SaaS and cloud sources
This article explains how SaaS and cloud services function as data sources in Kaseya SIEM, where their activity becomes visible in the user interface, and how SaaS and cloud telemetry differs from endpoint or network data.
Use this article to understand how application‑level and cloud activity appears in alerts and investigations, not how individual SaaS integrations are configured or authenticated.
This article explains:
- What SaaS and cloud sources represent in Kaseya SIEM
- How SaaS and cloud services are associated with an organization
- Where SaaS and cloud activity appears in the UI
- What types of telemetry these sources contribute
- How to tell, based on UI behavior, that SaaS and cloud ingestion is working
What are SaaS and cloud sources?
SaaS and cloud sources are services that generate telemetry through APIs or service‑level integrations rather than through agents or log forwarding.
These sources typically include:
- SaaS applications that record user activity and configuration changes
- Cloud services that emit security‑relevant or audit events
- Application‑level activity that does not run on customer‑managed hosts
Unlike endpoints or network devices, SaaS and cloud sources do not represent individual systems. Instead, they represent activity occurring within an application or service.
How SaaS and cloud sources are connected
SaaS and cloud sources are connected by associating an application or integration that represents the service with an organization.
Depending on the workflow used:
- An application may be added from within an organization
- An integration may be created from Settings and mapped to an organization
Once connected, the service begins providing telemetry for the associated organization. There is no agent deployment and no host‑level installation.
Detailed connection steps, permissions, and data scope for individual SaaS or cloud services are documented in their corresponding integration‑specific articles.
Where SaaS and cloud activity appears in the UI
SaaS and cloud sources do not appear as endpoints, systems, or devices.
Instead, their presence is reflected through application‑level activity surfaced in alerts and investigations.
You will see SaaS and cloud activity in the following places:
- Alert details: Alert details may include application context, user activity, or service‑level events originating from SaaS or cloud sources.
- Analysis > Investigation results: Related activity across SaaS, endpoints, network, and other sources is correlated and displayed during investigation.
- Applications tab (organization view): Connected SaaS and cloud services are visible as applications associated with the organization.
SaaS and cloud visibility in Kaseya SIEM is activity‑driven. The service itself does not appear as a host or asset.
How SaaS and cloud sources differ from other data sources
SaaS and cloud sources differ from endpoint and network sources in several important ways:
- They do not generate host‑based telemetry
- They do not appear as systems or infrastructure
- Their activity is tied to users, configurations, and service actions rather than processes or files
For this reason, SaaS and cloud activity is surfaced through alerts and investigations, not through a system or device inventory.
SaaS and cloud sources commonly contribute:
- User activity and authentication events
- Administrative or configuration changes
- Application‑level security signals
- Service‑specific behavior relevant to investigation
This telemetry is correlated with:
- Endpoint activity
- Network and syslog data
- Other application sources
Correlation allows investigations to follow activity across domains, even when no endpoint is directly involved.
What you will see when SaaS and cloud ingestion is working
When SaaS and cloud ingestion is functioning correctly:
- Alerts begin surfacing application‑ or user‑level activity
- SaaS and cloud context appears in investigation results
- Activity from these services can be correlated with other data sources
There may not be a continuous event stream visible to users. Successful ingestion is reflected through alerted activity and investigation context, rather than raw event listings.
Relationship to other data source workflows
SaaS and cloud sources fit into the overall ingestion model as follows:
- Connecting data sources and integrations explains how SaaS services are associated with organizations
- Endpoint and infrastructure sources explains agent‑based systems
- Network and syslog ingestion explains log‑based infrastructure sources
- Configuring application behavior explains how ingested data is evaluated and tuned
Each data source category contributes a different layer of visibility.
Key takeaway
SaaS and cloud sources provide visibility into application‑level and service‑level activity in Kaseya SIEM. Their presence is reflected through alerts, investigations, and application context rather than through hosts, agents, or infrastructure inventories.
Integration‑specific setup articles
The following articles provide step‑by‑step instructions, permissions, and authorization details for connecting individual SaaS and cloud services.
These articles focus on how to complete the connection, not on how SaaS telemetry behaves once ingested.
Examples include:
- Connecting Google Workspace to Kaseya SIEM
Use these articles after you understand how SaaS and cloud activity appears in Kaseya SIEM and where it becomes visible for investigation.