Unify in Kaseya MDR

Unify is a correlation capability used by Kaseya MDR to associate identity, device, and activity data across connected platforms and help determine whether observed activity can be associated with a known device tied to a specific account.

You may encounter Unify context across multiple Kaseya products. Depending on your environment, device‑to‑account associations may originate from connected platforms that provide identity, SaaS activity, or device telemetry, and then be surfaced within Kaseya MDR to support investigation.

In Kaseya MDR, Unify works by comparing metadata from multiple sources, including identity data, device visibility, and activity observed across connected platforms. By evaluating this data together, Unify assesses whether the activity and the device are likely related. Rather than making binary decisions, Unify produces a confidence score that reflects how strongly the available signals support a device‑to‑account association.

When sufficient correlation data exists, Unify helps analysts answer investigative questions such as:

  • Did this activity occur on a known device associated with the account?

  • Is the observed activity consistent with the expected user, device, and access context?

  • Is there insufficient or ambiguous data, meaning the device should remain unmapped and be observed further?

Unify evaluates multiple signals over time rather than relying on a single indicator.

Unify does not make enforcement decisions in Kaseya MDR. Its role is to enrich investigation context with device and identity associations so analysts can better evaluate observed activity.

Unify role within Kaseya MDR

Unify acts as a correlation and context layer that complements detection, alerting, and investigation workflows.

Using metadata available from connected platforms, Unify evaluates whether activity can be confidently associated with a specific device and account. When sufficient correlation exists, Unify presents that relationship during investigation so analysts can review activity with greater clarity.

This association is informational only and does not change how events are ingested or evaluated. Unify itself does not enforce actions; however, other modules or workflows may use Unify-derived context as an input when determining how to prioritize or respond to activity.

How Unify works

Unify evaluates whether activity and device context are related by comparing metadata observed across connected platforms. Using available identity data, device visibility, and activity signals, Unify continuously assesses whether an association between an account and a device can be established.

These evaluations occur over time rather than at a single point. As environments change and additional activity is observed, association outcomes may strengthen, weaken, or remain unresolved. This allows Unify to operate effectively in environments where identifiers may be shared or ambiguous, such as corporate networks, VPNs, or standardized device configurations. In these scenarios, activity that appears normal in isolation may become notable when evaluated in the context of known device usage and identity relationships.

Unify uses multiple signals and confidence scoring to determine the strength of an association between a device and an account. Rather than relying on a single indicator, Unify evaluates patterns across available data to determine whether sufficient correlation exists.

When sufficient data is available, Unify may present account suggestions representing likely device‑to‑account associations. When data is limited or ambiguous, devices may remain unmapped until additional signals are observed.

Detailed information about correlation signals, confidence scoring, and suggestion behavior is described in the following sections.

Using Unify in Kaseya MDR with other Kaseya security products

When Kaseya MDR is used alongside other Kaseya security products, Unify context can be shared across those products to support investigation.

You may already be familiar with Unify through other Kaseya security products. In those products, Unify is used to establish trust at the source by correlating activity with known, managed devices.

When Kaseya MDR is used alongside other products, Unify‑derived context becomes available within SIEM investigations. Depending on which products are in use, this context may originate from SaaS Alerts, Kaseya MDR, or both.

IMPORTANT  Whether configuration and response actions are performed in Kaseya MDR or in an individual product depends on whether the organization is licensed for SIEM. Organizations without a SIEM license continue to be configured and managed directly in the originating product.

Regardless of the source, Unify provides user and device context as part of cross‑domain investigation in Kaseya MDR. Investigation and response workflows operate consistently, using available context without requiring different configuration paths based on product combinations.

When Unify becomes available

Before Unify can provide meaningful correlation context, required data sources must be connected and actively providing data.

In Kaseya MDR, this typically requires both identity data and device visibility. Identity data is obtained from connected platforms, while device data depends on endpoints that are onboarded and reporting to Kaseya MDR.

Until sufficient identity and device data are available, Unify may have limited ability to associate activity with specific devices and accounts. In these cases, devices may remain unmapped or have lower confidence scores.

As additional data is collected over time, Unify continuously reassesses available signals and may begin to establish associations automatically without further configuration.

Data sources used for Unify context

Unify derives device and account context from data provided by supported integrated platforms connected to Kaseya MDR. This may include device inventory, identity attributes, and access‑related metadata originating from endpoint, security, and management tools.

In Kaseya MDR, Unify context depends on the availability of both identity data and device visibility. This typically includes identity data from connected platforms (such as directory or access providers) and device data from endpoints that are visible to Kaseya MDR.

If device data is not available (for example, if endpoints are not onboarded or agents are not deployed), or if identity data is limited, Unify may not be able to establish associations or may produce lower confidence results.

The specific data sources available depend on the integrations and configurations in your environment.

Correlation signals and confidence scoring

Unify evaluates multiple data points when associating activity with a device and account by comparing metadata observed across connected platforms. Common signals can include network attributes (such as public IP), device identifiers (such as device name or hostname), and identity-related attributes (such as recently observed user information), along with platform-specific metadata where available.

Based on the strength of matching signals, Unify assigns a confidence score indicating how likely it is that the activity occurred on the associated device.

Higher confidence scores indicate stronger correlation across multiple signals. Lower scores indicate partial or ambiguous matches that may require review.

Confidence scoring affects association decisions only and does not influence alert severity or detection outcomes directly. Other workflows may optionally use this context as an input when determining response behavior.

NOTE  Confidence scores reflect observed correlation based on available data. They are recalculated as new activity is observed and do not expire or decay automatically.

Understanding confidence scores and suggestions

Confidence scores represent the likelihood that observed activity is associated with a specific device based on available data. These scores are probabilistic rather than definitive.

Unify may present account suggestions when sufficient data exists to propose likely associations. A higher confidence score indicates stronger correlation, while lower scores indicate weaker or incomplete matches.

When Unify does not have enough data to meet the confidence threshold for suggestions, it may display No Suggestions. This does not indicate an error or misconfiguration, only that insufficient matching data is currently available.

As additional activity is observed and more correlation signals become available, suggestions may appear automatically without configuration changes.

Shared or ambiguous infrastructure

In environments where devices share common characteristics, such as standardized OS images, shared IP addresses, VPNs, or centralized networks, traditional correlation signals may be insufficient.

Where supported by integrated platforms, Unify can incorporate unique device identifiers (for example, Microsoft Entra device ID or similar identifiers provided by identity platforms) to improve correlation accuracy and reduce incorrect associations in shared or homogeneous environments.

Prerequisites for effective Unify association

For Unify to associate activity with devices and accounts, the following conditions must be met:

  • Relevant data sources are connected and actively providing telemetry

  • Organizations are correctly aligned across integrated platforms

  • Devices are visible to Kaseya MDR through supported integrations

  • Sufficient identity and device metadata exists to support correlation

If these conditions are not met, devices may appear unmapped or have lower confidence scores until additional data becomes available.

Investigation context and practical impact

During investigation, Unify enables analysts to:

  • Review whether activity occurred on a known managed device

  • Understand user‑to‑device relationships across platforms

  • Identify activity that appears legitimate but did not originate from an expected device

  • Highlight activity that would otherwise appear low‑risk

This context is especially valuable when reviewing token misuse, credential abuse, or access that bypasses interactive authentication.

For example, a successful login may appear consistent with expected user activity and location, such as access originating from Cauquenes, Chile. When evaluated with Unify context, the same activity may be identified as originating from a device that is not associated with the account. This additional context can highlight activity that would otherwise appear low risk and support further investigation.

Where to access Unify in the UI

Once required data sources are connected, the Unify experience is available directly from the Kaseya MDR interface:

  1. From the side navigation menu, click Unify.

  2. Within the Unify module, you can access the following views:

  • Unify > Unmapped Devices: Review devices that are not yet confidently associated with an account

  • Unify > Mapped Devices: Review devices that have been confidently associated with one or more accounts

  • Unify > Ignored Devices: Review devices that have been explicitly excluded from correlation

  • Unify > Automation: Configure optional mapping and unmapping automation

These views are read‑only until relevant data sources are connected.

Unify association lifecycle

Unify association behavior follows a consistent lifecycle:

Observation and evaluation

Unify observes device, identity, and activity metadata from connected platforms. Using available signals, Unify evaluates whether a device can be confidently associated with an account:

  • If confidence meets the configured threshold, the device becomes eligible for mapping.

  • If confidence is insufficient or ambiguous, the device remains unmapped.

Mapping

When mapping conditions are met, either through automation or manual action, Unify creates a device‑to‑account association:

  • Mapped status reflects current correlation confidence.

  • Mappings provide investigation context only and may change as new data is observed.

Device correlation (propagation layer)

Device correlation evaluates whether multiple devices are logically equivalent based on shared metadata.

When enabled:

  • A mapping applied to one device can propagate to all correlated devices.

  • An unmapping action applied to one device can propagate to all correlated devices.

Device Correlation does not create mappings by itself; it synchronizes outcomes produced by mapping and unmapping rules.

Unmapping

Unify may remove mappings automatically when configured unmapping conditions are met, such as:

  • Confidence for the mapped account drops below the defined threshold.

  • The device has not checked in within the defined time window.

  • A correlated device triggers a propagated unmapping action.

Unmapping returns the device to an unmapped state unless the device is explicitly ignored.

Ignored state (explicit exclusion)

If a device is ignored, it is removed from the association lifecycle entirely.

  • No correlation is performed

  • No mapping or unmapping occurs

  • Device Correlation does not apply

Ignoring a device is an administrative decision and can be reversed.

Together, these components ensure Unify maintains accurate, consistent investigation context as environments and data change.

Unify views and device states

Unify presents device association status through dedicated views. These views are designed to support review and judgment, not to indicate errors.

The Unmapped Devices tab lists devices for which Unify does not currently have enough correlation data to associate the device with a specific account.

Devices appear here when Unify has observed activity, but the available signals do not meet the configured confidence threshold required to create an association.

Unmapped devices are not errors and do not indicate misconfiguration by default. They reflect the current state of observed data and correlation confidence.

What it means when a device is unmapped

A device may appear as unmapped for several reasons, including:

  • Insufficient identity or device metadata

  • New or recently observed devices

  • Shared or ambiguous environments (for example, VPNs, shared IPs, or standardized images)

  • Correlation signals that do not exceed the required confidence threshold

  • Device data that exists but cannot yet be reliably matched to a single account

In many environments, leaving a device unmapped is expected and may be sufficient until stronger correlation signals are observed.

As additional activity is observed and more correlation signals become available, unmapped devices may become eligible for association automatically.

Reviewing unmapped devices

To view unmapped devices:

  1. Navigate to Unify from the side navigation menu.

  2. Select the Unmapped Devices tab.

  3. Select the organization scope if applicable.

  4. Select Retrieve Unmapped Devices.

The table displays devices that currently do not have an accepted device‑to‑account association.

Columns in the Unmapped Devices view

Each row provides correlation context to help understand why the device is unmapped.

  • Device: The device identifier as reported by connected platforms. This may be a hostname, device name, or platform‑specific identifier.

  • Organization: The organization the device is associated with based on available integration data.

  • Recent Public IP(s): The most recently observed public IP address associated with the device, if available.

  • Product: The source platform providing device data (for example, endpoint, RMM, or security product).

  • Recent User(s): The most recently observed user associated with activity on the device, if available. If no consistent user has been observed, this field may display Not Provided.

  • Confidence: Displays the current confidence level assigned to potential associations. Not Provided indicates that Unify does not yet have sufficient correlation signals to calculate a meaningful confidence score.

  • Potential Accounts: Displays whether Unify has identified candidate accounts for association. No Suggestions indicates that available correlation data does not meet the confidence threshold required to propose an account. This does not indicate an error or missing configuration.

Filtering and sorting unmapped devices

The Unmapped Devices view supports filtering and sorting to help prioritize review.

  • Available filters may include:

  • Organization

  • Product

  • Recent user

  • Confidence score

You can also sort by confidence to review devices with the strongest (or weakest) potential correlation first.

Understanding “No Suggestions”

When No Suggestions appears in the Potential Accounts column, it means:

  • Unify evaluated available correlation signals

  • No account met the confidence threshold required to be proposed

  • The device remains unmapped until stronger signals exist

This state is normal in environments with limited recent activity, newly onboarded devices, and shared or non‑unique infrastructure pattern. Suggestions may appear automatically as additional activity is observed.

Manually reviewing account associations

From the Unmapped Devices table, you can open the Account Mapping panel for a device by clicking the pencil icon in the Potential Accounts column.

The Account Mapping panel displays:

  • Device details

  • Source product

  • Recent user activity

  • Available potential accounts and associated confidence values

This view allows you to review correlation results, but actual association behavior depends on the device’s automation mode and global automation settings.

Device automation modes

Each device operates under a defined automation mode, which determines how associations are handled.

Available modes include:

  • Fully Automatic: Unify automatically manages mapping, unmapping, and correlation updates based on confidence scoring

  • Append Only: Unify can add new associations but does not remove existing ones automatically

  • Lock Mappings: Existing associations are preserved and not modified automatically

  • Manual Only: Unify does not change mappings automatically for this device.

The automation mode affects association behavior only and does not influence detection or response.

Ignoring a device

From the Unmapped Devices view, you can choose to ignore a device.

Ignored devices are excluded from automated and manual association workflows. They do not contribute to Unify correlations and do not appear in mapped or unmapped association processing.

Ignoring a device is useful for test systems, non‑managed endpoints, and devices that should never participate in correlation.

Ignored devices can be reviewed later from the Ignored Devices tab.

When to take action vs. wait

In most cases, no immediate action is required for unmapped devices.

Recommended approach:

  • Monitor unmapped devices over time

  • Review devices with repeated activity but no correlation

  • Adjust confidence thresholds only after observing trends

  • Use automation and What If to preview changes before applying them

Unmapped devices often resolve automatically as Unify observes additional activity.

Device Correlation and Unmapped Devices

Unmapped devices may be affected by Device Correlation settings. When device correlation is enabled, Unify evaluates whether an unmapped device is equivalent to another device that already has an accepted association. If sufficient correlation confidence exists, mapping behavior may propagate automatically subject to global automation rules.

For more information on how Unify identifies similar devices and synchronizes association behavior, see Device Correlation.

Key takeaway

The Unmapped Devices tab provides visibility into devices that Unify cannot yet confidently associate with an account. This view exists to support transparency and review—not to indicate failure or misconfiguration.

Unmapped status reflects current correlation confidence and typically improves as more data becomes available.

The Mapped Devices tab lists devices that Unify has successfully associated with one or more accounts based on correlation signals and confidence scoring.

Devices appear in this view once Unify determines that available identity, device, and activity data meets the configured confidence threshold for association.

Mapped status indicates a current, accepted association, not permanent ownership.

What it means when a device is mapped

When a device is mapped:

  • Unify has correlated observed activity to a specific account with sufficient confidence

  • The association is available as contextual information during investigation

  • The association may be maintained or updated automatically, depending on automation settings

A mapped device does not imply:

  • That the association is immutable

  • That the device cannot later become unmapped

  • That detection or response behavior has changed

Unify associations remain informational and adaptive.

Viewing mapped devices

To view mapped devices:

  1. Navigate to Unify from the side navigation.

  2. Select Mapped Devices.

  3. Select an organization from the drop‑down list.

  4. Select Retrieve Mapped Devices.

Until an organization is selected, the table remains empty.

What you see in the Mapped Devices view

The Mapped Devices view focuses on confirmed associations, which is why fewer corrective actions are exposed compared to Unmapped Devices.

Each row represents:

  • A device

  • An associated account (or accounts, where supported)

  • A confidence‑based correlation outcome

This view is primarily used for verification and review, rather than remediation.

Relationship to confidence scoring

Mapped devices meet or exceed the minimum confidence threshold defined in Unify automation settings.

Confidence scores:

  • Reflect the strength of correlation signals at the time of evaluation

  • Are recalculated as new activity is observed

  • May increase or decrease over time as additional data becomes available

If confidence drops below the required threshold, a device may transition back to an unmapped state automatically.

Automation impact on mapped devices

How mapped devices are maintained depends on automation settings and device automation mode:

  • In Fully Automatic mode, Unify can update or remove mappings as correlation confidence changes

  • In Append Only or Lock Mappings modes, existing mappings are preserved according to the selected behavior

  • In Manual Only mode, mappings are not changed automatically.

Changes to global automation settings affect how mapped devices are evaluated going forward.

When to review mapped devices

Review mapped devices when you want to:

  • Validate that Unify is correlating devices as expected

  • Confirm account associations in high‑risk investigations

  • Spot unexpected associations early

  • Monitor environments with shared or changing infrastructure

Routine review helps ensure that Unify associations continue to reflect real usage patterns.

How Mapped Devices differs from Unmapped Devices

Mapped devices Unmapped devices
Association accepted No association yet
Confidence threshold met Confidence threshold not met
Used mainly for verification Used for analysis and decision‑making
Fewer corrective actions Review, ignore, or manual mapping options

For details on why devices remain unmapped and how to act on them, see Unmapped Devices.

Device Correlation and Mapped Devices

Mapped devices may be influenced by Device Correlation settings. When device correlation is enabled, Unify can propagate mapping and unmapping outcomes across devices it considers logically equivalent based on shared metadata. This helps maintain consistent associations when the same endpoint appears in multiple platforms.

For details on how device similarity is determined and how mapping outcomes propagate, see Device Correlation.

Key takeaway

The Mapped Devices tab provides visibility into device‑to‑account associations that Unify considers reliable based on observed data. These associations support investigation context and may evolve over time as environments change.

Mapped status reflects current confidence, not permanence.

The Ignored Devices tab lists devices that have been explicitly excluded from Unify association processing.

When a device is ignored, Unify no longer evaluates it for device‑to‑account correlation and does not attempt to map, unmap, or suggest associations for that device.

Ignoring a device is an intentional administrative action, not an automatic state.

What it means when a device is ignored

When a device is ignored:

  • Unify stops correlation and association processing for the device

  • The device does not appear in Mapped Devices or Unmapped Devices

  • No confidence scores or account suggestions are calculated

  • The device is excluded from automated and manual mapping workflows

Ignoring a device does not:

  • Remove the device from data ingestion

  • Suppress alerts

  • Change detection logic

  • Affect SOC response behavior

Ignore applies only to Unify context and association behavior.

Common reasons to ignore a device

Devices are typically ignored when they should not participate in identity correlation, such as:

  • Test or lab systems

  • Non‑managed endpoints

  • Jump boxes or shared infrastructure

  • Devices with intentionally ambiguous ownership

  • Systems that generate noise without meaningful user association

Ignoring these devices helps reduce unnecessary review and keeps Unify focused on relevant endpoints.

Viewing ignored devices

To view ignored devices:

  1. Navigate to Unify from the side navigation.

  2. Select Ignored Devices.

  3. Select the organization scope if applicable.

  4. Select Retrieve Ignored Devices.

The table displays all devices currently excluded from Unify association processing.

What you see in the Ignored Devices view

Each row represents a device that has been manually ignored.

Typical columns include:

  • Device: The device identifier as reported by connected platforms

  • Organization: The organization the device belongs to

  • Reason: If provided, the context or note associated with the ignore action

  • Last Action Time: When the device was ignored

This view is used primarily for audit and review, not ongoing analysis.

Removing a device from Ignored Devices

A device can be restored to normal Unify processing.

When you choose Remove from ignored:

  • The device becomes eligible for correlation again

  • It may reappear in Unmapped Devices initially

  • It may later transition to Mapped Devices, depending on confidence scoring and automation settings

Removing a device from ignored status does not guarantee immediate mapping.

Relationship to confidence scoring and automation

Ignored devices are excluded regardless of:

  • Confidence score thresholds

  • Automation settings

  • Device automation mode

Automation settings have no effect on ignored devices until they are restored.

Once restored, the device is evaluated according to current automation and confidence configuration.

Ignored Devices vs. Unmapped Devices

Ignored Devices Unmapped Devices
Explicitly excluded by admin Not excluded
No correlation performed Correlation attempted
No confidence score calculated Confidence score may be calculated
No account suggestions Suggestions may appear
Hidden from mapping workflows Actively visible for review

Ignoring a device is a final exclusion, whereas unmapped status is typically temporary and data‑driven.

When to use Ignore vs. Automation exclusions

Use Ignore device when a specific device should never participate in correlation. Use organization exclusions or automation rules when you want broader, reversible control.

Ignored Devices is the most restrictive Unify state.

Key takeaway

The Ignored Devices tab provides administrators with a way to permanently exclude devices from Unify association processing. This is useful for managing noise, special‑purpose systems, and non‑relevant endpoints.

Ignored status affects only Unify context behavior and does not impact detection, alerting, or response workflows.

How this now fits cleanly with the other tabs

  • Mapped Devices: Accepted association

  • Unmapped Devices: Association under evaluation

  • Ignored Devices: Explicit exclusion

Together, these three tabs describe the complete lifecycle of Unify device association.

The Automation tab controls how Unify automatically maps, maintains, and removes device‑to‑account associations over time. These settings determine when Unify creates associations, when it removes them, and how correlation confidence is enforced.

Automation settings are global by default, but individual devices can override these behaviors using device‑specific automation modes.

Unify > Automation

The Automation tab is divided into three sections:

  • Mapping

  • Unmapping

  • Device Correlation

Mapping

The Mapping tab controls when and how Unify creates new device‑to‑account associations automatically.

  • Automatically Map Devices: When enabled, Unify automatically creates device‑to‑account mappings once correlation confidence meets the defined threshold.

    • Applies to devices operating in Fully Automatic mode

    • Uses correlation signals and confidence scoring

    • Does not affect manual or locked devices

    Disabling this option prevents new automated mappings from being created but does not remove existing mappings.

  • Map devices for all organizations: Controls the scope of automated mapping.

    • When enabled, Unify attempts to apply mapping automation across all organizations

    • When disabled, mapping is limited to manually selected organizations

  • Exclude these organization(s): Allows specific organizations to be excluded from automated mapping behavior.

    Excluded organizations:

    • Do not receive automated mappings

    • Continue to appear in Unmapped Devices if correlation data exists

    • Can still be reviewed manually

This is commonly used for test tenants, environments with incomplete integrations, or organizations with atypical infrastructure.

  • Account Mapping Settings: Controls how accounts are selected once confidence thresholds are met.

    Available options include:

    • Single devices

      • Map the highest account over confidence score: Maps the account with the strongest correlation

      • Map account if it is the only account over confidence score: Prevents mapping when multiple accounts exceed the threshold.

    • Shared devices

      • Map all accounts over confidence score: Where supported, this allows multiple accounts to be associated with a single device for environments where devices are intentionally shared.

Availability of shared-device behavior may depend on product version, tenant configuration, and connected data sources.

These settings affect association logic only, not alerting or response.

  • Minimum confidence score: Defines the minimum correlation confidence required before Unify creates a mapping.

  • Higher values reduce incorrect associations

  • Lower values increase coverage but may require review

Confidence scores are evaluated dynamically and recalculated as new activity is observed.

Alerts for automated mappings

These settings control informational alerts generated when automated mappings occur.

  • Alert priority for automated mappings: Low or Medium

    • Medium can generate a ticket in a PSA

    • Low logs the alert without escalation

  • Create alert against:

    • The MSP, or

    • The corresponding organization

  • Send one alert per:

    • Organization, or

    • Device

These alerts are not security incidents and exist to provide visibility into automation behavior.

  • Map RMM(s) Organizations: Controls how organizations discovered through connected RMM platforms are mapped.

When enabled:

  • Existing and new RMM organizations are automatically mapped if the organization name matches exactly (including case, punctuation, and spacing)

  • Reduces the need for manual organization mapping

  • Allows Unify device suggestions to begin populating immediately

This setting affects organization alignment, not device ownership or movement.

Unmapping

The Unmapping section controls when Unify removes existing device‑to‑account associations automatically.

  • Automatically Unmap Devices: When enabled, Unify evaluates existing mappings and removes them when configured conditions are met. This applies only to devices operating in Fully Automatic mode.

  • Unmap Manually Mapped Accounts: When enabled, Unify can remove mappings that were created manually if later correlation data no longer supports the association. This helps keep mappings accurate over time as environments change.

  • Unmap if device has not checked in within: Specifies how long a device can remain inactive before its mapping is removed. Available intervals include:

    • 30 days

    • 60 days

    • 90 days

    • 120 days

    • 180 days

    • 1 year

    This is commonly used to clean up mappings for dormant or retired devices.

  • Add device to Ignore List when unmapping due to check‑in date

    When enabled:

    • Devices that are unmapped due to inactivity are automatically added to Ignored Devices

    • Prevents repeated mapping/unmapping cycles

    • Reduces noise in Unmapped Devices

    This setting is useful in environments with frequent device churn.

  • Unmap if confidence score for mapped account drops below:

    • Defines the confidence threshold below which an existing mapping is removed.

    • Ensures that mappings remain supported by current data

    • Helps prevent outdated or incorrect associations from persisting

Unmapping due to confidence drop does not imply malicious activity.

  • Alerts for automated unmappings

    • Controls alerts generated when Unify removes mappings automatically

    • Options mirror mapping alerts:

      • Priority (Low / Medium)

      • Alert target (MSP or organization)

      • Grouping per organization or device

      These alerts provide change visibility, not incident notification.

    Device Correlation

    The Device Correlation section controls how Unify identifies and treats multiple devices as logically equivalent based on shared metadata. Device correlation allows Unify to synchronize association behavior across devices that are likely the same physical endpoint observed through different platforms or data sources.

    Device correlation affects association consistency, not detection, alerting, or response behavior.

    NOTE  These are global settings. Devices in Manual Only mode are not affected by device correlation rules.

    What device correlation does

    Device correlation determines whether two or more devices are considered equivalent.

    Device‑to‑account mapping determines which account those devices are associated with.

    When device correlation is enabled, Unify can propagate mapping and unmapping outcomes across all devices it considers equivalent.

    Device correlation:

    • Synchronizes association outcomes across similar devices

    • Reduces duplicated mapping effort

    • Improves consistency when the same endpoint appears in multiple systems

    Device correlation does not:

    • Merge devices into a single record

    • Move devices between organizations

    • Change detection logic or alert severity

    • Trigger response actions

    How device similarity is determined

    Unify evaluates available device metadata to identify devices that are likely the same endpoint. This may include matching attributes such as:

    • MAC address

    • Serial number

    • Internal IP address

    When sufficient matching metadata exists and confidence meets the defined threshold, Unify considers the devices correlated.

    • Map similar devices to the same account(s): When enabled, Unify synchronizes mappings across correlated devices.

      If a device is mapped to an account, the same account mapping can be applied to all correlated devices. Mapping behavior still respects global automation rules and confidence thresholds.

      This setting helps maintain consistent identity context when a single endpoint is observed across multiple platforms. This option affects mapping propagation only and does not create associations independently of confidence scoring.

    • Unmap Device Correlated Mapped Accounts: When enabled, unmapping actions propagate across correlated devices. f an account mapping is removed for one device, the same mapping is removed from all correlated devices.This ensures that outdated or incorrect associations do not persist across equivalent endpoints.

      This setting is especially useful in environments where device ownership or usage changes over time.

    • Minimum device detection confidence: The minimum device detection confidence defines how strongly Unify must correlate metadata before treating devices as equivalent.

      • Higher values require stronger similarity signals and reduce incorrect correlation.

      • Lower values increase correlation coverage but may introduce ambiguity.

      This threshold applies only to device correlation, not to device‑to‑account mapping confidence. Correlation confidence is recalculated as new device metadata is observed.

    Relationship to mapping and unmapping automation

    Device correlation does not replace mapping or unmapping rules. Instead, it extends their impact.

    When correlation is enabled:

    • Mapping outcomes can propagate across correlated devices.

    • Unmapping outcomes can propagate across correlated devices.

    If correlation is disabled:

    • Devices are evaluated independently.

    • Mapping and unmapping apply only to the individual device.

    Relationship to alert settings

    Alert settings shown alongside Device Correlation apply to automated mapping and unmapping behavior overall. They are not specific to correlation logic.

    These settings determine:

    • Alert priority (Low or Medium)

    • Whether alerts are created against the MSP or the corresponding organization

    • Whether alerts are grouped per organization or per device

    Alerts generated due to device correlation propagation are informational only and do not indicate security incidents.

    When to enable device correlation

    Device correlation is recommended when:

    • The same endpoint is represented in multiple tools.

    • RMM, endpoint, and security platforms observe the same device independently.

    • Manual mapping effort needs to be reduced.

    • Consistent identity context across systems is required.

    It may be less appropriate in environments with:

    • Highly shared infrastructure

    • Non‑unique or unreliable device identifiers

    • Intentionally separate representations of similar systems

    Key takeaway

    The Device Correlation tab controls how Unify recognizes and treats equivalent devices across platforms. By synchronizing mapping and unmapping behavior, device correlation improves consistency and reduces administrative overhead while preserving Unify’s role as a context‑only feature.

    Device correlation impacts how associations propagate, not whether activity is detected or acted upon.

Related articles