© 2025 Keeper Security, Inc.

Azure Monitor

Integration of Keeper ARAM events with Azure Monitor

Overview

Keeper supports event streaming directly into Azure Monitor Log Analytics Workspace tables using the Azure Logs Ingestion API. As of January 2025, this is the preferred method and API used for streaming event data into Azure logs.

Setup Instructions

Go to the Azure Portal to begin the setup.

(1) Create an App Registration

The Azure App Registration is used to authenticate API requests to the Logs Ingestion API.

  • Navigate to App registrations > New Registration.

Fill out the form:

  • Name: KeeperLogging

  • Supported Account Types: Use the default option (Single tenant).

  • Leave Redirect URI blank for now.

  • Click Register.

After registering:

  • Click on "Expose an API"

  • Click "Set" for the Application ID URI

  • Accept the default suggested URI (it should be something like api://[client-id])

(2) Create Client Secret

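From the App Registrations section of Azure, go to Manage > Certificates & Secrets > New Client Secret.

  • Add a description and expiration period.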

  • Copy the generated "Value" and store it in your Keeper vault.

  • Save this value for the last step ("Client Secret Value").

On the "Overview" screen, also note the Tenant ID and Display Name.

Save the following entries for later:

  • Application (client) ID

  • Client Secret ID

  • Client Secret Value

  • Directory (tenant) ID on the App registrations page.

(3) Create Log Analytics Workspace

A Log Analytics Workspace is the core resource where Azure Monitor collects and stores log data. If you already have one, you can skip this step.

  • From Azure, go to Log Analytics Workspaces.

  • Click Create and configure:

    • Subscription: Choose your Azure subscription.

    • Resource Group: Create a new resource group or select an existing one.

    • Name: Give your workspace a meaningful name (e.g., KeeperLogsWorkspace).

    • Region: Choose a region

    • Click Review + Create and then Create.

(4) Assign Role to App Registration

You need to assign the "Log Analytics Contributor" role on the Log Analytics Workspace to the KeeperLogging application. From the Log Analytics Workspace:

  • Click on the Workspace (e.g. KeeperDemo1)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Log Analytics Contributor" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

(5) Create a Data Collection Endpoint (DCE)

The Data Collection Endpoint is required before you can create a Data Collection Rule.

  • From Azure, open Data Collection Endpoint (DCE).

  • Search for "Data Collection Endpoints" and click Create.

Configure the following:

  • Subscription: Select your Azure subscription.

  • Resource Group: Use the same resource group you plan to use for the DCR.

  • Region: Choose a region

  • Name: Give it a meaningful name (e.g., KeeperLogsEndpoint).

Note the "Logs Ingestion URL" which is used later.

Example: keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com

(6) Create a Table and DCR

From Log Analytics workspaces, open the Keeper workspace, select "Tables", and create a new table.

  • Select "New custom log (DCR-based)".

  • In this example, we are calling it "KeeperLogs".

  • Create a new Data Collection Rule

  • Save the below JSON as a file on your computer

  • When prompted, upload the below JSON file as a Data Sample:

[
  {
    "TimeGenerated": "2025-01-23T01:31:11.123Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.124Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.125Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  }
]

Review the change and submit the request to create the table.

In this example, it shows up as KeeperLogs_CL (Azure appends the _CL).

(7) Assign App Permissions to DCR

From the Data collection rules (DCR) area of Azure:

  • Click on the DCR (e.g. KeeperDCR)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".

(8) Assign App Permissions to DCE

From the Data collection endpoints (DCE) area of Azure:

  • Click on the DCE (e.g. KeeperLogsEndpoint)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the "KeeperLogging" application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor".

At this point, everything is configured on the Azure side. Next, set up the Admin Console.

(9) Update Admin Console

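In the Keeper Admin Console, log in as the Keeper Administrator. Then go to Reporting & Alerts and select "Azure Monitor Logs".

Provide the following information from above into the Admin Console:

  • Azure Tenant ID: You can find this from Azure's "Subscriptions" area.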

  • Application (client) ID: This is located in the App registration (KeeperLogging) overview screen

  • Client Secret Value: This is the Client Secret Value from the app registration secrets.

  • Endpoint URL: This is a URL that is created in the following specific format: https://<collection_url>/dataCollectionRules/<dcr_id>/streams/<table>?api-version=2023-01-01

To assemble the Endpoint URL:

  • <Collection_URL> This comes from Step (5) above

  • <DCR_ID> From the Data Collection Rule, copy the "Immutable Id" value, e.g. dcr-xxxxxxx

  • <TABLE> This is the table name created by Azure, e.g. Custom-KeeperLogs_CL

https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/<TABLE>?api-version=2023-01-01

(10) Setup Complete

When SIEM logs are sent from Keeper to Azure Monitor, the data will begin to populate in the Custom Logs table in a few minutes.


Troubleshooting

For testing purposes, you can generate a Bearer Token and send an API request to the Azure Monitor API to understand how the process works.

Get a Bearer Token

Replace the following:

<Tenant_ID> Your Tenant ID from Step 9 above

<Application_ID> The Application (client) ID from Step 9 above

<Client_Secret_Value> This is the Client Secret Value from Step 9 above

curl -X POST 'https://login.microsoftonline.com/<Tenant_ID>/oauth2/v2.0/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<Application_ID>' \
--data-urlencode 'client_secret=<Client_Secret_Value>' \
--data-urlencode 'scope=https://monitor.azure.com/.default'

The scope must change based on the environment:

  • Azure public cloud: https://monitor.azure.com

  • Azure US Government cloud: https://monitor.azure.us

Executing this curl request will produce a token:

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxx"}

Use the token to send a curl request for a Keeper event log in the next step.

Send SIEM Events

Send a curl request as shown below, replacing the following:

<ENDPOINT_URL> The constructed URL from Step 9 above.

<TOKEN> The Bearer token from above

curl -X POST "<ENDPOINT_URL>" \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '[
    {
      "TimeGenerated": "2025-01-23T01:31:11.123Z",
      "audit_event": "event_one",
      "remote_address": "10.15.12.192",
      "category": "msp",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.124Z",
      "audit_event": "event_two",
      "remote_address": "10.15.12.192",
      "category": "general",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.125Z",
      "audit_event": "event_three",
      "remote_address": "10.15.12.192",
      "category": "security",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    }
  ]'

Note: The bearer token will expire after 1 hour.

The events will show up in Log Analytics Workspace after a few minutes.
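
The following shell helpers are an added example, not part of Keeper's documentation or tooling: they assemble the Endpoint URL from Step 9, pick the token scope for the cloud environment, and pull the access_token out of the token response. The function names and the sample DCR ID are assumptions, and the stream-name check assumes the Custom-<name>_CL form shown above.

```shell
#!/bin/sh
# Added example (not Keeper's code): pre-flight checks for the values in
# Step 9 and the Troubleshooting curl calls. Sample values are constructed.

# token_scope CLOUD: OAuth scope for the token request, per environment.
token_scope() {
  case "$1" in
    public) echo "https://monitor.azure.com/.default" ;;
    usgov)  echo "https://monitor.azure.us/.default" ;;
    *) echo "unknown cloud '$1' (expected public or usgov)" >&2; return 1 ;;
  esac
}

# build_endpoint_url COLLECTION_URL DCR_ID TABLE: assemble the Endpoint URL,
# rejecting the usual paste mistakes before they turn into HTTP errors.
build_endpoint_url() {
  host=${1#https://}   # accept the Logs Ingestion URL with or without scheme
  host=${host%/}       # and with or without a trailing slash
  case "$host" in
    ""|*[!A-Za-z0-9.-]*) echo "bad collection URL: $1" >&2; return 1 ;;
  esac
  case "$2" in
    dcr-*[!A-Za-z0-9-]*|dcr-) echo "bad DCR ID: $2" >&2; return 1 ;;
    dcr-*) ;;
    *) echo "DCR ID must be the Immutable Id (dcr-...): $2" >&2; return 1 ;;
  esac
  case "$3" in
    *[!A-Za-z0-9_-]*) echo "bad stream name: $3" >&2; return 1 ;;
    Custom-?*_CL) ;;
    *) echo "stream must look like Custom-<name>_CL: $3" >&2; return 1 ;;
  esac
  printf 'https://%s/dataCollectionRules/%s/streams/%s?api-version=2023-01-01\n' \
    "$host" "$2" "$3"
}

# extract_access_token: read the token response JSON on stdin and print only
# the access_token value (compact single-line JSON, as shown on this page).
extract_access_token() {
  sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Demo with constructed values (the DCR ID below is a placeholder).
build_endpoint_url "https://keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com" \
  "dcr-0123456789abcdef" "Custom-KeeperLogs_CL"
```

Run build_endpoint_url before pasting the result into the Admin Console or the curl command; a non-zero exit status means one of the three parts is malformed.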
