IT Service Descriptions

SaaS Alerts

Ntiva SaaS Alerts is an automated, SaaS security threat detection and response tool, which exposes advanced threats and immediately takes action to keep clients SaaS environments safe.

Ntiva SaaS Alerts is an automated SaaS security threat detection and response tool that exposes advanced threats and immediately takes action to keep clients' SaaS environments safe. This solution allows Ntiva to react promptly to any potential SaaS security incidents that may disrupt a client’s business operations. Ntiva’s SaaS Alerts monitoring and automatic remediation capabilities will enhance our clients' security posture for their SaaS applications. Document the current state workflow and diagnose problems/pain points.


Ntiva’s SaaS alerts is a product responsible for handling alerts generated by the platform's monitoring and alerting system. This product is designed to log, alert and potentially respond automatically to alerts promptly and effectively, ensuring that any issues or problems are addressed quickly.

The SaaS Alerts Product includes the following features:


Ntiva SaaS Alerts will collect logs for over 200 different events that occur within the supported SaaS applications. This information will be retained for 365 days of the event date to help diagnose issues and conduct forensics. This allows Ntiva to search and filter alert logs based on various criteria, such as severity level, User, or time frame, to quickly identify and address issues.


Ntiva SaaS Alerts offers unified, 24/7 real-time monitoring to protect against data theft, data-at risk and bad actors. This feature sends notifications to Ntiva’s NOC when an alert is triggered via ConnectWise Manage via an API integration. This feature helps prioritize alerts based on severity and impact, allowing the response team to focus on critical issues first. This will also manage the response to an alert by tracking the status of the incident, assigning tasks to team members, and providing a centralized location for communication and collaboration.


Ntiva’s SaaS alerts respond module is a component that is responsible for responding to detected threats within seconds of a breach with pre-configured steps to stop bad actors from inflicting damage. If a breach is deemed highly likely, the user's account will automatically be blocked and a ticket will be created for Ntiva to act.


Ntiva SaaS Alerts reporting of user behavior and SaaS application events provides a comprehensive and timely view of the current state of SaaS security for our clients. The reporting functionality of a Ntiva SaaS Alerts system includes reports for SaaS Cyber Assessment, SaaS Risk Reports, Account Details, External Shared Files, File Share Events, Alerts, and MFA Settings report. These reports can be run ad hoc or scheduled to be sent to specific groups of people (internal and external) on a regular basis.

Ntiva’s SaaS Alerts also include an Interactive risk dashboard that provides a visual representation of alert data through interactive dashboards, allowing system administrators to easily view and analyze data.


This solution creates the ability to deeply monitor, alert and respond to compatible SaaS based solutions 24 hours a day. Ntiva SaaS Alerts uses approved API connections to establish secure access to SaaS solutions. This connection allows the ability to read logs and respond to potential breaches based on predefined conditions.

Our tool will categorize and store all the log entries into three thresholds:

Low Alerts

Low alerts are gathered for reporting purposes as well as the ability to analyze past actions. These are deemed non-actionable alerts and will not generate a ticket into ConnectWise Manage. An example of a Low alert is successful login from a know and approved location. These alerts are maintained in Ntiva's SaaS Alerts solution for 365 days.

Medium Alerts

These are considered an actionable alert that requires investigation to determine if an actional breach is occurring. These are deemed a P1 for priority and will create a ticket on the NOC board for action. An example of a medium alert is an email rule being created. While this can be a typical action by a user it is also an action taken by bad actors after a user breach has occurred. Ntiva will validate with the user that this was a valid action as well as use locations of successful authentications to determine if a user has been compromised.


Critical Alerts

These are considered actionable alerts that require investigation to determine if an actional breach is occurring. These are deemed a P1 for priority and will create a ticket on the NOC board for action.

An example of a critical alert is a user being elevated to administrative privileges. While this could be a valid action, Ntiva will investigate this alert to verify this should have occurred. As you will note, there is little difference between Critical and Medium alerts, as they both create a ticket for immediate action.

Ntiva SaaS Alerts also have the ability to take immediate action if pre-defined conditions occur within the SaaS solutions logs. See below:


Will analyze events that occur within a supported SaaS solution and if certain conditions occur in the pre-defined time period, a set of actions will automatically be performed. Example of available actions are:

  • Expire Account logins  –Logs out all connections for the user within the SaaS solutions.
  • Change User Password – Automatically change a user’s password.
  • Setup User MFA – Enable MFA to be setup for the user.
  • Block Sign-in – Blocks any new authentications for the user’s account.

This provides the ability to proactively secure the users account while a critical ticket is created and added to the NOC’s board within ConnectWise Manage.


Example of a Respond Condition:



This rule will automatically log out all current connections and block future logins if an account is accessed outside the approved locations and is a new device for that user, which is deemed highly likely a breach has occurred.


Ntiva’s SaaS Solution will be deployed by the onboarding team for any new or renewed client agreements. Any Ad Hoc additions outside new or renewal contracts for Ntiva’s SaaS Alert protection will be configured by the Product Management Team.


Ntiva’s SaaS Alerts solution provides robust reporting that can help clients understand the importance of further security enhancements. The reporting will also help educate the client on current usage of their SaaS based solutions. Reporting can be requested from the Product Management team to be sent to the Account Manager, VCISO or VCIO on an ad hoc or scheduled occurrence.









IAM Event-Multi- Factor Authentication Disabled


MFA has been turned OFF by a user.






System Compliance Event-Email Limit


Email size limit exceeds "xyz" amount.






System Compliance Event-Unusual Sending Activity


Items are being sent from an unfamiliar location in MSFT.





A mailbox permission to view




Add Mailbox

or send an email on behalf of





an user was added in Microsoft










A new recipient permission




Add Recipient

was added to have full access,





read or sent emails on behalf of





another user.




Custom Compliance Event-Medium


Medium O365 Custom Compliance Event violated.





IAM Event-Multi- Factor Authentication Enabled


MFA has been turned ON by a user.





IAM Event-Multiple Account Locks


User account has been locked more than 3 times in one hour.





IAM Event-User

This user is successfully logged





in from an area outside an




Approved Location

approved location set within





SaaS Alerts. This is critical!!











Policy Event-Security Group Change


This user's security group has changed.






Custom Compliance Event-Low


Low O365 Custom Compliance event violated.






Data Loss Prevention Event


Prevented DLP event.






IAM Event - Unknown Actor Is Attempting To Access Domain


An unknown actor is trying to guess the account name format for this domain.






File Event-Download


A file has been downloaded.






File Event-Emptied From Recycle Bin


All deleted files were removed from the Recycle Bin.






File Event-Permanent Deletion


A file was deleted permanently, and cannot be restored from Recycle Bin.






File Event-Moved

A file was moved to a different location.







File Share Event- External


A file has been opened.













File Share Event- Internal


A file has been shared within the organization.






Email Event- Forwarding Rule Changed


Event forwarding rule has been changed.





Email Event- Forwarding Rule Deleted


Event forwarding rule has been deleted.






IAM Event- Authentication Success


User successfully authenticated when logging into their account.





IAM Event-Multiple


A user is logged into multiple




Login Connections

SaaS apps at the same time,




From Different IP

resulting in an impossible travel





type scenario.





IAM Event-Password Reset


The users password has been reset one time within an hour.






Ready to Experience the Difference? Get Started with SaaS Alerts Today!

Take control of your software-as-a-service landscape and ensure seamless operations with our powerful monitoring platform. Empower your team and make downtime a thing of the past.