Onboarding a new customer in Kaseya SIEM
This article is intended for MSPs and partners onboarding customers into an existing Kaseya SIEM environment. It provides a recommended order of operations for repeatable customer onboarding, followed by optional post‑onboarding checks.
This checklist assumes platform access and any cross‑product account associations have already been explicitly completed. It does not assume inheritance from other tenants or products.
This article is intentionally concise and task‑based, and acts as a checklist and navigation aid. Each step links to more detailed documentation with configuration guidance based on your environment, enabled integrations, and security stack.
Some setup steps may also be guided in‑product. This checklist consolidates required and optional activities for organization onboarding, including steps that may not appear in the in-app guidance.
The order prioritizes organizational context and signal quality before connecting data sources and deploying agents.
Initial setup
Complete the following steps for each new customer you onboard.
- Create the organization: Create an organization manually or import it from a supported PSA. For step-by-step instructions, see Managing organizations.
- Configure alert delivery or notifications: Configure PSA integrations or email notifications to ensure alerts are routed to the appropriate operational channels. See Notification, PSA, and external communications.
- Configure Power Filters: Configure Power Filters early to reduce noise and ensure alerts and events are relevant as data sources begin ingesting. For additional guidance, see Power Filters and allowlisting logic.
- Connect identity providers: Connect Microsoft 365 and/or Google Workspace to ingest identity, authentication, and activity telemetry. See Integrating Microsoft 365 with Kaseya SIEM and Integrating Google Workspace with Kaseya SIEM.
- Deploy MDR agents (if applicable): If MDR is enabled for the organization, deploy agents using your preferred method (for example, GPO, macOS, Linux, or RMM). See Deploying agents.
- Connect organization SaaS applications: Connect supported SaaS applications used by the organization (for example, Zoom or Dropbox). See SaaS and Cloud sources.
- Connect and map endpoint security: Ensure the organization is mapped to existing endpoint security integrations (such as Datto EDR, Bitdefender, Webroot, or other supported platforms). See Endpoint and Infrastructure sources.
- Connect and map email security (optional): If the organization uses email security products, connect them to extend email-related detections and investigations. See SaaS and Cloud sources.
- Connect dark web monitoring (optional): If applicable, connect supported dark web monitoring sources to surface exposed credentials or related risks.
- Connect vulnerability scanning (optional): If applicable, connect a supported vulnerability scanner to include vulnerability data in investigations and reporting.
- Map the organization to your RMM (if used): If RMM mapping is used, map the organization or site to ensure accurate device and organizational context. See Unify configuration and context association.
- Integrate firewall or network devices (optional): If applicable, integrate supported firewall or network device telemetry to expand network visibility. See Network and syslog ingestion.
Post‑onboarding checks
After initial setup is complete, review and tune the environment.
- Review alerts and tune filtering: Review real‑time alerts for the organization and adjust filters or suppressions as needed. See Working with alerts and Managing noise and signal.
- Configure IOC and Respond automations (if used): Build and refine automations or notifications for recurring or high‑risk activity. See Indicators of compromise (IOCs) and Using the Respond module.
- Review Fortify (if enabled): If Fortify is enabled, review security posture insights and recommended configuration changes. Fortify operates independently of alert ingestion, severity, and delivery. See Fortify configuration.
- Review Unify mappings: Validate mappings and improve confidence where applicable (for example, identity‑based mappings). See Unify configuration and context association.
- Audit accounts: Review and audit accounts to identify stale or unnecessary access. See How billing and monitoring apply to accounts.
Continuous operations
Perform the following on an ongoing basis:
- Continue reviewing and tuning alerts and Power Filters
- Adjust suppressions as organization environments change
- Review reports to identify gaps that can be remediated through investigation, response, or configuration changes
Onboarding completion check
Before considering onboarding complete, confirm the following:
- You can see events or activity from at least one connected data source
- Alerts are being created and routed as expected
- Ticketing or notification integrations are functioning (if configured)
- Required integrations and agents are deployed for the customer’s scope