Azure Monitor

Integration of Keeper ARAM events with Azure Monitor

The Azure Monitor API integration will be live in early February 2025

Overview

Keeper supports event streaming directly into Azure Log Analytics Workspace tables using the Azure Logs Ingestion API.

Setup Instructions

In Azure, go to Log Analytics workspaces > Select Workspace and then "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.

(1) Create an App Registration

The Azure App Registration is used to authenticate API requests to the Logs Ingestion API.

  • Go to the Azure Portal.

  • Navigate to App registrations > New Registration.

Fill out the form:

  • Name: KeeperLogging

  • Supported Account Types: Use the default option (Single tenant).

  • Leave Redirect URI blank for now.

  • Click Register.

After registering:

  • Click on "Expose an API"

  • Click "Set" for the Application ID URI

  • Accept the default suggested URI (it should be something like api://[client-id])

(2) Create Client Secret

From the App Registrations section of Azure, go to Manage > Certificates & Secrets > New Client Secret.

  • Add a description and expiration period.

  • Copy the generated "Value" and store it in your Keeper vault.

  • Save this value for the last step ("Client Secret Value").

On the "Overview" screen, also note the Tenant ID and Display Name.

Save the following entries for later:

  • Application (client) ID

  • Client Secret ID

  • Client Secret Value

  • Directory (tenant) ID on the App registrations page.

(3) Create Log Analytics Workspace

A Log Analytics Workspace is the core resource where Azure Monitor collects and stores log data. If you already have one, you can skip this step.

  • From Azure, go to Log Analytics Workspaces

  • Click Create and configure:

    • Subscription: Choose your Azure subscription.

    • Resource Group: Create a new resource group or select an existing one.

    • Name: Give your workspace a meaningful name (e.g., KeeperLogsWorkspace).

    • Region: Choose a region

    • Click Review + Create and then Create.

(4) Assign Role to App Registration

Assign the KeeperLogging application the "Log Analytics Contributor" role on the Log Analytics Workspace. From the Log Analytics Workspace:

  • Click on the Workspace (e.g. KeeperDemo1)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Log Analytics Contributor" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

(5) Create a Data Collection Endpoint (DCE)

The Data Collection Endpoint is required before you can create a Data Collection Rule.

  • From Azure, open Data Collection Endpoint (DCE)

  • Search for "Data Collection Endpoints" and click Create.

Configure the following:

  • Subscription: Select your Azure subscription.

  • Resource Group: Use the same resource group you plan to use for the DCR.

  • Region: Choose a region

  • Name: Give it a meaningful name (e.g., KeeperLogsEndpoint).

Note the "Logs Ingestion URL" which is used later.

Example: keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com

(6) Create a Table and DCR

From the Log Analytics workspaces, open the Keeper workspace and select "Tables" and Create a new table.

  • Select "New custom log (DCR-based)".

  • In this example, we are calling it "KeeperLogs".

  • Create a new Data Collection Rule

  • Save the below JSON as a file on your computer

  • When prompted, upload the below JSON file as a Data Sample:

[
  {
    "TimeGenerated": "2025-01-23T01:31:11.123Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.124Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.125Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  }
]

Review the change and submit the request to create the table.

In this example, it shows up as KeeperLogs_CL (Azure appends the _CL).

(7) Assign App Permissions to DCR

From the Data collection rules (DCR) area of Azure:

  • Click on the DCR (e.g. KeeperDCR)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".

(8) Assign App Permissions to DCE

From the Data collection endpoints (DCE) area of Azure:

  • Click on the DCE (e.g. KeeperLogsEndpoint)

  • Select Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the "KeeperLogging" application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor".

At this point, everything is configured on the Azure side. Next, set up the Admin Console.

(9) Update Admin Console

In the Keeper Admin Console, log in as the Keeper Administrator. Then go to Reporting & Alerts and select "Azure Monitor Logs".

Provide the following information from the Create Client Secret step above into the Admin Console:

  • Azure Tenant ID: You can find this from Azure's "Subscriptions" area.

  • Application (client) ID: This is located in the App registration (KeeperLogging) overview screen

  • Client Secret Value: This is the Client Secret Value from the app registration secrets.

  • Endpoint URL: This is a URL that is created in the following specific format: https://<collection_url>/dataCollectionRules/<dcr_id>/streams/<table>?api-version=2023-01-01

To assemble the Endpoint URL:

  • <Collection URL> This comes from Step (5) above

  • <DCR_ID> From the Data Collection Rule, copy the "Immutable Id" value, e.g. dcr-xxxxxxx

  • <TABLE> This is the table name created by Azure, e.g. Custom-KeeperLogs_CL

https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/<TABLE>?api-version=2023-01-01
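The Endpoint URL is easy to get subtly wrong (a scheme pasted twice, the DCR resource name instead of its Immutable Id, or the table name without the Custom-/_CL decoration), and the Admin Console cannot tell you which part is off. The following POSIX shell function, added here as an example and not part of Keeper's documentation or product, assembles the URL from the three components above and refuses inputs that do not match the documented shapes. The host, DCR id and table name passed in are constructed placeholders; the .ingest.monitor.azure.us host suffix for the US Government cloud is an assumption.

```shell
#!/bin/sh
# build_endpoint_url COLLECTION_URL DCR_IMMUTABLE_ID STREAM_NAME
#   COLLECTION_URL    Logs Ingestion URL from the DCE (Step 5), with or without https://
#   DCR_IMMUTABLE_ID  "Immutable Id" of the Data Collection Rule, which starts with dcr-
#   STREAM_NAME       stream/table name as Azure reports it, Custom-<table>_CL
# Prints the URL in the Step 9 format on success; prints a reason to stderr and
# returns 1 when a component does not look right.
build_endpoint_url() {
  collection_url=${1#https://}        # tolerate a pasted scheme ...
  collection_url=${collection_url%/}  # ... and a trailing slash
  dcr_id=$2
  stream=$3

  # Assumption: public-cloud hosts end in .ingest.monitor.azure.com and
  # US Government hosts in .ingest.monitor.azure.us.
  case "$collection_url" in
    *.ingest.monitor.azure.com|*.ingest.monitor.azure.us) ;;
    *) echo "not a Logs Ingestion host: $collection_url" >&2; return 1 ;;
  esac

  # The DCR's display name (e.g. KeeperDCR) is not accepted here; only the Immutable Id is.
  case "$dcr_id" in
    dcr-*) ;;
    *) echo "expected the DCR Immutable Id (dcr-...), got: $dcr_id" >&2; return 1 ;;
  esac

  # Azure names the stream after the custom table: Custom-<table>_CL.
  case "$stream" in
    Custom-*_CL) ;;
    *) echo "expected a stream name of the form Custom-<table>_CL, got: $stream" >&2; return 1 ;;
  esac

  printf 'https://%s/dataCollectionRules/%s/streams/%s?api-version=2023-01-01\n' \
    "$collection_url" "$dcr_id" "$stream"
}

# Constructed sample values (not real Azure identifiers):
# build_endpoint_url "https://keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com/" \
#                    "dcr-0123456789abcdef" "Custom-KeeperLogs_CL"
```

Run it once with your own three values before pasting the result into the Admin Console; a URL the function rejects will also be rejected by the ingestion API, just with a less specific error.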

(10) Setup Complete

When SIEM logs are sent from Keeper to Azure Monitor, the data will begin to populate in the Custom Logs table in a few minutes.


Troubleshooting

Just for the purpose of testing, you can generate a Bearer Token and send an API request to the Azure Monitor API to understand how the process works.

Get a Bearer Token

Replace the following:

<Tenant_ID> Your Tenant ID from Step 9 above

<Application_ID> The Application (client) ID from Step 9 above

<Client_Secret_Value> The Client Secret Value from Step 9 above

curl -X POST 'https://login.microsoftonline.com/<Tenant_ID>/oauth2/v2.0/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<Application_ID>' \
--data-urlencode 'client_secret=<Client_Secret_Value>' \
--data-urlencode 'scope=https://monitor.azure.com/.default'

The scope must change based on the environment:

  • Azure public cloud: https://monitor.azure.com

  • Azure US Government cloud: https://monitor.azure.us

Executing this curl request will produce a token:

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxx"}

Use the token to send a curl request containing Keeper event logs in the next step.

Send SIEM Events

Send a curl request as seen below, replacing the following:

<ENDPOINT_URL> The constructed URL from Step 9 above.

<TOKEN> The Bearer token from above

curl -X POST "<ENDPOINT_URL>" \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '[
    {
      "TimeGenerated": "2025-01-23T01:31:11.123Z",
      "audit_event": "event_one",
      "remote_address": "10.15.12.192",
      "category": "msp",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.124Z",
      "audit_event": "event_two",
      "remote_address": "10.15.12.192",
      "category": "general",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.125Z",
      "audit_event": "event_three",
      "remote_address": "10.15.12.192",
      "category": "security",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    }
  ]'

Note: The bearer token will expire after 1 hour.

The events will show up in Log Analytics Workspace after a few minutes.
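The two curl commands above are the whole exchange, but scripting them reveals the details a practitioner runs into: the scope depends on the cloud, the token must be pulled out of the JSON response, it expires after an hour, the ingestion body must be a JSON array rather than a single object, and success is signalled by an HTTP status rather than a response body. The POSIX shell script below wraps both requests with those checks. It is an added example, not Keeper's code; the token response it parses is the one shown above, the client secret is read from an AZURE_CLIENT_SECRET environment variable (a name chosen here, so the secret never appears on a command line or in shell history), and the 204 No Content success status is what the Logs Ingestion API returns.

```shell
#!/bin/sh
# Token scope per cloud, as documented above (public vs US Government).
token_scope() {
  case "$1" in
    public) echo 'https://monitor.azure.com/.default' ;;
    usgov)  echo 'https://monitor.azure.us/.default' ;;
    *) echo "unknown cloud: $1 (use public or usgov)" >&2; return 1 ;;
  esac
}

# The token response is flat JSON, so sed is enough to pull two fields out of it.
extract_access_token() { printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'; }
extract_expires_in()   { printf '%s' "$1" | sed -n 's/.*"expires_in":\([0-9]*\).*/\1/p'; }

# token_deadline NOW EXPIRES_IN -> epoch second after which the token is treated as dead.
# Refresh one minute early so a batch is never posted with a token about to lapse.
token_deadline() { echo $(( $1 + $2 - 60 )); }
# token_is_fresh NOW DEADLINE -> true while the token may still be used.
token_is_fresh() { [ "$1" -lt "$2" ]; }

# get_token TENANT_ID CLIENT_ID CLOUD -> prints the raw token JSON.
# The secret comes from $AZURE_CLIENT_SECRET (name assumed here), not from an argument.
get_token() {
  scope=$(token_scope "$3") || return 1
  [ -n "$AZURE_CLIENT_SECRET" ] || { echo "AZURE_CLIENT_SECRET is not set" >&2; return 1; }
  curl -sS -X POST "https://login.microsoftonline.com/$1/oauth2/v2.0/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$2" \
    --data-urlencode "client_secret=$AZURE_CLIENT_SECRET" \
    --data-urlencode "scope=$scope"
}

# payload_is_array FILE -> true when the file holds a JSON array (what the API expects).
# Catches the common mistake of posting one event object instead of a list of them.
payload_is_array() {
  first=$(tr -d ' \t\r\n' < "$1" | head -c 1)
  [ "$first" = '[' ]
}

# send_events ENDPOINT_URL TOKEN FILE -> prints the HTTP status; returns 0 only on 204.
send_events() {
  payload_is_array "$3" || { echo "payload must be a JSON array of events" >&2; return 1; }
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X POST "$1" \
    -H "Authorization: Bearer $2" \
    -H 'Content-Type: application/json' \
    --data-binary @"$3")
  echo "$status"
  [ "$status" = "204" ]
}

# Example run (placeholders; set AZURE_CLIENT_SECRET in the environment first):
#   resp=$(get_token "<Tenant_ID>" "<Application_ID>" public)
#   token=$(extract_access_token "$resp")
#   deadline=$(token_deadline "$(date +%s)" "$(extract_expires_in "$resp")")
#   token_is_fresh "$(date +%s)" "$deadline" && send_events "<ENDPOINT_URL>" "$token" events.json
```

A 403 from send_events usually means one of the role assignments from steps (7) and (8) is missing or has not propagated yet; a 401 after a long-running session usually means the deadline check was skipped and the hour has passed.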
