |
Phishing & Token Theft
DEVICE_CODE_PHISHING
Detects the device code authentication flow being used in a suspicious context. Device code phishing is an increasingly common technique where attackers trick users into entering a device code that grants the attacker persistent access to the user’s account.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1528 — Steal Application Access Token |
| Severity | High |
TOKEN_THEFT_SESSION
Detects indicators of session token theft — authentication events that show characteristics consistent with a replayed or stolen token, such as unusual client metadata, missing device registration, or session origin inconsistencies.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1550.004 — Use Alternate Authentication Material: Web Session Cookie |
| Severity | High |
AITM_PHISHING
Detects Adversary-in-the-Middle (AiTM) phishing attacks — where an attacker proxies a legitimate Microsoft login to steal credentials and session tokens simultaneously. Triggered by combinations of indicators including unusual ASNs, session reuse, and post-authentication activity patterns.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events, Exchange audit log |
| MITRE ATT&CK | T1557 — Adversary-in-the-Middle |
| Severity | Critical |
AITM_INTEL_KIT_MATCH
Detects sign-ins from IP addresses and infrastructure previously associated with known AiTM phishing kits (EvilGinx, Modlishka, Muraena, and variants). Matched against a continuously updated threat intelligence feed.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory sign-in events |
| MITRE ATT&CK | T1557 — Adversary-in-the-Middle |
| Severity | High |
Identity Posture
MFA_ACTIVITY
Detects suspicious MFA changes — new MFA device registrations, method changes, or MFA-related admin operations on the account. Particularly significant when combined with a recent sign-in from an unusual location.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory audit log |
| MITRE ATT&CK | T1556.006 — Modify Authentication Process: Multi-Factor Authentication |
| Severity | High |
AUTH_METHOD_POLICY_MODIFIED
Detects changes to the tenant-wide authentication methods policy — for example, enabling or disabling SMS OTP, adding or removing FIDO2 key support, or modifying Temporary Access Pass settings. These are admin-level changes that alter the security posture for all users.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory audit log |
| MITRE ATT&CK | T1556 — Modify Authentication Process |
| Severity | Medium |
Exfiltration & Data Access
SPO_MASS_DOWNLOAD
Detects a high volume of SharePoint or OneDrive file download events from a single session within a short time window — a pattern consistent with bulk data exfiltration.
| Detail | Value |
|---|---|
| Event source | SharePoint audit log |
| MITRE ATT&CK | T1030 — Data Transfer Size Limits |
| Severity | High |
SPO_MASS_SHARING_LINK_EXFIL
Detects mass creation of anonymous sharing links for files or folders — a technique used to exfiltrate data without downloading it directly. A high volume of sharing links created in a short window is a strong exfiltration indicator.
| Detail | Value |
|---|---|
| Event source | SharePoint audit log |
| MITRE ATT&CK | T1567 — Exfiltration Over Web Service |
| Severity | High |
MAILBOX_DELEGATION
Detects suspicious mailbox delegation — granting another account full mailbox access or send-on-behalf permissions. Commonly used by attackers after compromise to maintain persistent mailbox access without needing the user’s credentials.
| Detail | Value |
|---|---|
| Event source | Exchange audit log |
| MITRE ATT&CK | T1098.002 — Account Manipulation: Additional Email Delegate Permissions |
| Severity | Medium |
Persistence & Manipulation
MAIL_FORWARDING
Detects the creation of inbox rules that forward emails to external addresses or hide security-related emails from the user. Both techniques are used by attackers after account compromise: forwarding gives the attacker ongoing visibility into the victim’s mailbox, and hiding rules keep security notifications out of the victim’s sight.
| Detail | Value |
|---|---|
| Event source | Exchange audit log |
| MITRE ATT&CK | T1114.003 — Email Collection: Email Forwarding Rule |
| Severity | High |
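An added example of the two rule patterns this detection looks for, evaluated over constructed inbox-rule audit records (not RAIDEN's code; the record layout is a simplified assumption, and the tenant domain, keyword list and sample addresses are hypothetical):

```python
import re

INTERNAL_DOMAINS = {"contoso.example"}  # assumed tenant domain; any other recipient domain is external
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # parameters that copy mail elsewhere
HIDE_KEYWORDS = ("security", "password", "mfa", "sign-in", "suspicious")  # notices an attacker wants hidden
ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def _params(record):
    # Inbox-rule audit records carry their cmdlet arguments as a list of {"Name": ..., "Value": ...}.
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def external_addresses(value):
    """Pull e-mail addresses out of a parameter value and keep only those outside the tenant."""
    return [a for a in ADDR.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def evaluate_inbox_rule(record):
    """Return the reasons MAIL_FORWARDING would fire for one inbox-rule record ([] if none)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        ext = external_addresses(p.get(name, ""))
        if ext:
            reasons.append(f"{name} -> external: {', '.join(ext)}")
    # A rule that deletes or files matching mail, keyed on security wording, hides notices from the user.
    hides = p.get("DeleteMessage") == "True" or "MoveToFolder" in p
    matched = " ".join(p.get(k, "") for k in
                       ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")).lower()
    if hides and any(k in matched for k in HIDE_KEYWORDS):
        reasons.append("hides security-related mail matching: " + matched.strip())
    return reasons

# Constructed sample records in a simplified unified-audit-log shape (not real tenant data).
SAMPLE_RECORDS = [
    {"UserId": "alice@contoso.example", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardTo", "Value": '"Backup" [SMTP:archive@external.example]'}]},
    {"UserId": "bob@contoso.example", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Cleanup"},
        {"Name": "SubjectContainsWords", "Value": "security alert;password reset"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "carol@contoso.example", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Team"},
        {"Name": "ForwardTo", "Value": "team@contoso.example"}]},
]

def run(records):
    return {r["UserId"]: reasons for r in records if (reasons := evaluate_inbox_rule(r))}
```

Carol's rule forwards inside the tenant and produces nothing; Alice's external forward and Bob's delete-on-"security" rule each produce one reason.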
POWER_AUTOMATE_ABUSE
Detects suspicious Power Automate flow creation — particularly flows that connect to external services, perform data exports, or are created immediately after a suspicious authentication event.
| Detail | Value |
|---|---|
| Event source | Exchange / M365 audit log |
| MITRE ATT&CK | T1567 — Exfiltration Over Web Service |
| Severity | Medium |
TEAMS_ANOMALY
Detects unusual Microsoft Teams activity — high-volume external message sends, unusual Teams app installations, or Teams usage that deviates significantly from the user’s normal pattern.
| Detail | Value |
|---|---|
| Event source | Microsoft Teams audit log |
| MITRE ATT&CK | T1534 — Internal Spearphishing |
| Severity | Medium |
OAUTH_APP_ABUSE
Detects OAuth application consent grants that are suspicious — apps requesting high-privilege permissions, apps newly registered with unusual metadata, or consent events immediately following a suspicious sign-in.
| Detail | Value |
|---|---|
| Event source | AzureActiveDirectory audit log |
| MITRE ATT&CK | T1550.001 — Use Alternate Authentication Material: Application Access Token |
| Severity | High |
Microsoft Defender Integration
MS_DEFENDER_ALERTS
Ingests security alerts from Microsoft Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps. Defender alerts are treated as first-class RAIDEN findings and grouped into cases alongside RAIDEN-native detections for the same user.
| Detail | Value |
|---|---|
| Event source | Microsoft Graph Security API (/security/alerts_v2) |
| MITRE ATT&CK | Varies by alert |
| Severity | Inherited from Defender severity |
Defender alert ingestion requires SecurityEvents.Read.All permission (included in RAIDEN’s standard permission set). The alerts visible in RAIDEN are the same alerts you would see in the Microsoft Defender portal — RAIDEN adds them to your investigation workflow.
Suppressing false positives
If a detection fires on known-safe activity — for example, a legitimate VPN you use regularly — you can suppress it per IP, application, or user from the alert view. See Cases & Alerts — Marking a false positive for the steps.
Suppression is per rule. Suppressing a rule for one IP does not affect other rules or other IPs.