Identity and cloud security activity

This article explains how identity and cloud security activity contributes to detection and investigation in Kaseya MDR, where that activity becomes visible in the platform, and how it differs from endpoint or network telemetry.

In Kaseya MDR, identity and cloud systems do not function as general‑purpose telemetry sources. Instead, supported integrations provide security‑relevant signals that are evaluated as part of managed detection and response workflows.

Use this article to understand how identity and cloud activity appears in alerts and investigations—not how individual SaaS or cloud integrations are configured or authorized.

What identity and cloud activity represents in Kaseya MDR

In Kaseya MDR, identity and cloud activity represents security‑relevant signals related to authentication, access, and account behavior, rather than raw SaaS or cloud audit logs.

These signals typically originate from supported identity and cloud services, such as Microsoft identity platforms, and are used to help detect scenarios like:

  • Account compromise

  • Suspicious sign‑in behavior

  • Anomalous access patterns

  • Identity misuse correlated with endpoint or network activity

Unlike endpoint or infrastructure sources, identity and cloud activity in MDR does not represent systems, applications, or services as standalone assets. It represents events and behaviors that may indicate risk and require investigation.

How identity and cloud activity is connected

Identity and cloud security activity becomes available in Kaseya MDR when a supported integration is authorized and associated with an organization.

Depending on the integration:

  • Authorization may be completed by an administrator or customer tenant

  • Permissions determine which security signals are available

  • No agent deployment or host‑level installation is required

Detailed authorization steps and permissions are documented in the corresponding integration‑specific articles.

Where identity and cloud activity appears in the MDR interface

Identity and cloud activity does not appear as:

  • Endpoints

  • Devices

  • Hosts

  • Application inventories

Instead, its presence is reflected through alert context and investigation evidence.

You will encounter identity and cloud activity in:

  • Alert details: Alerts may include authentication context, user information, or identity‑related signals that contributed to the detection.

  • Investigations: Identity activity is correlated with endpoint, network, or other signals to help explain who performed an action and how access occurred.

Visibility is alert‑driven, not event‑driven. MDR surfaces identity and cloud activity when it is relevant to detection and investigation.

How identity and cloud activity differs from other MDR data sources

Identity and cloud activity differs from endpoint and network telemetry in several important ways:

  • It does not generate host‑level or process‑level events

  • It does not produce a continuous, browsable event stream

  • It is evaluated as input to detections, not as raw telemetry

Identity and cloud signals typically contribute:

  • Authentication and sign‑in indicators

  • Account activity associated with investigations

  • Context used to validate or escalate detections

This data is most meaningful when correlated with other MDR sources, such as endpoints or network telemetry.

What you will see when identity and cloud ingestion is working

When identity and cloud ingestion is functioning correctly:

  • MDR alerts include identity or authentication context where relevant

  • Investigations reference identity activity alongside other signals

  • SOC analysis incorporates identity signals when validating threats

You may not see a steady stream of identity activity on its own. Successful ingestion is reflected by contextual enrichment, not raw activity listings.

Relationship to other data source workflows

Identity and cloud activity fits into the MDR ingestion model as follows:

  • Connecting data sources and integrations: Explains how identity integrations are authorized and associated with organizations.

  • Endpoint and infrastructure sources: Explains how endpoint telemetry provides the primary detection surface.

  • Network and log‑based sources: Explains how infrastructure telemetry complements investigations.

Each category provides a different layer of signal, with identity and cloud activity supplying context and confirmation, not standalone monitoring.

Key takeaway

In Kaseya MDR, identity and cloud services provide security signals, not general SaaS telemetry. Their activity is surfaced through alerts and investigations when it is relevant to managed detection and response, and is used alongside endpoint and network data to identify and validate threats.

Integration‑specific setup articles

Step‑by‑step instructions for authorizing supported identity and cloud integrations are provided in their corresponding integration‑specific articles. These articles focus on connecting the service, not on how identity signals behave once ingested.

Use those articles after you understand how identity and cloud activity contributes to detection and investigation in Kaseya MDR.