Azure Sentinel

Integrating Keeper SIEM event pushes to Azure Sentinel and Log Analytics

Microsoft is deprecating this logging method sometime in 2025. Please see the Azure Monitor setup.

Overview

Keeper supports event streaming into Azure Sentinel / Log Analytics environments. This document describes the legacy method of streaming logs, which is being deprecated in 2025. Use the Azure Monitor method.

To proceed with this method... in Azure, go to Log Analytics workspaces > Select Workspace > Classic "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.

Keeper will immediately start sending event data to the designated Azure Log Analytics workspace, under a custom table named Keeper_CL.

To view the logs, open the Log Analytics Workspace > Logs > select the Keeper_CL table.

Troubleshooting

If you need to troubleshoot the event log APIs, the below Python script will simulate the Keeper backend system sending event logs to your Azure environment. Replace the Workspace ID and Workspace Key before testing it.

import base64
import datetime
import hmac
import hashlib
import requests
import json

# Configuration
workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
workspace_key = 'xxxxxx'
log_type = 'Keeper'

# Sample body
body = [
{
  "audit_event": "role_created",
  "remote_address": "11.22.33.44",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "timestamp": "2025-01-12T00:03:44.743Z",
  "role_id": "28162100560074"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.55",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-13T00:03:44.743Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
  "value": "7"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.66",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-14T00:03:44.776Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "SEND_BREACH_WATCH_EVENTS",
  "value": "ON"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.77",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-15T00:03:44.835Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "GENERATED_PASSWORD_COMPLEXITY",
  "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
},
{
  "audit_event": "audit_alert_sent",
  "category": "usage",
  "client_version": "Keeper Service.1.2.0",
  "username": "ALERT",
  "enterprise_id": 6557,
  "timestamp": "2025-01-16T01:31:11.123Z",
  "origin": "admin_permission_added",
  "name": "XXX123",
  "recipient": "user@company.com,+19165551212",
  "username_new": true,
  "client_version_new": true
}]

body_json = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body_json)

signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
decoded_key = base64.b64decode(workspace_key)
signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')

headers = {
    'Content-Type': content_type,
    'Authorization': f'SharedKey {workspace_id}:{signature}',
    'Log-Type': log_type,
    'x-ms-date': rfc1123date
}

uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'

response = requests.post(uri, data=body_json, headers=headers)
print(f"Response code: {response.status_code}")
print(f"Response message: {response.text}")

PreviousAzure Monitor NextAWS S3 Bucket

Last updated 8 days ago

Was this helpful?