SaaS Cloud Monitoring with Obsidian Security

Organizations, regardless of vertical, are more dependent on Software as a Service (SaaS) tools and data than ever before. Many CEOs don’t truly appreciate how fundamentally their organizations have changed in the past decade. M365, Google Workspace, GitHub, Slack, Atlassian, Salesforce, and the HR IT stack are now standard, while AI tools demand connections to data increasingly stored in your SaaS cloud.
Executives are often surprised that traditional security information and event management (SIEM) systems don’t handle SaaS data well without significant customization work. Your SIEM sees network traffic, endpoint activity, and infrastructure logs. It often doesn’t see what’s happening inside your SaaS applications, where most of your business operates, leaving you blind to significant data, information, and intelligence.
Conflict Statement
I have no financial interest in Obsidian Security nor do I receive referral fees from any product, software, or SaaS vendor.
The Gap In Your Security Posture
Traditional SIEM and SaaS posture management tools are highly complementary; together they are often the only way to catch early attack indicators. Correlating outputs from configuration monitoring, mobile device management, compliance systems, SIEM, identity providers, and other tools with SaaS telemetry is increasingly a business requirement.
Consider signals your SIEM can’t correlate without normalized SaaS telemetry: mass anomalous downloads from Salesforce or Google Workspace, data transfers exceeding normal patterns, workspace DLP triggers, impossible travel alerts, or sudden network configuration changes made wholly within SaaS environments. Each could be benign (for example, a legitimate user may have activated a VPN). But when correlated with other network activity, they can reveal active attacks or pre-attack indicators.
During threat modeling, security teams should consider which attack scenarios could be detected based on SaaS application signals. A user account downloading thousands of customer records at 3 AM from a new location, followed by large outbound data transfers, tells a story your SIEM alone can’t see.
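The scenario above (a bulk export at 3 AM from a new location, followed by a large outbound transfer) expressed as detection logic over normalized SaaS telemetry, and the same per-user correlation of identity, location, and activity data that a SaaS monitoring platform performs. This is an added example, not Obsidian Security's code or the author's; the event schema, the per-user baseline, the thresholds, and the sample events are all constructed assumptions.

```python
"""Correlate normalized SaaS telemetry into a single attack story.

Added example (not Obsidian Security's code). Scores each export event
against a per-user baseline (typical volume, known countries, working
hours) and escalates when a large outbound transfer follows within a
short window. Field names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed per-user baseline: countries the user normally works from
# and how many records a typical export of theirs contains.
BASELINE = {
    "alice@example.com": {"countries": {"US"}, "typical_records": 40},
    "bob@example.com": {"countries": {"US"}, "typical_records": 50},
}

# Tunable thresholds (assumptions, not vendor defaults).
BULK_MULTIPLIER = 50                     # >= 50x the user's typical export
OFF_HOURS = range(0, 6)                  # 00:00-05:59 UTC
EXFIL_WINDOW = timedelta(hours=2)        # outbound transfer must follow within 2h
MIN_OUTBOUND_BYTES = 500 * 1024 * 1024   # 500 MiB

# Constructed, already-normalized events from several SaaS sources.
EVENTS = [
    {"ts": "2024-05-01T14:05:00Z", "user": "alice@example.com", "app": "salesforce",
     "action": "report_export", "records": 35, "country": "US", "bytes": 0},
    {"ts": "2024-05-02T03:02:00Z", "user": "alice@example.com", "app": "salesforce",
     "action": "report_export", "records": 4200, "country": "RO", "bytes": 0},
    {"ts": "2024-05-02T03:40:00Z", "user": "alice@example.com", "app": "gdrive",
     "action": "external_share", "records": 0, "country": "RO",
     "bytes": 900 * 1024 * 1024},
    {"ts": "2024-05-02T09:15:00Z", "user": "bob@example.com", "app": "salesforce",
     "action": "report_export", "records": 60, "country": "US", "bytes": 0},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_download(event, baseline):
    """Return the reasons an export event deviates from the user's baseline."""
    reasons = []
    ts = parse_ts(event["ts"])
    typical = baseline.get("typical_records", 1)
    if event["records"] >= BULK_MULTIPLIER * typical:
        reasons.append(f"bulk export: {event['records']} records vs typical {typical}")
    if event["country"] not in baseline.get("countries", set()):
        reasons.append(f"new location: {event['country']}")
    if ts.hour in OFF_HOURS:
        reasons.append(f"off-hours: {ts:%H:%M} UTC")
    return reasons


def correlate(events, baselines):
    """Group events per user, flag anomalous exports, and link each one to
    any large outbound transfer that follows it inside EXFIL_WINDOW."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort chronologically
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        baseline = baselines.get(user, {})
        for i, ev in enumerate(evs):
            if ev["action"] != "report_export":
                continue
            reasons = score_download(ev, baseline)
            if not reasons:
                continue
            ts = parse_ts(ev["ts"])
            outbound = [
                nxt["ts"] for nxt in evs[i + 1:]
                if nxt["bytes"] >= MIN_OUTBOUND_BYTES
                and parse_ts(nxt["ts"]) - ts <= EXFIL_WINDOW
            ]
            # Several weak signals plus a follow-on transfer is the full story.
            if outbound and len(reasons) >= 2:
                severity = "high"
            elif outbound or len(reasons) >= 2:
                severity = "medium"
            else:
                severity = "low"
            findings.append({"user": user, "app": ev["app"], "ts": ev["ts"],
                             "severity": severity, "reasons": reasons,
                             "outbound": outbound})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, BASELINE):
        print(finding["severity"].upper(), finding["user"], finding["ts"])
        for reason in finding["reasons"]:
            print("  -", reason)
        for ts in finding["outbound"]:
            print("  followed by outbound transfer at", ts)
```

Run as-is it reports one high-severity finding for the 03:02 UTC Salesforce export and none for the routine exports; bob's 60-record export stays silent because it is within his baseline, which is the point of scoring against per-user behaviour rather than fixed volume limits. The baseline and thresholds would come from the monitoring platform's own learned profiles in practice.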
The Terrible Feeling You Can Avoid
Being informed by Salesforce, or worse, a government agency, that you have a supply chain breach in your SaaS cloud is terrible and avoidable.
I’ve been using Obsidian Security to monitor SaaS applications including Google Workspace, Salesforce, Duo Security, Slack, NextDNS, GitHub, and other platforms, plus output from CrowdStrike, Vanta, Jamf, Okta, and other signal providers in our network. Obsidian helps organized infosec teams address identity threats, configuration drift, excessive privileges, and risky third-party integrations that traditional security tools can miss.
The approach correlates identity, configuration, location, network, and application activity data across your SaaS estate, tracking user behavior, application configurations, OAuth token usage, and integration patterns to detect threats as they develop rather than after damage occurs.
It handles both SaaS Security Posture Management (SSPM: hardening configurations proactively) and Identity Threat Detection and Response (ITDR: detecting active threats in near real time).
Why This Matters Now
The attack surface has shifted. Token theft, integrations that are malicious from the start or turn malicious after a supply chain breach, and privilege escalation through SaaS applications are all rising. Organizations often discover breaches after data is gone because their security stack doesn’t see SaaS activity.
Traditional security controls were designed for on-premises infrastructure and perimeter defense. They stop at the edge of your SaaS applications, blind to what happens inside or between them.
If you’re responsible for security at an organization dependent on SaaS tools, consider whether your monitoring covers this gap. The question isn’t whether SaaS security monitoring matters, but whether you’ll implement it before or after someone tells you about your breach.