Endpoint and infrastructure sources
This article explains how endpoints and infrastructure systems function as data sources in Kaseya MDR, where host‑based activity becomes visible in the platform, and what types of telemetry these systems contribute once ingestion is established.
Use this article to understand how real systems—endpoints and servers—participate in MDR detection and investigation, not how agents are installed, deployed, or configured on individual machines.
This article explains:
- What endpoint and infrastructure sources represent in Kaseya MDR
- How these sources become active after agent deployment or host integration
- Where endpoint and server activity appears in the MDR interface
- What types of telemetry these sources contribute
- How to tell, based on alerts and investigations, that endpoint ingestion is working
What are endpoint and infrastructure sources?
Endpoint and infrastructure sources are host‑based systems that generate security telemetry through an installed agent or supported host‑level integration.
These sources typically include:
- User endpoints (workstations and laptops)
- Servers (physical or virtual)
- Infrastructure hosts running monitored workloads or services
Once active, these systems generate continuous security‑relevant telemetry that is evaluated by MDR detection logic and reviewed by the managed SOC.
Endpoint and infrastructure sources form the primary signal surface for Kaseya MDR.
How endpoint and infrastructure sources become active
Endpoint and infrastructure sources become active in Kaseya MDR after a host successfully reports telemetry.
Unlike application‑ or integration‑based sources:
- There is no Add Application workflow
- There is no application‑level connection status
- Visibility is established when the agent begins reporting
Association with an organization occurs during agent deployment or assignment. Once the endpoint checks in successfully, it becomes an active MDR data source for that organization.
For deployment methods, platform requirements, and onboarding procedures, see the agent deployment articles referenced from this section.
Where endpoint and infrastructure activity appears in Kaseya MDR
Endpoint and infrastructure systems do not appear as configurable applications or services. Their presence is reflected through alert context and investigation evidence.
You will encounter endpoint and infrastructure activity in:
- Alert details
  - Host‑based process, file, network, or operating‑system activity is included when an endpoint contributes to a detection
- Analysis > Investigations
  - Activity from endpoints, servers, identity signals, and network sources is correlated to support investigation and validation
Endpoint visibility in Kaseya MDR is alert‑driven, not inventory‑driven. Systems become visible through the alerts and investigations they participate in, not through an asset list.
How endpoint and infrastructure sources differ from other MDR data sources
Endpoint and infrastructure sources differ from other MDR telemetry in important ways:
- They are host‑centric, not service‑centric
- They generate continuous behavioral telemetry
- They are the primary basis for process‑ and behavior‑based detections
By contrast:
- Identity and cloud activity contributes authentication and account‑level context
- Network and log‑based sources contribute infrastructure and traffic signals
- MSP and IT operations tools provide operational and workflow context
Endpoint telemetry anchors MDR investigations in observable system behavior.
What telemetry endpoint and infrastructure sources provide
Endpoint and infrastructure sources commonly contribute:
- Process creation and execution activity
- File system and registry activity
- Network connections originating from the host
- Operating system and security‑relevant events
- Behavioral indicators associated with common attack techniques
This telemetry is evaluated alongside data from identity, network, and log‑based sources to validate risk and scope.
Endpoint detections may include contextual metadata such as mapped attack techniques (TTPs) or operating system event identifiers derived from host activity.
What you will see when endpoint ingestion is working
When endpoint and infrastructure ingestion is functioning correctly:
- Alerts include host‑based activity and context
- Endpoint activity appears consistently in investigations
- Process, network, and operating‑system details are attached to detections
There may not be a single “connected” indicator. Successful ingestion is confirmed through ongoing alert and investigation visibility, not a status badge.
Relationship to other data source workflows
Endpoint and infrastructure sources fit into the broader MDR ingestion model as follows:
- Connecting data sources and integrations explains how sources are associated with organizations
- Identity and cloud security activity explains how account and authentication context complements endpoint detections
- Network and log‑based ingestion explains how infrastructure telemetry extends visibility
- Application Configurations explains how certain MDR behaviors are tuned after ingestion
Each source type contributes a different layer of signal.
Key takeaway
Endpoint and infrastructure sources are where real systems—endpoints and servers—become visible in Kaseya MDR. They appear through alerts and investigation context, not as configurable applications or inventories, and their presence is confirmed through continuous host‑based telemetry.
Integration‑specific endpoint sources
Endpoint and infrastructure telemetry in Kaseya MDR often originates from deployed agents or supported endpoint security platforms.
For tool‑specific deployment and setup instructions, see the relevant integration articles. These articles explain how each tool is connected and scoped. This article focuses on how endpoint and infrastructure sources behave in Kaseya MDR once ingestion is active.
Documentation for Datto EDR and Datto RMM is available at launch. Additional integration documentation will be introduced as the Kaseya MDR experience is provisioned and supported integrations become available.