How Kaseya SIEM processes security data

Kaseya SIEM processes security activity by collecting telemetry from across your environment, standardizing that data, and correlating related activity before surfacing it for investigation. This helps you start with context across systems, rather than piecing together isolated events.

This article explains the core functions involved and, most importantly, how these functions show up in practice when you investigate activity that spans endpoints, network infrastructure, and cloud services.

What this means for you: investigations in Kaseya SIEM typically begin with alerts that already include related endpoint, network, and cloud activity, instead of starting from individual logs. This helps you understand scope and relationships earlier in the investigation process.

This investigation model is explained in more detail in Alert‑centric vs event‑centric security, which describes why alerts—not raw events—act as the starting point for investigation in Kaseya SIEM.

The processing model: from data to investigation

Kaseya SIEM follows a common SIEM processing model made up of five core functions: log ingestion, normalization, correlation, alerting, and reporting.

Together, these functions transform raw security activity into investigation‑ready signals and views.

Log ingestion: bringing security activity into one place

Log ingestion is the process of collecting security‑relevant data from across your environment. Kaseya SIEM ingests telemetry from multiple sources—such as endpoints, infrastructure, and cloud services—so activity can be reviewed in broader context rather than in isolation.

Data sources generate events in different formats and at different levels of detail. Collecting them in one place is the prerequisite for analyzing activity centrally and tracing security issues that span systems over time; normalization, described next, is what makes the collected data comparable.

Normalization: making different data sources comparable

Different systems record activity using different formats and terminology. Normalization transforms incoming data into a consistent structure so it can be analyzed uniformly across otherwise incompatible sources.

In practice, this means Kaseya SIEM can treat common attributes—such as users, devices, IP addresses, and timestamps—in a consistent way, which supports meaningful correlation and investigation. Identity and time are the attributes that matter most here: the same person appears as a domain account on an endpoint, a username on a VPN gateway, and an email address in a SaaS audit log, and events from different sources can only be placed on one timeline once their timestamps are expressed in a single time zone (normally UTC).

Correlation: how Kaseya SIEM connects activity across domains

Correlation is where isolated events become investigation context.

In Kaseya SIEM, correlation connects related activity across endpoints, network infrastructure, and cloud services so you can review it as part of a unified pattern instead of manually assembling it from separate logs and tools.

For example, authentication failures, endpoint actions, and cloud access events may appear low‑risk individually. When correlated together, they can indicate a coordinated attack or compromised account.

What this means for you: correlation is reflected in how activity is grouped and presented for investigation, helping you see relationships and timelines more clearly at the start of triage.

This same correlation logic is extended across SaaS, endpoint, and network activity in Cross‑domain correlation, where related signals from different environments are reviewed together during investigation.

Alerting (from events to alerts): turning correlation into an investigation entry point

When correlated activity meets defined conditions or thresholds, Kaseya SIEM generates alerts.

Alerts are designed to represent combined signals rather than individual events, which supports prioritization during investigation. Alert context may include information about affected users, devices, or services to help you assess scope and potential impact earlier in the investigation.

What this means for you: alerts are meant to be the starting point for investigation, not a raw event stream. Investigation workflows build on alert context rather than replacing it.
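The following is an added, self-contained illustration of the normalization, correlation, and alerting steps described above. It is not Kaseya SIEM code and does not reflect Kaseya's internal schema or rule syntax; the sample log lines, the field names, the identity-mapping rule, and the detection chain (repeated authentication failures, then a success, then encoded PowerShell on the user's workstation, then a cloud login from the same source IP) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data) from three domains.
NETWORK_SYSLOG = [
    "2024-05-01T10:00:05Z vpn-gw sshd[1201]: Failed password for alice from 203.0.113.7 port 51022",
    "2024-05-01T10:00:09Z vpn-gw sshd[1201]: Failed password for alice from 203.0.113.7 port 51023",
    "2024-05-01T10:00:14Z vpn-gw sshd[1201]: Accepted password for alice from 203.0.113.7 port 51024",
    "2024-05-01T10:20:00Z vpn-gw sshd[1300]: Failed password for bob from 198.51.100.9 port 40000",
]
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T10:03:30Z", "host": "WS-ALICE", "username": "CORP\\alice",
     "event": "process_start", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]
CLOUD_AUDIT = [
    {"eventTime": "2024-05-01T10:06:02Z", "actor": {"email": "alice@example.com"},
     "sourceIPAddress": "203.0.113.7", "eventName": "ConsoleLogin"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(s):
    # All sample timestamps are already UTC ('Z'); real sources need tz conversion here.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def canonical_user(raw):
    # Assumed identity mapping: strip a 'DOMAIN\' prefix or '@domain' suffix.
    # A real deployment would resolve these against a directory instead.
    return raw.split("\\")[-1].split("@")[0].lower()

# --- Normalization: three formats into one schema (time, source, host, user, src_ip, action)
def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"time": parse_ts(m["ts"]), "source": "network", "host": m["host"],
            "user": canonical_user(m["user"]), "src_ip": m["ip"],
            "action": "auth_failure" if m["result"] == "Failed" else "auth_success"}

def normalize_endpoint(ev):
    action = ev["event"]
    if ev["image"].lower() == "powershell.exe" and " -enc " in ev["cmdline"].lower():
        action = "encoded_powershell"
    return {"time": parse_ts(ev["ts"]), "source": "endpoint", "host": ev["host"],
            "user": canonical_user(ev["username"]), "src_ip": None, "action": action}

def normalize_cloud(ev):
    return {"time": parse_ts(ev["eventTime"]), "source": "cloud", "host": None,
            "user": canonical_user(ev["actor"]["email"]),
            "src_ip": ev["sourceIPAddress"],
            "action": "cloud_login" if ev["eventName"] == "ConsoleLogin" else ev["eventName"]}

def ingest():
    """Ingestion: pull every source into one time-ordered list of normalized events."""
    events = [normalize_syslog(l) for l in NETWORK_SYSLOG]
    events += [normalize_endpoint(e) for e in ENDPOINT_EVENTS]
    events += [normalize_cloud(e) for e in CLOUD_AUDIT]
    return sorted((e for e in events if e), key=lambda e: e["time"])

CHAIN = ("auth_failure", "auth_failure", "auth_success", "encoded_powershell", "cloud_login")

def _in_order(actions, sequence):
    # True if every action in `sequence` occurs in `actions`, in that order.
    pos = 0
    for a in sequence:
        try:
            pos = actions.index(a, pos) + 1
        except ValueError:
            return False
    return True

# --- Correlation + alerting: group by user, test the chain inside a sliding time window
def correlate(events, window_minutes=15):
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            if _in_order([e["action"] for e in chain], CHAIN):
                # One alert carrying the combined signal and the affected entities,
                # rather than five separate events for the analyst to stitch together.
                alerts.append({
                    "rule": "brute_force_then_endpoint_exec_then_cloud_access",
                    "severity": "high",
                    "user": user,
                    "hosts": sorted({e["host"] for e in chain if e["host"]}),
                    "src_ips": sorted({e["src_ip"] for e in chain if e["src_ip"]}),
                    "timeline": [(e["time"].isoformat(), e["source"], e["action"]) for e in chain],
                })
                break  # fire once per user; do not re-alert on every sub-window
    return alerts

if __name__ == "__main__":
    for alert in correlate(ingest()):
        print(alert)
```

Running it yields a single high-severity alert for `alice` whose timeline spans the VPN gateway, the workstation, and the cloud login; `bob`, with one isolated failure, produces nothing. Shrinking the window (for example `correlate(ingest(), window_minutes=3)`) drops the endpoint and cloud events out of the chain and the alert disappears, which is the practical reason correlation windows and identity mapping need tuning per environment.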

How alerts are reviewed, validated, and prioritized during daily operations is covered in Working with alerts.

Reporting and visibility: understanding outcomes and trends over time

Kaseya SIEM provides reporting and visibility into security activity to support operational needs and audit/compliance requirements. Reporting helps you review trends, assess investigation outcomes, and generate evidence for governance and compliance workflows.

Integrating endpoint, network, and cloud security

Modern security incidents rarely remain confined to a single domain. Attacks may begin on an endpoint, move through network infrastructure, and ultimately impact cloud services.

Kaseya SIEM acts as a unifying layer by bringing together telemetry from:

  • Endpoint security: process execution, file activity, and user logins

  • Network security: authentication events, access patterns, and lateral movement

  • Cloud security: SaaS activity, API usage, and configuration changes

By normalizing and correlating data across these domains, Kaseya SIEM helps you follow activity across an end‑to‑end path that would otherwise appear fragmented across separate tools. This cross‑domain visibility is a key enabler for investigation‑driven decisions.

From detection to response: where investigation leads

Kaseya SIEM supports investigation and decision‑making by providing context across users, devices, and services. Response actions may be manual or automated depending on enabled products, integrations, and how your rules are configured. How response logic is structured and executed is explained in Creating Respond rules and Respond actions, which build on investigation outcomes rather than replacing them.

Rather than responding to isolated alerts, you can review correlated activity and understand how events relate to one another before taking action. This keeps response decisions grounded in investigation context rather than in single signals.

This investigation‑first flow is formalized in Detect > Investigate > Respond lifecycle, which describes how detection, investigation, and response stages relate to one another.

What this means in practice

By correlating activity across endpoints, network infrastructure, and cloud services, Kaseya SIEM supports investigation by bringing related activity together to help you understand what happened, assess impact, and decide how to respond. More detailed examples of investigation workflows, response behavior, and reporting outcomes are covered in later sections of this documentation.
