Detection, IOCs, and Respond Rules

The Detection, IOCs, and Respond Rules section explains how detection logic is defined and tuned in Kaseya SIEM. It is written to be read after you understand how the platform is used in day‑to‑day operations.

In Using Kaseya SIEM, alerts surface activity, investigations add context, and decisions are made before escalation or automation. This section builds on that workflow by explaining how signals are defined, combined, and escalated so detection supports investigation‑driven decisions rather than replacing them.

Kaseya SIEM evaluates normalized security data from multiple sources and surfaces individual signals such as events and indicators of compromise (IOCs). Those signals gain meaning through correlation across time, users, devices, and systems, and through intentional escalation using Respond rules when higher confidence is established.

Articles in this section

This section includes the following articles:

  • Indicators of Compromise: Explains how IOC rules are used to flag known or suspicious signals, add investigation context, and contribute supporting evidence without drawing conclusions on their own

  • Using the Respond Module: Introduces the Respond module and explains how Respond rules, templates, connections, and actions fit together before rules are created or automated

  • Creating Respond rules: Walks through how to build Respond rules that correlate multiple signals into higher‑confidence alerts, including rule structure, scope, conditions, schedules, and outcomes

  • Managing Respond connections: Explains how Respond connections enable response actions for each organization, how connection status affects automation, and how to identify and fix broken connections

  • Respond actions: Describes common response actions that may be available when a Respond rule triggers and explains how to use them safely, including when alert‑only behavior is appropriate

How detection progresses in Kaseya SIEM

Detection in Kaseya SIEM typically progresses through three layers:

  • Individual signals, such as events and IOC matches, that flag potentially relevant activity

  • Correlation of related activity across time, users, devices, and systems to establish context

  • Escalation using Respond rules when investigation confirms that a repeatable pattern should be surfaced or acted on consistently

The articles in this section follow this progression intentionally.
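To make the three layers concrete, the following Python is an added illustration written for this page; it is not Kaseya SIEM code and does not use Kaseya's rule syntax. The IOC values, the event field names, the ten‑minute window, and the shape of the Respond‑style rule are all assumptions made for the example. It runs over a handful of constructed events and shows the point the section makes: an IOC match on its own is evidence, correlation supplies context, and only the correlated pattern is escalated, alert‑only by default.

```python
"""Illustrative model of signal -> correlation -> escalation.
Added example only: not Kaseya SIEM code and not its rule format.
All IOC values, events, thresholds and field names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC values (documentation-range IP, placeholder hash).
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}

# Constructed, already-normalized events in chronological order.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "host": "WS01", "type": "auth_fail", "src_ip": "203.0.113.45"},
    {"ts": "2024-05-01T10:00:20", "user": "alice", "host": "WS01", "type": "auth_fail", "src_ip": "203.0.113.45"},
    {"ts": "2024-05-01T10:01:05", "user": "alice", "host": "WS01", "type": "auth_success", "src_ip": "203.0.113.45"},
    {"ts": "2024-05-01T10:03:40", "user": "alice", "host": "WS01", "type": "process_start", "hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"ts": "2024-05-01T11:30:00", "user": "bob", "host": "WS02", "type": "auth_fail", "src_ip": "198.51.100.7"},
    {"ts": "2024-05-01T14:00:00", "user": "carol", "host": "WS03", "type": "process_start", "hash": "d41d8cd98f00b204e9800998ecf8427e"},
]


def signals(event):
    """Layer 1: tag one event with the individual signals it carries.
    A tag is supporting evidence only; it draws no conclusion by itself."""
    tags = set()
    if event.get("src_ip") in IOC_IPS:
        tags.add("ioc_ip")
    if event.get("hash") in IOC_HASHES:
        tags.add("ioc_hash")
    if event["type"] in ("auth_fail", "auth_success"):
        tags.add(event["type"])
    return tags


def correlate(events, window=timedelta(minutes=10)):
    """Layer 2: group signals by (user, host) into windows anchored at the
    first signal, so related activity becomes one context record."""
    by_entity = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for tag in signals(ev):
            by_entity[(ev["user"], ev["host"])].append((ts, tag))
    contexts = []
    for entity, tagged in by_entity.items():
        tagged.sort()
        i = 0
        while i < len(tagged):
            start_ts = tagged[i][0]
            kinds = set()
            j = i
            while j < len(tagged) and tagged[j][0] - start_ts <= window:
                kinds.add(tagged[j][1])
                j += 1
            contexts.append({"entity": entity, "signals": kinds,
                             "start": start_ts, "end": tagged[j - 1][0]})
            i = j
    return contexts


# Layer 3: a Respond-style rule expressed as data. Hypothetical shape,
# not Kaseya's rule format. Alert-only until the pattern is confirmed.
RESPOND_RULE = {
    "name": "IOC source, successful logon, IOC process within 10 min",
    "requires": {"ioc_ip", "auth_success"},  # every one of these must be present
    "min_signals": 3,                         # and this many distinct signal types
    "action": "alert_only",
}


def escalate(contexts, rule=RESPOND_RULE):
    """Layer 3: raise an alert only for contexts that satisfy the rule."""
    alerts = []
    for ctx in contexts:
        if rule["requires"] <= ctx["signals"] and len(ctx["signals"]) >= rule["min_signals"]:
            alerts.append({"rule": rule["name"], "entity": ctx["entity"],
                           "action": rule["action"], "evidence": sorted(ctx["signals"])})
    return alerts


def run(events=EVENTS):
    """End-to-end: events -> signals -> correlated contexts -> escalated alerts."""
    return escalate(correlate(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note what does not fire: carol's process with an IOC hash and bob's single failed logon each produce a signal and a context, but neither meets the rule, so nothing is escalated for them. That is the behavior the section describes: the IOC contributes evidence, and the Respond rule only surfaces the higher‑confidence correlated pattern.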

How to use this section

Use Detection, IOCs, and Respond Rules:

  • After you understand how alerts and investigations work in practice

  • When individual alerts are insufficient and correlation is required

  • When turning investigation insight into repeatable detection logic

  • When designing escalation and response behavior intentionally

If you are still learning how alerts surface activity or how investigations are performed, start with Using Kaseya SIEM before working in this section.