Enterprise Guide
© 2025 Keeper Security, Inc.

Recommended Alerts

Best Practices and Recommended Alerts for Advanced Reporting System


Last updated 1 year ago


Keeper's Advanced Reporting System provides built-in alerting capabilities that notify users and Administrators of important events. As a best practice, Keeper has created a list of recommended alerts that can be configured by the Keeper Administrator.

To create an alert, log in to the Admin Console and visit Reporting & Alerts > Alerts.

Alerts are only available to customers who subscribe to the Advanced Reporting & Alerts module. To upgrade, please contact your Keeper customer success representative.

Admin Policy Changes

It is important that the Keeper Admin is notified when any administrative changes are made on the Keeper Admin Console which can affect the security and usage of the platform. We recommend selecting all "Policy Change" events.

Critical system events in this category include the following:

| Event | Threat / Description |
| --- | --- |
| Created Node | Ensure this action is approved. |
| Deleted Node | Ensure this action is approved. |
| Created Role | Ensure this action is approved. |
| Deleted Role | Ensure this action is approved. |
| Created Team | Ensure this action is approved. |
| Deleted Team | Deleting a team could also remove Shared Folder access. Ensure this action is approved. |
| Changed Role Policy | Role enforcement policies can affect many different threat vectors. |
| Set 2FA Configuration | Duo or RSA integration could be interrupted. |
| Created Alert | An Admin created an alert in the Advanced Reporting system. |
| Deleted Alert | An Admin deleted an alert, which could prevent detection. Ensure that this was an expected action. |
| Paused Alert | An Admin has paused an alert, which could prevent detection. Ensure that this was an expected action. |
| License reached maximum | Notifies you when you are reaching your maximum user count, so you can ensure that new users can be onboarded to the platform. |

User Management and Security Changes

We recommend that the Keeper Admin (and the user who performs the action) is notified when any User-Specific changes occur. At minimum, we recommend generating alerts on several key events within the "Security" category.

Critical User Management and Security Change events include the following:

| Event | Threat / Description |
| --- | --- |
| Invited User | Ensure that only approved users are invited to the platform. |
| Created User | Ensure that users who join the Enterprise are approved. |
| Deleted User | Ensure that user deletion is approved. Note this action also deletes all vault contents. |
| Locked User | An Admin has locked a user from the platform. Ensure this action is approved. |
| Disabled 2FA By Admin | A user's 2FA has been turned off by the Keeper Admin. Ensure this action is approved. |
| Device Approved | A user has signed into a new device. This event may generate a lot of alerts depending on the number of users. |
| Admin approval for device requested | The user may need assistance to approve a new device. Log in to the Admin Console to approve. |
| Transferred vault | The user's vault has been transferred to another user account. Ensure that this action is approved. |
| Granted Admin Permission | The user has been added to a role with Administrative permission. Ensure that this user is approved for administrative duties. |

Breached Passwords Detected

BreachWatch gives organizations oversight of the vulnerabilities of users' passwords through active monitoring of dark web breach data. Users and administrators are notified if any of the passwords in their records have been used in a publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover.

Before you configure the alert, ensure that BreachWatch events are configured to flow through the Advanced Reporting & Alerts module. This is disabled by default.

Go to the Role of the users affected by the policy > Enforcement Policies > Vault Features and turn the setting to ON.

In the Alerts section of the Advanced Reporting & Alerts module, create an alert with all 3 event types within the BreachWatch category.

Critical BreachWatch events include the following:

| Event | Threat / Description |
| --- | --- |
| BreachWatch detected high-risk record password | The user has either created a record or imported data with weak passwords or a password known to be breached on the Dark Web. |
| User ignored detected high-risk record password | The user has clicked "Ignore" on a detected breached password. |
| User resolved detected high-risk record password | The user has successfully changed a password that was previously flagged by BreachWatch as a breached password. |
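
The three BreachWatch events form a small state machine per record: detected, then either ignored or resolved. The following is an added example, not Keeper code, that replays exported events to list records that are still exposed. The event names come from the table above; the field names (`ts`, `user`, `record`, `event`) and all sample values are assumptions constructed for this example, not Keeper's export schema.

```python
from collections import defaultdict

# Event names as listed in the BreachWatch table.
DETECTED = "BreachWatch detected high-risk record password"
IGNORED = "User ignored detected high-risk record password"
RESOLVED = "User resolved detected high-risk record password"

# Constructed sample events, deliberately out of order. Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-01-07T10:00:00Z", "user": "alice@example.com", "record": "rec-A1", "event": RESOLVED},
    {"ts": "2025-01-06T09:00:00Z", "user": "alice@example.com", "record": "rec-A1", "event": DETECTED},
    {"ts": "2025-01-06T09:05:00Z", "user": "bob@example.com", "record": "rec-B1", "event": DETECTED},
    {"ts": "2025-01-06T09:06:00Z", "user": "bob@example.com", "record": "rec-B1", "event": IGNORED},
    {"ts": "2025-01-06T09:07:00Z", "user": "bob@example.com", "record": "rec-B2", "event": DETECTED},
    # Ignore event whose detection predates the export window.
    {"ts": "2025-01-06T11:00:00Z", "user": "carol@example.com", "record": "rec-C1", "event": IGNORED},
    # Resolved once, then flagged again after a later password change.
    {"ts": "2025-01-06T12:00:00Z", "user": "alice@example.com", "record": "rec-A2", "event": DETECTED},
    {"ts": "2025-01-06T13:00:00Z", "user": "alice@example.com", "record": "rec-A2", "event": RESOLVED},
    {"ts": "2025-01-08T08:00:00Z", "user": "alice@example.com", "record": "rec-A2", "event": DETECTED},
    # Unrelated event type with no record field; must be skipped.
    {"ts": "2025-01-06T08:00:00Z", "user": "dave@example.com", "event": "Console Login"},
]


def open_exposures(events):
    """Return {user: {record: state}} for records that are still at risk.

    state is "detected" (no user action yet) or "ignored" (warning dismissed).
    Only a "resolved" event closes a record; a later detection re-opens it.
    """
    state = {}
    # Same-format UTC ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev.get("record"))
        if ev["event"] == DETECTED:
            state[key] = "detected"
        elif ev["event"] == IGNORED:
            state[key] = "ignored"
        elif ev["event"] == RESOLVED:
            state.pop(key, None)
    result = defaultdict(dict)
    for (user, record), status in state.items():
        result[user][record] = status
    return dict(result)


if __name__ == "__main__":
    for user, records in sorted(open_exposures(SAMPLE_EVENTS).items()):
        print(user, records)
```

Records left in the "ignored" state are the ones an alert on the "User ignored" event is meant to surface for follow-up.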

Admin Console Logins

Depending on how many Keeper Administrators you have in the organization, you may want to be alerted every time an Admin Console login occurs.

| Event | Threat / Description |
| --- | --- |
| Console Login | Ensure that the user should be granted Administrative rights. |

New Events

Note that new Keeper events are added on a monthly basis as the functionality and features of the platform are enhanced. Therefore, we recommend reviewing the latest event types on a regular basis to ensure that you are informed of the latest capabilities.
