IOC‑driven detection model

In Kaseya SIEM, detections can be driven by Indicators of Compromise (IOCs), observable artifacts that may indicate malicious or suspicious activity.

This article explains how IOC‑driven detection fits into the Kaseya SIEM detection model, what role IOCs play in generating alerts, and how IOC‑based detections are reflected during investigation. It focuses on system behavior and investigation context rather than configuration or rule setup.

This detection approach builds on Kaseya SIEM’s correlation‑first investigation model, where alerts are generated based on related activity rather than isolated signals, as described in Alert‑centric vs event‑centric security.

What an IOC represents in Kaseya SIEM

An Indicator of Compromise (IOC) is a known signal associated with malicious or risky behavior, such as a suspicious IP address, domain, file hash, or behavioral pattern.

In Kaseya SIEM, IOCs are used as detection inputs, not as standalone alerts by default. For details on how IOC rules are defined, evaluated, and managed in the product, see Indicators of compromise, which covers IOC rule behavior and configuration in depth.

An IOC becomes meaningful when it is evaluated in context with related activity.

This means:

  • Seeing an IOC match does not automatically imply a confirmed security threat

  • IOC matches are assessed alongside other signals before alerts are generated

This design helps ensure that threat intelligence informs investigation without forcing response decisions based on a single indicator.

How IOC‑driven detection works conceptually

IOC‑driven detection in Kaseya SIEM follows a detection‑first, correlation‑aware model:

  • Security telemetry is evaluated against known IOCs

  • IOC matches are considered alongside related activity

  • Correlation determines whether the combined signals represent a condition worth alerting on

IOCs help identify what to look for, while correlation helps determine whether it matters in context. This mirrors how Kaseya SIEM processes and correlates security data before surfacing alerts for investigation.

Where IOC‑driven detection appears in the experience

IOC‑driven detection is reflected in how alerts and investigations are constructed:

  • Alerts may reference activity associated with known indicators

  • Investigations may include IOC‑related signals alongside other contextual data

  • Timelines may show IOC matches as part of broader activity sequences

IOC information is presented as supporting evidence, not as isolated findings.

What this means for you: IOC matches help explain why an alert was generated, but they are rarely the only reason an alert exists. During investigation, IOCs provide additional context about known threats, confirmation signals when combined with behavior, and clues about intent or threat type. This helps you focus on understanding the overall security condition rather than reacting to a single indicator in isolation.

IOC‑driven detection vs event‑driven detection

IOC‑driven detection is different from purely event‑driven detection:

  • Event‑driven models focus on individual actions

  • IOC‑driven models evaluate known indicators in context

  • Kaseya SIEM combines IOC matching with correlation before alerting

This approach is intended to reduce false positives while still benefiting from threat intelligence.

How IOC‑driven detection supports cross‑domain visibility

IOCs are not limited to a single domain. The same indicator may appear in:

  • Endpoint activity

  • Network traffic

  • SaaS or cloud access

Kaseya SIEM evaluates IOC matches across domains, allowing indicators to contribute to cross‑domain investigations rather than triggering disconnected alerts. This behavior aligns with the broader Cross‑domain correlation model, where related activity from different environments is reviewed together during investigation.
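The detection-first, correlation-aware flow described under "How IOC-driven detection works conceptually" and the cross-domain evaluation described here can be illustrated with a small Python sketch. This is an added example, not Kaseya SIEM code; the IOC values, hosts, event schema, 300-second session window and two-domain corroboration threshold are all constructed assumptions. It shows an IOC match being kept as a detection input and only becoming an alert once related activity from more than one domain corroborates it.

```python
from collections import defaultdict

# Constructed sample IOC set (placeholder values from documentation ranges, not real intel).
IOCS = {
    "ip": {"203.0.113.45"},
    "sha256": {"ab" * 32},
}

# Constructed telemetry from three domains for two hosts (ts is seconds).
EVENTS = [
    {"ts": 100, "host": "ws-01", "domain": "endpoint", "type": "process_start", "sha256": "ab" * 32},
    {"ts": 130, "host": "ws-01", "domain": "network", "type": "outbound_conn", "dst_ip": "203.0.113.45"},
    {"ts": 150, "host": "ws-01", "domain": "saas", "type": "login", "user": "alice", "src_ip": "203.0.113.45"},
    {"ts": 900, "host": "ws-02", "domain": "network", "type": "outbound_conn", "dst_ip": "203.0.113.45"},
]

def ioc_matches(event):
    """Return the IOC types an event matches. A match is a detection input, not an alert."""
    hits = []
    if event.get("sha256") in IOCS["sha256"]:
        hits.append("sha256")
    if event.get("dst_ip") in IOCS["ip"] or event.get("src_ip") in IOCS["ip"]:
        hits.append("ip")
    return hits

def correlate(events, window=300, min_domains=2):
    """Sessionize events per host (a gap > window starts a new session) and alert only when
    IOC matches are corroborated by activity from >= min_domains domains; lone matches are
    returned separately as investigation context rather than as alerts."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts, uncorroborated = [], []
    for host, evs in by_host.items():
        sessions, current = [], [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] > window:
                sessions.append(current)
                current = [e]
            else:
                current.append(e)
        sessions.append(current)
        for s in sessions:
            hit_types = sorted({t for e in s for t in ioc_matches(e)})
            if not hit_types:
                continue  # no IOC signal in this session; nothing to correlate
            domains = sorted({e["domain"] for e in s})
            record = {"host": host, "ioc_types": hit_types, "domains": domains, "events": len(s)}
            (alerts if len(domains) >= min_domains else uncorroborated).append(record)
    return {"alerts": alerts, "uncorroborated": uncorroborated}
```

Running `correlate(EVENTS)` yields one alert for ws-01 (endpoint, network and SaaS activity around the same indicators) and leaves the lone ws-02 connection as an uncorroborated match for an analyst to review in context.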

When IOC‑driven detection is most valuable

IOC‑driven detection is especially useful when:

  • Investigating known threat campaigns

  • Validating suspicious behavior against threat intelligence

  • Supporting incident response or forensic review

  • Explaining why an alert represents known risk

In these cases, IOCs provide supporting evidence without replacing broader investigation logic or decision-making.

Related articles

The following articles build on this model and show how IOC‑driven detection is used during investigation and response: