Azure Monitor
Integration of Keeper ARAM events with Azure Monitor
Keeper supports event streaming directly into Azure Monitor Log Analytics Workspace tables using the Azure . As of January 2025, this is the preferred method and API used for streaming event data into Azure logs.
Go to the to begin the setup.
The Azure App Registration is used to authenticate API requests to the Logs Ingestion API.
Navigate to > New Registration.
Fill out the form:
Name: KeeperLogging
Supported Account Types: Use the default option (Single tenant).
Leave Redirect URI blank for now.
Click Register.
After registering:
Click on "Expose an API"
Click "Set" for the Application ID URI
Accept the default suggested URI (it should be something like api://[client-id])
Add a description and expiration period.
Copy the generated "Value" and store it in your Keeper vault.
Save this value for the last step ("Client Secret Value").
On the "Overview" screen, also note the Tenant ID and Display Name.
A Log Analytics Workspace is the core resource where Azure Monitor collects and stores log data. If you already have one, you can skip this step.
Click Create and configure:
Subscription: Choose your Azure subscription.
Resource Group: Create a new resource group or select an existing one.
Name: Give your workspace a meaningful name (e.g., KeeperLogsWorkspace).
Region: Choose a region
Click Review + Create and then Create.
Assign the KeeperLogging application the "Log Analytics Contributor" role on the Log Analytics Workspace. From the Log Analytics Workspace:
Click on the Workspace (e.g. KeeperDemo1)
Select Role assignments
Click Add > Add role assignment
Type "Log Analytics Contributor" and select that role
Click "+Select members" and select the KeeperLogging application from the list
Assign it to the "KeeperLogging" application
The Data Collection Endpoint is required before you can create a Data Collection Rule.
Search for "Data Collection Endpoints" and click Create.
Configure the following:
Subscription: Select your Azure subscription.
Resource Group: Use the same resource group you plan to use for the DCR.
Region: Choose a region
Name: Give it a meaningful name (e.g., KeeperLogsEndpoint).
Note the "Logs Ingestion URL" which is used later.
Example: keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com
From Log Analytics workspaces, open the Keeper workspace, select "Tables" and create a new table.
Select "New custom log (DCR-based)".
In this example, we are calling it "KeeperLogs".
Create a new Data Collection Rule
Save the below JSON as a file on your computer
When prompted, upload the below JSON file as a Data Sample:
Review the change and submit the request to create the table.
In this example, it shows up as KeeperLogs_CL (Azure appends the _CL).
Click on the DCR (e.g. KeeperDCR)
Select Role assignments
Click Add > Add role assignment
Type "Monitoring Metrics Publisher" and select that role
Click "+Select members" and select the KeeperLogging application from the list
Assign it to the "KeeperLogging" application
Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".
Click on the DCE (e.g. KeeperLogsEndpoint)
Select Role assignments
Click Add > Add role assignment
Type "Monitoring Metrics Publisher" and select that role
Click "+Select members" and select the "KeeperLogging" application from the list
Assign it to the "KeeperLogging" application
Repeat this process and add "Monitoring Contributor".
At this point, everything is configured on the Azure side. Next, set up the Admin Console.
Azure Tenant ID: You can find this from Azure's "Subscriptions" area.
Application (client) ID: This is located in the App registration (KeeperLogging) overview screen
Client Secret Value: This is the Client Secret Value from the app registration secrets.
Endpoint URL: This is a URL that is created in the following specific format: https://<collection_url>/dataCollectionRules/<dcr_id>/streams/<table>?api-version=2023-01-01
To assemble the Endpoint URL:
<DCR_ID> From the Data Collection Rule, copy the "Immutable Id" value, e.g. dcr-xxxxxxx
<TABLE> This is the table name created by Azure, e.g. Custom-KeeperLogs_CL
When SIEM logs are sent from Keeper to Azure Monitor, the data will begin to populate in the Custom Logs table in a few minutes.
For testing purposes, you can generate a bearer token and send a request to the Azure Monitor API to see how the process works.
Replace the following:
<Tenant_ID> Your Tenant ID from Step 9 above
<Application_ID> The Application (client) ID from Step 9 above
<Client_Secret_Value> This is the Client Secret Value from Step 9 above
Executing this curl request will produce a token:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxx"}
Use the token and send a Curl request for a Keeper event log in the next step.
Send a curl request as seen below, replacing the following:
<TOKEN> The Bearer token from above
Note: The bearer token will expire after 1 hour.
The events will show up in Log Analytics Workspace after a few minutes.
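The Endpoint URL assembly and the token-then-POST test described above, as an added example that is not taken from the Keeper documentation. The function names and the environment variables (TENANT_ID, APP_ID, CLIENT_SECRET, COLLECTION_URL, DCR_ID, TABLE, EVENT_JSON) are assumptions, and the token endpoint and scope are the standard Microsoft Entra client-credentials values, which this page does not show.

```sh
#!/bin/sh
# Added example, not from the Keeper documentation. Placeholders throughout.

# Assemble the Endpoint URL and reject parts that do not match the shapes
# shown on this page (bare DCE host, "dcr-..." Immutable Id, "Custom-..." stream).
build_endpoint_url() {
  host="${1#https://}"; host="${host%/}"
  case "$host" in
    ""|*/*|*" "*) echo "collection URL must be the bare DCE host" >&2; return 1 ;;
  esac
  case "$2" in
    dcr-?*) ;;
    *) echo "DCR id must be the Immutable Id (dcr-...)" >&2; return 1 ;;
  esac
  case "$3" in
    Custom-?*) ;;
    *) echo "stream must be Custom-<table>, e.g. Custom-KeeperLogs_CL" >&2; return 1 ;;
  esac
  printf 'https://%s/dataCollectionRules/%s/streams/%s?api-version=2023-01-01\n' \
    "$host" "$2" "$3"
}

# OAuth2 client-credentials request for an Azure Monitor token. The secret
# ($CLIENT_SECRET) reaches curl through a config stream on stdin, so it is
# not exposed in the process list or shell history. Assumes the secret
# contains no double quote or backslash.
get_token() {
  printf 'data-urlencode = "client_secret=%s"\n' "$CLIENT_SECRET" |
    curl -sS -K - "https://login.microsoftonline.com/$1/oauth2/v2.0/token" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "client_id=$2" \
      --data-urlencode "scope=https://monitor.azure.com//.default" |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# POST a JSON array of events; prints the HTTP status (204 means accepted).
send_events() {
  printf 'header = "Authorization: Bearer %s"\n' "$2" |
    curl -sS -K - -o /dev/null -w '%{http_code}\n' "$1" \
      -H "Content-Type: application/json" --data "$3"
}

# Runs only when the settings are exported; otherwise this file just
# defines the functions. EVENT_JSON must match your table's data sample.
if [ -n "${TENANT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
  url=$(build_endpoint_url "$COLLECTION_URL" "$DCR_ID" "$TABLE") || exit 1
  send_events "$url" "$(get_token "$TENANT_ID" "$APP_ID")" "$EVENT_JSON"
fi
```

A status other than 204 from `send_events` usually points at a missing role assignment on the DCR or a stream name that does not match the table.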
From the section of Azure, go to Manage > Certificates & Secrets > New Client Secret.
From Azure, go to
From Azure, open (DCE)
From the (DCR) area of Azure:
From the (DCE) area of Azure:
In the , login as the Keeper Administrator. Then go to Reporting & Alerts and select "Azure Monitor Logs".
Provide the following information from above into the Admin Console:
<Collection URL> This comes from above
<ENDPOINT_URL> The constructed URL from above.