Setup & Connection
I received an 'Unverified publisher' warning from Microsoft. Is this safe?
Yes, this is expected. RAIDEN is in early access and Microsoft publisher verification is in progress. The warning does not indicate a security risk. Click Accept to continue with the consent flow.
Why am I asked to sign in to Microsoft twice?
RAIDEN connects to two separate Microsoft APIs — Microsoft Graph and the Office Management Activity API. Microsoft requires a separate consent screen for each. Both use the same Global Administrator account and the whole process takes under 30 seconds.
Do I need an E5 licence to use RAIDEN?
No. RAIDEN works at any Microsoft 365 licence tier. It uses the Office Management Activity API for audit log ingestion, which is available across all commercial M365 plans.
The connection test failed. What do I do?
The most common causes are:
- Audit logging not enabled — go to Microsoft Purview → Audit → Start recording user and admin activity
- Insufficient privileges — the consenting account must be a Global Administrator
- Second consent not completed — go to Settings → Connection and click Reconnect M365
I didn't receive my invite email. What should I do?
Check your junk or spam folder first — invite emails are occasionally filtered by corporate mail systems. If it’s not there, contact your RAIDEN onboarding contact to resend the invite.
Detections & Cases
I'm seeing a lot of alerts. Where do I start?
Filter by Critical and High severity first. Work Cases, not individual alerts — the case report gives you the full picture with an AI-generated investigation summary. Individual alerts are the building blocks; cases are the investigations.
An alert fired on a known-safe IP or application. What do I do?
Mark the alert as False Positive and use the suppression options to prevent future alerts for the same IP, application, or user. RAIDEN will not fire that rule against that entity again.
How do I know RAIDEN is actively monitoring?
Go to Settings → Connection to see the last poll time and event count. If no events have been ingested in the last 30 minutes, check the connection status. You can also email support@raidenhq.com if you suspect a connectivity issue.
How quickly will I see detections after connecting?
RAIDEN starts polling immediately after the connection is verified. The first poll processes the last 24 hours of audit logs. Findings typically appear within 5–10 minutes depending on your tenant activity level.
Team & Access
What roles are available?
| Role | What they can do |
|---|---|
| Owner | Full access — team management, M365 connection, all settings |
| Admin | Full access except owner-only settings — can invite users and change roles |
| Analyst | View and action cases and alerts, mark false positives, export reports |
| Viewer | Read-only access to cases and alerts |
How long are invite links valid?
Invite links are valid for 7 days from the time they are generated. If a link expires, an Owner or Admin can generate a new one from Settings → Team.