Security posture across all managed clients based on RMM alert data and ticket correlation.
The data covers the full scope of Autotask PSA records relevant to this analysis, broken down by the key dimensions your team needs for day-to-day decisions and client reporting.
Who should use this: Security teams, compliance officers, and MSP owners managing risk
How often: Weekly for security posture, monthly for compliance reporting, on-demand for audits
```dax
EVALUATE
SUMMARIZECOLUMNS(
    'BI_Datto_Rmm_Alerts'[priority],
    "total_alerts", COUNTROWS('BI_Datto_Rmm_Alerts'),
    "resolved_count", CALCULATE(COUNTROWS('BI_Datto_Rmm_Alerts'), 'BI_Datto_Rmm_Alerts'[resolved] = TRUE()),
    "unresolved_count", CALCULATE(COUNTROWS('BI_Datto_Rmm_Alerts'), 'BI_Datto_Rmm_Alerts'[resolved] = FALSE())
)
ORDER BY [total_alerts] DESC
```
The direct answer: how many alerts exist at each priority level, and what percentage have been resolved
| Metric | Value |
|---|---|
| Total Alerts | 135,387 |
| Devices | 6,953 |
| Online | 3,395 (48.8%) |
| Offline | 3,558 (51.2%) |
```dax
EVALUATE
ROW(
    "TotalAlerts", COUNTROWS('BI_Datto_Rmm_Alerts'),
    "TotalDevices", COUNTROWS('BI_Datto_Rmm_Devices'),
    "OnlineDevices", CALCULATE(COUNTROWS('BI_Datto_Rmm_Devices'), 'BI_Datto_Rmm_Devices'[online] = TRUE()),
    "OfflineDevices", CALCULATE(COUNTROWS('BI_Datto_Rmm_Devices'), 'BI_Datto_Rmm_Devices'[online] = FALSE())
)
```
Resolved alert count per client site, ranked highest to lowest. High volume alone is not a problem if alerts are being closed.
```dax
EVALUATE
TOPN(
    30,
    SUMMARIZECOLUMNS(
        'BI_Datto_Rmm_Alerts'[site_name],
        'BI_Datto_Rmm_Alerts'[resolved],
        "alert_count", COUNTROWS('BI_Datto_Rmm_Alerts')
    ),
    [alert_count], DESC
)
```
Clients with the most open alerts. Foster Inc accounts for 29.4% of all unresolved alerts across the entire portfolio.
| Client | Resolved | Unresolved | Total | Resolution Rate | Risk Level |
|---|---|---|---|---|---|
| Foster Inc | 3,994 | 990 | 4,984 | 80.1% | Critical |
| Patterson Hood Perez | 26,859 | ~500 | ~27,359 | 98.2% | Watch |
| Martin Group | 8,801 | ~280 | ~9,081 | 96.9% | Normal |
Foster Inc is the standout risk. With 990 unresolved alerts, this single client holds more open alerts than any other site by a factor of two. Their resolution rate of 80.1% means roughly one in five alerts is being ignored or deprioritized. The rest of the portfolio resolves at 97% or higher. This gap suggests a process failure specific to Foster Inc: a staffing issue, a misconfigured monitoring policy, or alert fatigue from noisy thresholds.
```dax
EVALUATE
TOPN(
    30,
    SUMMARIZECOLUMNS(
        'BI_Datto_Rmm_Alerts'[site_name],
        'BI_Datto_Rmm_Alerts'[resolved],
        "alert_count", COUNTROWS('BI_Datto_Rmm_Alerts')
    ),
    [alert_count], DESC
)
```
This is not a volume problem. Foster Inc generates fewer total alerts than Patterson Hood Perez or Martin Group. The issue is that alerts are not being closed. An 80.1% resolution rate at a single site drags the entire portfolio risk profile. Without intervention, these open alerts mask real security events behind a wall of unacknowledged noise.
The 98.7% critical resolution rate looks strong on paper, but 49 open critical alerts still represent potential security exposure. High-priority alerts fare worse at 95.2% resolution, with 70 still open. These 119 combined high-and-critical open alerts should be triaged immediately. Any one of them could represent a compromised endpoint, a failed backup, or an unpatched vulnerability.
Outside of Foster Inc, every top-10 client by volume maintains a resolution rate above 97%. The 96.8% portfolio average is pulled down almost entirely by one outlier. This is good news: the operational process works for the vast majority of clients. The fix is targeted, not systemic.
4 priorities based on the findings above
990 open alerts is not a backlog. It is a blind spot. Pull the full list of unresolved alerts for Foster Inc, filter by priority, and triage the critical and high items first. Determine whether these are legitimate security events being ignored, stale alerts from decommissioned devices, or noisy thresholds that need adjustment. Until this is resolved, you cannot credibly claim this client is secure.
Critical alerts exist for a reason. Each one represents a condition that your monitoring policy flagged as urgent. Pull the list of all 49 unresolved critical alerts, identify which clients and devices they belong to, and close or escalate each one within 48 hours. A 98.7% resolution rate on critical alerts should be 100%.
Information alerts make up 87.3% of all alerts (118,217 out of 135,387). While 97.4% are resolved, the sheer volume creates noise that can mask higher-priority events. Review whether your Information-level monitoring policies are generating actionable data or just filling dashboards. Reducing noise at this tier makes it easier to spot the alerts that matter.
Run this same query at the start of each month. Track whether Foster Inc's backlog is shrinking, whether the 49 critical open alerts get closed, and whether any new client starts developing a similar pattern. A monthly cadence turns this from a one-time snapshot into an early warning system.
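The triage and monthly-tracking steps above can share one per-site watchlist query. This is an added example, not one of the report's own queries; it assumes the `[priority]` column stores the labels "Critical" and "High", and it uses the 97% resolution rate cited in this report as the cut-off.

```dax
// Added example: per-site backlog watchlist.
// Assumptions: [priority] stores the labels "Critical" and "High";
// the 0.97 cut-off is the portfolio norm quoted in this report.
DEFINE
    // All unresolved alerts across the portfolio, used for each site's share.
    VAR PortfolioOpen =
        CALCULATE(
            COUNTROWS('BI_Datto_Rmm_Alerts'),
            'BI_Datto_Rmm_Alerts'[resolved] = FALSE()
        )
EVALUATE
FILTER(
    ADDCOLUMNS(
        SUMMARIZECOLUMNS(
            'BI_Datto_Rmm_Alerts'[site_name],
            "total_alerts", COUNTROWS('BI_Datto_Rmm_Alerts'),
            "unresolved_count",
                CALCULATE(
                    COUNTROWS('BI_Datto_Rmm_Alerts'),
                    'BI_Datto_Rmm_Alerts'[resolved] = FALSE()
                ),
            "open_critical_high",
                CALCULATE(
                    COUNTROWS('BI_Datto_Rmm_Alerts'),
                    'BI_Datto_Rmm_Alerts'[resolved] = FALSE(),
                    'BI_Datto_Rmm_Alerts'[priority] IN { "Critical", "High" }
                )
        ),
        // BLANK counts behave as 0 in the subtraction below.
        "resolution_rate",
            DIVIDE([total_alerts] - [unresolved_count], [total_alerts]),
        "share_of_portfolio_open",
            DIVIDE([unresolved_count], PortfolioOpen)
    ),
    // Keep sites below the norm, or with any urgent alert still open.
    [resolution_rate] < 0.97 || [open_critical_high] > 0
)
ORDER BY [open_critical_high] DESC, [unresolved_count] DESC
```

Saving each month's result set gives a trend line per site: a shrinking `unresolved_count` shows a backlog is being worked, and a new site appearing in the output is the early warning.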
Datto RMM generates alerts based on monitoring policies configured per device and site. These alerts are pulled into Proxuma Power BI through the RMM connector. The AI then runs DAX queries against the BI_Datto_Rmm_Alerts table to count alerts by priority, resolution status, and site name. No data is modified during this process.
An alert is marked resolved when the resolved field in Datto RMM is set to TRUE. This happens either when a technician manually resolves the alert, when an automated policy clears it, or when the underlying condition returns to normal. Alerts that are still open or have not been acknowledged remain marked as FALSE.
This report identifies the gap but does not diagnose the root cause. Common reasons include: overly sensitive monitoring policies generating alert fatigue, devices that have been decommissioned but not removed from RMM, understaffing on the team assigned to this client, or a misconfigured auto-resolution policy. Investigating the specific alert types at Foster Inc will reveal the answer.
Information alerts are the lowest severity tier. Most are status updates rather than actionable security events. However, 3,033 unresolved Information alerts still add noise. If these are being left open because they are not worth resolving, consider adjusting the monitoring policy to suppress them entirely. If they should be resolved, build an auto-resolution rule.
Yes. Connect Proxuma Power BI to your Datto RMM and Autotask accounts, add an AI tool (Claude, ChatGPT, or Copilot) via MCP, and ask the same question. The AI writes the DAX queries, runs them against your real alert data, and produces a report like this in under fifteen minutes.