Managing noise and signal

Kaseya MDR is designed to reduce noise by surfacing actionable alerts supported by investigation context, rather than requiring you to sift through raw events. When you first begin using the platform, it is common to see more alerts than expected while monitoring is established and your environment’s normal activity patterns become visible.

If you use multiple Kaseya security products (such as SaaS Alerts, Kaseya MDR, and Kaseya SIEM), some alert noise may come from overlapping evaluation of the same underlying telemetry. In these cases, similar alerts can appear in more than one product. In Kaseya MDR, managing noise focuses on deciding how future alert behavior should change after investigation confirms a recurring, low‑risk pattern.

Over time, you can refine alert behavior so investigation remains focused on activity that materially affects decisions. The goal is not to silence alerts, but to ensure Kaseya MDR supports consistent investigation and response without overwhelming your team.

This article explains how to manage noise in Kaseya MDR, including how to identify recurring patterns, how to choose the least disruptive noise‑reduction approach, and how to validate changes safely.

This article helps you decide whether and how alert behavior should change after investigation. It does not provide step‑by‑step instructions for tuning or suppression. For implementation details, refer to the linked articles under each option below.

How alert behavior decisions fit together

Use the articles in this section together as a deliberate decision ladder:

  1. Start with the alert

    Review the alert and understand what it represents before taking action.

    See Working with alerts

  2. Investigate before changing behavior

    Use the Analysis page to validate context, scope, and impact.

    See Investigating activity using the Analysis page

  3. Decide how (or whether) alert behavior should change

    Determine whether tuning, suppression, or no action is appropriate based on investigation results.

    See Managing noise and signal; Managing repeated alerts

  4. Apply the selected change in the correct place

    Severity or detection tuning: global prioritization changes.
    See Managing alert severity and detection tuning

    Suppression rules: scoped exceptions for specific conditions.
    See Suppressing alerts from Events; Alert suppression

Each article in this set is intentionally scoped to one step in this process.

Avoid skipping steps. Changing alert behavior without investigation can hide meaningful security activity and reduce confidence in response decisions.

Timing for noise management

Consider noise management only after you have:

  • Reviewed alerts and identified recurring patterns

  • Investigated at least one representative example using the Analysis page

  • Confirmed the recurring activity is expected, acceptable, or low risk in a clearly defined context

IMPORTANT  Do not manage noise as an initial step. Tuning or suppression before you understand alert behavior can hide meaningful security activity.

Noise‑management decisions should only be made after investigation confirms that reducing escalation will not change investigation outcomes or response decisions.

Signal and noise definitions

In Kaseya MDR:

  • Signal is security‑relevant activity that generates alerts and can change investigation outcomes or response decisions.

  • Noise is expected or low‑risk activity that may still be visible for context but does not require repeated attention.

Seeing fewer alerts does not automatically mean reduced coverage. Noise reduction should preserve visibility for investigation and audit needs while lowering unnecessary escalation.

Step 1: Identify noisy patterns using Analysis

Before changing alert behavior, use the Analysis page to understand patterns over time:

  1. From the side navigation menu, open the Analysis page.

  2. Scope the view to a relevant organization and a primary subject (such as a user, device, or IP address).

  3. Look for:

  • Alerts that recur frequently

  • Alerts that consistently lead to the same benign outcome

  • Patterns that appear ‘loud’ but do not change investigation or response decisions

Ask one question: If this alert keeps firing—either repeatedly in Kaseya MDR or alongside similar alerts from other products—does it ever change what we do?

If the answer is consistently no, the alert is a candidate for noise reduction.

This step ensures decisions are evidence‑based, not driven by alert volume alone.

Step 2: Choose the least disruptive noise‑reduction option

After identifying a noisy pattern, choose the approach that reduces distraction without removing investigation context.

Option A: Severity or detection tuning (global behavior)

Use tuning when an alert is valid but consistently low urgency across your environment.

Tuning is appropriate when you want to:

  • Preserve visibility and investigation context

  • Reduce repeated escalation for the same type of activity

  • Improve signal quality without introducing rule exceptions

Severity tuning is performed globally from Settings > Customize Alert Severity and affects how alert types are prioritized going forward.

Option B: Scenario‑based handling for repeated alerts (best for decision‑making)

Use this approach when an alert is generally valid but becomes noise in a known scenario (for example, a specific user, service account, location, or maintenance window).

For investigation‑first decision‑making specific to repeated alerts, including when suppression, tuning, or no action is appropriate, see Managing repeated alerts.

Option C: Suppression rules (best for scoped exceptions)

Use suppression when:

  • The activity is expected only under specific conditions

  • The alert remains valuable in other situations

  • Conditions can be clearly defined (such as product, event type, user, location, or time window)

Suppression is intended for scoped exceptions, not global fixes. For full rule configuration, see Alert suppression.

If you are starting from a real alert or investigation context and want a scenario‑based suppression workflow, see Suppressing alerts from Events (investigation‑based suppression).

Step 3: Apply the change in the appropriate place

Use the method that matches the change you are making:

  • Severity or detection tuning: Adjust severity globally under Settings > Customize Alert Severity, following the guidance in Managing alert severity and detection tuning.

  • Scenario‑based repeated alerts: Follow the workflow in Managing repeated alerts to ensure your decision is grounded in investigation context.

  • Suppression rules: Configure suppression under Events > Suppression Rules, using the scoping and best‑practice guidance in Alert suppression.

Step 4: Validate results (Analysis > change > Analysis)

After making changes, return to the Analysis page to validate outcomes.

Confirm that:

  • Repeated escalations are reduced as intended

  • Relevant activity remains visible for investigation

  • Similar alerts still trigger outside the intended scope

  • You did not introduce unintended blind spots (especially if anything is hidden from Analysis)

This validation loop is essential for managing noise safely.
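The Step 1 pattern search and the Step 4 validation checks can be rehearsed offline, against an export of historical alerts, before anything is changed in the product. The following is an added Python example, not Kaseya MDR code and not its export format: the alert records, the field names (alert_type, user, source_ip, fired_at, outcome) and the two scope dictionaries are constructed assumptions. It groups alerts by type and subject to surface recurring patterns, then dry‑runs a proposed suppression scope against the same history to confirm that the rule suppresses only known‑benign cases and that the same alert type still fires outside the scope.

```python
"""Dry-run a noise-reduction decision against historical alerts.

Added example, not Kaseya MDR code. The records and field names below are
constructed for illustration and do not reflect the platform's export format.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: one dict per alert, with the analyst's outcome.
ALERTS = [
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "203.0.113.10", "fired_at": "2024-03-01T02:05:00", "outcome": "benign"},
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "203.0.113.10", "fired_at": "2024-03-02T02:07:00", "outcome": "benign"},
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "203.0.113.10", "fired_at": "2024-03-03T02:04:00", "outcome": "benign"},
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "203.0.113.10", "fired_at": "2024-03-04T02:09:00", "outcome": "benign"},
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "203.0.113.10", "fired_at": "2024-03-05T02:06:00", "outcome": "benign"},
    # Same account, same alert type, but outside the nightly backup window: escalated.
    {"alert_type": "impossible_travel", "user": "svc-backup", "source_ip": "198.51.100.7", "fired_at": "2024-03-05T14:30:00", "outcome": "escalated"},
    {"alert_type": "impossible_travel", "user": "alice", "source_ip": "198.51.100.7", "fired_at": "2024-03-03T09:12:00", "outcome": "escalated"},
    {"alert_type": "new_inbox_rule", "user": "alice", "source_ip": "198.51.100.7", "fired_at": "2024-03-03T09:15:00", "outcome": "escalated"},
    {"alert_type": "new_inbox_rule", "user": "bob", "source_ip": "192.0.2.44", "fired_at": "2024-03-04T11:00:00", "outcome": "benign"},
]

# Two candidate suppression scopes (assumed shape, not the product's rule syntax).
BROAD_SCOPE = {"alert_type": "impossible_travel", "user": "svc-backup"}
SCOPED_RULE = {"alert_type": "impossible_travel", "user": "svc-backup",
               "window": (time(1, 0), time(4, 0))}   # nightly maintenance window


def noisy_candidates(alerts, min_count=3):
    """Step 1: group alerts by (type, subject) and report recurring groups.

    Returns (key, total, benign_count) tuples, most frequent first. A benign
    count below the total is the cue to look for a narrower scope rather
    than suppressing the whole group.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["alert_type"], a["user"])].append(a)
    rows = []
    for key, items in groups.items():
        if len(items) >= min_count:
            benign = sum(1 for a in items if a["outcome"] == "benign")
            rows.append((key, len(items), benign))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def in_scope(alert, scope):
    """True when the alert matches every condition in the proposed scope."""
    for field in ("alert_type", "user", "source_ip"):
        if field in scope and alert.get(field) != scope[field]:
            return False
    if "window" in scope:
        start, end = scope["window"]
        fired = datetime.fromisoformat(alert["fired_at"]).time()
        if not (start <= fired <= end):
            return False
    return True


def dry_run(alerts, scope):
    """Step 4: measure what a scope would hide before applying it.

    suppressed      - alerts the rule would have silenced
    same_type_kept  - alerts of the same type that still fire outside the scope
    blind_spots     - suppressed alerts that were NOT benign (the rule is too broad)
    """
    suppressed = [a for a in alerts if in_scope(a, scope)]
    same_type_kept = [a for a in alerts
                      if a["alert_type"] == scope.get("alert_type") and not in_scope(a, scope)]
    blind_spots = [a for a in suppressed if a["outcome"] != "benign"]
    return {"suppressed": len(suppressed),
            "same_type_kept": len(same_type_kept),
            "blind_spots": len(blind_spots)}


if __name__ == "__main__":
    for key, total, benign in noisy_candidates(ALERTS):
        print(f"{key}: {total} alerts, {benign} benign")
    print("broad :", dry_run(ALERTS, BROAD_SCOPE))    # blind_spots > 0: too broad
    print("scoped:", dry_run(ALERTS, SCOPED_RULE))    # blind_spots == 0, same type still fires
```

The broad scope silences the one svc-backup alert that was actually escalated, which the dry run reports as a blind spot; adding the time window keeps that alert and alice's alert visible while still removing the five recurring benign ones. Running the same dry run again after the rule is live, over new alerts, is the Analysis > change > Analysis loop in miniature.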

What to avoid

When managing noise and signal:

  • Do not tune or suppress alerts before investigating a representative example

  • Do not assume fewer alerts mean reduced protection

  • Do not apply broad suppressions to reduce downstream workload

  • Do not hide activity from Analysis unless you have a clear operational reason and audit implications are understood

  • Do not treat automation as fully autonomous response (always validate what triggers and under what conditions)

All noise‑management actions should be deliberate, scoped, and reversible.

Daily workflow alignment

Use the pages together as follows:

  • Use Working with alerts to review alerts and decide what needs attention

  • Use Analysis to validate scope, context, and intent

  • Use this article to decide how future alerts should behave

  • Use suppression only when you can clearly define the exception conditions

Each step uses a different part of the platform for a different purpose.

Related articles

  • Managing repeated alerts: Review and handle alerts that fire frequently due to expected behavior. Learn how to reduce repeated alert noise safely after investigating representative examples

  • Alert suppression: Learn how suppression works in Kaseya MDR, when to use it, and how to configure scoped rules without disabling investigation visibility

  • Managing alert severity and detection tuning: Learn how to adjust severity and detection logic to improve signal quality when alerts are consistently low value across your environment

  • Creating high‑confidence alerts with Respond rules: Learn how to combine multiple signals into higher‑confidence alerts and define when automated or assisted response should occur