A user state tracking and anomaly detector for multi-tenant SaaS applications operates in association with a log management solution, such as a SIEM. A given SaaS application has many user STATES, and the applications often have dependencies on one another that arise, for example, when a particular application makes a request (typically on behalf of a user) to take some action with respect to another application. The detector includes a mapper that maps the large number of user STATES to a reduced number of mapped states (e.g., “red” and “green”), and a dependency module that generates user-resource dependency graphs. Using a dependency graph, a SaaS modeler in the detector checks whether a particular dependency-based request associated with a SaaS application is valid. State and dependency information generated by the mapper and dependency module are reported back to the log management solution to facilitate improved logging and anomaly detection.