When to use Kaseya SIEM

Kaseya SIEM is designed for situations where visibility in a single tool or isolated domain is not enough, and you need to understand how activity across endpoints, infrastructure, and cloud services fits together.

This article explains when Kaseya SIEM becomes the right place to investigate security activity, especially when context across systems is required.

Use Kaseya SIEM when investigation requires correlation and context

Use Kaseya SIEM when security activity spans multiple domains and needs to be investigated together. Rather than reviewing endpoint, SaaS, or infrastructure data in isolation, Kaseya SIEM brings related telemetry into a single investigation context.

By correlating activity across systems, Kaseya SIEM helps investigators understand how related events fit together, instead of working through large volumes of isolated logs or alerts.

Kaseya SIEM is especially useful when:

  • Activity begins in one area (such as a SaaS login) and continues elsewhere (such as endpoint or network access)

  • You need to trace behavior across users, devices, and services

  • Individual alerts are not meaningful on their own but become relevant when correlated

Use Kaseya SIEM with or without other security products

Kaseya SIEM does not require Kaseya MDR or SaaS Alerts to be useful.

You can use Kaseya SIEM on its own to ingest and analyze telemetry from supported data sources and investigate correlated security activity. When used alongside other Kaseya security products, Kaseya SIEM provides broader context and deeper correlation, but it does not depend on them to function.

How signals and investigations differ across deployment scenarios

| Deployment scenario | Do you get signals and alerts in Kaseya SIEM? | What Kaseya SIEM provides |
|---|---|---|
| Kaseya SIEM only | Yes | Ingestion from supported data sources, correlation across domains, alerts based on correlated activity, and centralized investigation, with SOC‑assisted investigation and response supported |
| Kaseya SIEM + Kaseya MDR | Yes | All SIEM capabilities, with the SOC assuming management of detections and SOC‑led investigation and response for covered endpoint and infrastructure activity |
| Kaseya SIEM + SaaS Alerts | Yes | All SIEM capabilities, with SaaS‑specific detections and SaaS activity context |
| Kaseya SIEM + Kaseya MDR + SaaS Alerts | Yes | The broadest set of signals, correlation, and centralized investigation across endpoint, infrastructure, and SaaS activity |

SIEM expands ingestion and investigation capabilities beyond what Kaseya MDR or SaaS Alerts provide on their own, rather than acting only as a viewer for those products. For a detailed explanation of how these products relate and when it makes sense to combine them, see How Kaseya SIEM fits with Kaseya MDR and SaaS Alerts.

Use Kaseya SIEM for investigation and response workflows

Kaseya SIEM supports both manual investigation and automation. It enables consistent response workflows once investigation patterns are established.

Use Kaseya SIEM to:

  • Investigate activity across multiple sources before taking action

  • Apply automation based on correlated signals rather than single events

  • Support consistent response workflows as part of ongoing security operations

Response behavior depends on configuration, connected data sources, and defined workflows.
