What ITDR covers
RAIDEN monitors two Microsoft identity signal sources:

| Source | What it detects |
|---|---|
| Entra ID Identity Protection | Users flagged as risky by Microsoft — leaked credentials, sign-ins from anonymous IPs, impossible travel, and other Microsoft-native risk detections |
| Microsoft Defender | Identity-related security alerts from Microsoft Defender for Identity and Defender for Cloud Apps — lateral movement, suspicious authentication, privilege escalation |

ITDR case creation
ITDR cases are created automatically — no manual setup required. RAIDEN polls your Entra ID and Defender signals on every poll cycle (every 5 minutes). When a risky user or Defender alert is detected:

- A case is created with the source signal attached
- RAIDEN runs an AI investigation against the case, pulling in any related RAIDEN findings for the same user
- The case appears in your Cases view with the source labelled — look for the Entra ID or Defender badge
Viewing ITDR cases
Go to ITDR in the main navigation. This view shows all cases sourced from identity signals, separate from RAIDEN’s own detection cases. You can also see ITDR cases in the main Cases view — they are not hidden or separated from your standard workflow. From the ITDR view you can:

- See all users currently at risk according to Microsoft’s signals
- Filter by risk level (High, Medium, Low) and signal source
- Click through to the full case for the AI investigation report and remediation options
Responding to ITDR cases
ITDR cases use the same response actions as any other RAIDEN case:

- Revoke all active sessions — immediately sign the user out of everything
- Disable account — prevent further sign-ins while you investigate
- Create Conditional Access block policy — persistent block in Entra ID
- Confirm as false positive — dismiss the risk flag and suppress future alerts for this signal type
Dismissing Entra ID risk flags
When you confirm a case as a false positive and apply remediation, RAIDEN can dismiss the corresponding Entra ID risk flag on your behalf. This keeps your Entra ID risk state clean and prevents the same signal from creating another case.

Dismissing an Entra ID risk flag requires the IdentityRiskyUser.ReadWrite.All permission. This is included in RAIDEN’s standard permission set.

Baseline learning and ITDR
RAIDEN’s behavioural baseline (built from your tenant’s own audit log activity) runs in parallel with ITDR signals. This means a user flagged by Entra ID as risky will also have their RAIDEN-native detection history included in the investigation case — giving you both the Microsoft signal and RAIDEN’s independent assessment in one view.

Frequently asked questions
Do I need an E5 licence for ITDR?
Entra ID Identity Protection risk events require at least a Microsoft Entra ID P1 licence (included in Microsoft 365 E3, E5, and most Business Premium plans). Microsoft Defender identity alerts require Microsoft Defender for Identity, which is included in E5 and available as an add-on.

RAIDEN works at any licence tier — ITDR simply adds coverage if those licences are present. If your tenant does not have P1/P2 or Defender, RAIDEN’s own detection engine still runs on all tenants.
How quickly do ITDR cases appear?
RAIDEN polls Entra ID and Defender signals on every poll cycle — every 5 minutes. Cases typically appear within 5–10 minutes of Microsoft flagging the risk event.
Will ITDR create duplicate cases if RAIDEN already detected the same threat?
RAIDEN deduplicates across its own detections. If RAIDEN’s engine already created a case for the same user and the same session, the ITDR signal will be attached to the existing case as additional evidence rather than creating a new one.
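
The flag dismissal described under "Dismissing Entra ID risk flags" corresponds to the Microsoft Graph riskyUsers dismiss action. The sketch below is an added example, not RAIDEN's code: it builds the dismiss requests only for analyst-confirmed false positives whose flag is still open, and refuses to proceed without the required permission. The user ids, sample records and function names are constructed for illustration.

```python
import json

DISMISS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss"
REQUIRED_ROLE = "IdentityRiskyUser.ReadWrite.All"
MAX_USERS_PER_REQUEST = 60  # request size limit Microsoft documents for this action

# Constructed sample shaped like a GET /identityProtection/riskyUsers response.
SAMPLE_RISKY_USERS = [
    {"id": "user-0001", "userPrincipalName": "a@contoso.example",
     "riskLevel": "high", "riskState": "atRisk"},
    {"id": "user-0002", "userPrincipalName": "b@contoso.example",
     "riskLevel": "medium", "riskState": "confirmedCompromised"},
    {"id": "user-0003", "userPrincipalName": "c@contoso.example",
     "riskLevel": "none", "riskState": "dismissed"},
    {"id": "user-0004", "userPrincipalName": "d@contoso.example",
     "riskLevel": "low", "riskState": "atRisk"},
]


def dismissable_ids(risky_users, confirmed_false_positives):
    """Keep users an analyst confirmed as false positive whose flag is still open."""
    confirmed = set(confirmed_false_positives)
    return [u["id"] for u in risky_users
            if u["id"] in confirmed and u["riskState"] == "atRisk"]


def build_dismiss_requests(risky_users, confirmed_false_positives, token_roles):
    """Return the POST requests (URL + JSON body) that would clear the flags.

    token_roles: application permissions granted to the app, e.g. the
    `roles` claim of its app-only access token.
    """
    if REQUIRED_ROLE not in token_roles:
        raise PermissionError(f"app token lacks {REQUIRED_ROLE}")
    ids = dismissable_ids(risky_users, confirmed_false_positives)
    return [{"method": "POST", "url": DISMISS_URL,
             "body": json.dumps({"userIds": ids[i:i + MAX_USERS_PER_REQUEST]})}
            for i in range(0, len(ids), MAX_USERS_PER_REQUEST)]


if __name__ == "__main__":
    # user-0002 is confirmed compromised and user-0003 is already dismissed,
    # so only user-0001 ends up in the request body.
    for req in build_dismiss_requests(SAMPLE_RISKY_USERS,
                                      ["user-0001", "user-0002", "user-0003"],
                                      [REQUIRED_ROLE]):
        print(req["method"], req["url"], req["body"])
```

Nothing is sent over the network; the returned request descriptions can be reviewed or handed to whatever HTTP client the environment already uses.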