Integrating Datto EDR with Kaseya MDR

This article explains how to connect Datto EDR to Kaseya MDR, how organizations are mapped during setup, and how Datto EDR activity becomes available for investigation and correlation.

Use this article to understand how Datto EDR is connected once at the partner level and then mapped to customer organizations during onboarding. This article does not describe detection logic, response actions, SOC workflows, or Datto EDR administration beyond API access.

How Datto EDR integration works in Kaseya MDR

Datto EDR is an MSP‑managed endpoint security platform. When connected to Kaseya MDR, Datto EDR provides endpoint activity that can be associated with one or more organizations for investigation and correlation.

Datto EDR is not connected separately for each customer. Instead:

  • Datto EDR is connected once, at the partner level.

  • Customer onboarding is handled through organization mapping.

  • Mapping determines where Datto EDR activity is visible in Kaseya MDR.

Kaseya MDR observes Datto EDR–generated activity. It does not manage Datto EDR policies, agents, or enforcement settings.

Entry points for connecting Datto EDR

Datto EDR can be connected to Kaseya MDR from either of the following entry points:

  • Settings > Integrations > Datto EDR

  • Organizations > Edit organization > Applications > + New application > Datto EDR

Both entry points use the same Datto EDR connection workflow and organization‑mapping steps. If a Datto EDR connection already exists, Kaseya MDR may prevent creating an additional connection and instead expects you to manage organization mapping within the existing connection.

Central (integration‑level) entry point

When you start from Settings > Integrations, you are typically working at a platform or MSP level. This entry point is used to:

  • Define or manage the single Datto EDR connection

  • Update credentials for the existing Datto EDR connection

  • Manage organization mapping within that connection

If you start here, you may be probably asking: How is Datto EDR connected to SIEM at the partner level?

Organization‑specific entry point

When users start from Organization > Edit organization > Applications, they are typically onboarding or updating a specific customer organization. This entry point is used to:

  • Confirm that the customer organization is mapped to Datto EDR

  • Add or update organization mapping as part of customer onboarding

This entry point does not create a new Datto EDR integration. It associates the selected organization with the existing partner‑level Datto EDR connection.

Users starting here are usually asking: Is Datto EDR mapped and active for this customer?

Important: Single Datto EDR connection (partner‑level)

Kaseya MDR supports a single active Datto EDR connection.

If a Datto EDR connection already exists, attempting to connect the same Datto EDR instance again can result in duplicate events and alerts. For this reason:

  • Datto EDR should be connected only once, at the partner level.

  • Do not create a new Datto EDR integration for each customer.

  • Customer onboarding is performed using organization mapping, not repeated connections.

If you attempt to create an additional Datto EDR connection, Kaseya MDR may display a warning indicating that a connection already exists.

Using Datto EDR during customer onboarding

Although Datto EDR appears in onboarding checklists alongside other endpoint security tools, the Datto EDR connection itself is not repeated per customer.

During each customer onboarding:

  • Do not create a new Datto EDR integration.

  • Confirm that the Datto EDR integration already exists.

  • Use organization mapping to include the customer organization.

  • Verify that Datto EDR activity appears for that organization after synchronization.

In onboarding checklists, the step “Connect / Map Datto EDR” refers to mapping the organization, not creating a new Datto EDR connection.

Requirements

Before connecting Datto EDR to Kaseya MDR:

  • You must have administrative access to Datto EDR.

  • You must be able to create an API token in Datto EDR.

  • You must have permission to manage integrations or organization applications in Kaseya MDR.

Datto EDR–specific configuration and administration are performed in Datto EDR, not in Kaseya MDR.

Creating an API token in Datto EDR

  1. Sign in to Datto EDR.

  2. Open the user menu and select Admin.

  3. Go to Users & Tokens > API Tokens.

  4. Select Create new token.

  5. Enter a token description and click Create.

  6. Copy the token and store it securely.

IMPORTANT  The token is shown only once and cannot be retrieved later.

Connecting Datto EDR to Kaseya MDR

  1. Open the Datto EDR Connection Wizard using either:

    • Settings > Integrations > Datto EDR > click Connect

    • Edit organization > Applications > + New application > Datto EDR

    NOTE  If you see a warning indicating that a Datto EDR connection already exists, do not create another connection. Open the existing Datto EDR integration and manage organization mapping instead.

  2. Enter the following credentials:

    • Client Domain (the URL, for example, yourcompany.infocyte.com, from your address bar)

    • API Token

  3. Select Next to continue to organization mapping.

Organization mapping

Organization mapping is the supported way to control which organizations receive Datto EDR telemetry within the single Datto EDR connection.

User activity organization

  • Select a User Activity Organization.

  • User‑related activity from Datto EDR is logged against this organization and provides the security context for user activity in SIEM.

Device organization mapping

  • Map Datto EDR organizations to SIEM organizations.

  • Device‑related activity is associated only when a Datto EDR organization is mapped.

  • Datto EDR organizations that remain unmapped are not included.

  • You can:

    • Accept suggested matches

    • Manually select mappings

    • Enable automatic mapping when names match exactly (optional)

  • Select Finish to save the mapping.

After completing the connection

Once mapping is saved:

  • Datto EDR telemetry is associated with the mapped organizations

  • Activity becomes available for investigation and correlation

  • Synchronization is not immediate

NOTE  It can take up to 15 minutes for organizations and devices to update after mappings are added or changed, even after the connection shows as successful.

Connection status and synchronization

After Datto EDR is connected, the Integrations list shows a high‑level connection status (for example, Connected). Selecting View details displays the current synchronization stage.

The detailed view shows a connection status panel that reflects the current synchronization stage. This may include steps such as initializing the connection, checking permissions, retrieving users, processing security data, or refreshing authentication tokens.

A status of Done indicates that the connection process has completed. It does not mean that all users or devices have finished synchronizing. Organization and device data may continue to update in the background after the connection is marked complete.

Accounts tab

After Datto EDR is connected, the integration details include an Accounts tab.

The Accounts tab displays the list of accounts and identities associated with the Datto EDR integration. This view provides visibility into which accounts are included and how they are categorized and displayed within Kaseya MDR.

From the Accounts tab, you can:

  • View accounts associated with the Datto EDR integration

  • Search and filter the account list

  • Export the list for review

  • See account attributes and status indicators as shown in the UI

The Accounts tab is informational and administrative. It does not control Datto EDR detection behavior, alert generation, response actions, or SOC workflows.

Verifying the connection

After completing the mapping, follow these steps to ensure data is flowing correctly:

  • Check the Connection Status: Navigate to Settings > Integrations. The Datto EDR card should display a Green "Connected" status.

  • Verify Organization Mapping: Go to the organization and select the Unify tab. Ensure the correct Datto EDR organization is listed as "Mapped."

  • Confirm Identity Sync: Open the Accounts tab within the integration details. You should see a list of user identities being pulled from Datto EDR. If this list is populated, the API is communicating correctly.

  • Monitor the Analysis Logs: Navigate to the Analysis screen. Look for events where the Source is listed as Datto EDR. (Note: It may take 15–30 minutes for the first set of events to appear after initial mapping).

  • Test "Unify" Correlation: Open a recent login alert for a mapped customer. Under the Device section of the alert details, you should now see telemetry (such as the hostname or OS version) pulled directly from Datto EDR, confirming the cloud-to-endpoint link is active.

Where Datto EDR activity appears in Kaseya MDR

After synchronization:

  • Datto EDR activity appears as context within alerts and investigations

  • Data is scoped according to the organization mappings you defined

  • Datto EDR does not appear as an endpoint management UI within SIEM

Refer to Datto EDR documentation for Datto EDR–specific configuration and administration.

Disconnecting Datto EDR from Kaseya MDR

Datto EDR can be disconnected from Kaseya MDR by selecting Disconnect Application and confirming the action.

Disconnecting Datto EDR:

  • Removes the association between Datto EDR and Kaseya MDR

  • Stops Datto EDR activity from being associated with organizations in SIEM

  • Does not delete or uninstall Datto EDR

  • Does not change Datto EDR configuration outside SIEM

If Datto EDR is configured at the partner level, disconnecting it affects all organizations mapped to that connection.

The integration can be reconnected later using the same workflow if needed.

Troubleshooting common mapping issues

Customer Organization does not appear in the mapping dropdown

Cause: The organization has not been created in Datto EDR, or the API hasn't refreshed the list yet.

Solution: Ensure the customer exists as a distinct Organization in Datto EDR (not just a Group or Location). If it was recently created, click the Refresh or Sync button in the Kaseya MDR integration settings to force a new pull of the organization list.

All devices are showing up under a "Default RMM Org"

Cause: Datto EDR is configured using a flat structure (Locations/Groups) rather than the multi-tenant "Organization" structure.

Solution: To gain granular visibility, you must move those devices into a specific Organization within the Datto EDR console. Kaseya MDR requires the Organization-level boundary to map telemetry to the correct client tenant.

Connection status says "Connected" but no data is appearing

Cause: The API Token may have insufficient permissions or the initial sync is still in progress.

Solution: Verify the API Token in Datto EDR has Admin or Full Read permissions.

Wait at least 30 minutes for the initial handshake and data ingestion to complete.

Check the Accounts tab; if it is empty, the SIEM is not receiving identity data from the EDR.

"Duplicate Event" alerts are appearing in the SOC

Cause: Datto EDR was accidentally added as a "New Application" at the Organization level while the Partner-level connection was also active.

Solution: Delete the application from the individual Organization > Applications list. Ensure you are only using the Mapping tab to link the client to the master connection.