Keeper's Advanced Reporting and Alerts Module (ARAM) provides advanced event logging to meet compliance requirements.
Keeper's Advanced Reporting & Alerts Module ("ARAM") is a critical component of the Keeper Security platform which provides Keeper Administrators and Compliance teams tools for monitoring overall usage and adherence to policies.
Reporting Engine: Run custom time-based reports over 100+ event types, broken down by category (e.g. Security Events, Administrative Actions, General Usage). Filter on User, Event Type or Attribute (e.g. Record UID, Shared Folder UID, Geolocation).
Alerts: Set alert triggers that send email, SMS or webhook notifications for specific event types (for example, notify Admins of any policy change).
External Logging: Integrate with an existing SIEM solution such as Splunk, Sumo Logic or LogRhythm.
BreachWatch Monitoring: Get notified of and track BreachWatch events (user notified of a high-risk password, high-risk password resolved).
Commander CLI / SDK Integration: Keeper Commander can perform customized reporting and automation.
Compliance Auditing: Generate reports that specifically address SOX, ISO and SOC compliance auditing requirements.
The Reporting & Alerts dashboard provides an overview of the top 5 events, two built-in reports and your custom reports. The "Recent Activity" report is a built-in report that provides basic event tracking for the last 1,000 events across 16 event types. Customers can upgrade to the Advanced Reporting and Alerts module to track over 100 event types and generate custom reports and alert notifications.
The "Recent Activity" and "All Security Events" reports are provided in all Keeper Business and Enterprise subscriptions. Custom reporting and alerts are features of the Advanced Reporting and Alerts Module (ARAM). To take advantage of this capability, contact your Keeper Security account manager or upgrade your subscription through the Secure Add-Ons interface of the Admin Console.
Additionally, a user status report is available via the dashboard. See the Dashboard section in this guide.
Admins can also create custom reports by clicking Add Custom Report.
Preview the results by clicking Apply, and if you want to reuse the report later, click Save. You can export the events as a file in JSON, CSV or Syslog format.
New events generated by Keeper vault devices can take up to 15 minutes to appear in the reporting module.
Accuracy of geolocation based on IP address varies with the database used to identify the user's location. Precision depends on several factors, most importantly how well the regional registries validate the data they receive; if the information associated with an IP address is incorrect, its usefulness drops. Geolocation is especially difficult for mobile devices, where the IP address changes frequently and carriers route users to the internet through centralized gateways, so the reported location reflects the gateway rather than the user. Likewise, if users connect through a proxy or VPN, the location data will reflect the proxy or VPN exit point, not the user.
Keeper subscribes to one of the industry's most reliable providers, which performs quality assurance by regularly validating its data against known IP addresses sourced from the public.
The Timeline Chart provides a chart of events over a 24-hour, 7-day and 30-day period. Clicking on any event row will open a report containing all events from the time period.
The Alert module allows you to create event-based triggers that will generate either email or SMS-based alerts.
New alerts are created much like new reports: click Add Alert and specify a name and filter criteria. You can add one or more recipients by email address, phone number (for SMS) or both. Recipients do not have to be members of your enterprise; any email address or phone number can be provided. The first recipient is predefined as the user who generated the event; it is "off" by default, and you must toggle it "on" to send alerts (email only) to the originator.
Specifying a broad event and attribute filter could generate a lot of alerts. Adjust alert frequency and set narrow event types and filters to reduce alert noise.
To prevent recipients from receiving too many emails or SMS messages, alerts can be throttled. One way is to specify an Alert Frequency. For example, if you set the frequency to "Once Per Time Period" with a period of 1 hour, every event matching the alert filter still counts as an alert "occurrence", but a message is sent only if 1 hour has passed since the previous message. Another way to throttle an alert is to pause it using the toggle switch. A paused alert also accumulates "occurrences" without sending messages. When resumed, the next matching event triggers a message that includes the number of events that occurred while the alert was paused.
Below is an example of an email alert:
You can view the alert history in the Alerts Sent tab, with the ability to drill down to see the individual events:
If you are utilizing a 3rd party SIEM solution, the Keeper Admin Console can be configured to automatically feed live event data into external SIEM products. Currently supported systems include:
Event data is transmitted from Keeper's servers to the destination SIEM collector. Only one method of the external sync can be active at a time.
Click Setup to activate the external logging solution. Setup is easy on each logging platform and typically only requires a few attributes to integrate.
Within the Admin Console, the default "Recent Activity" report contains 16 event types. Keeper's Advanced Reporting and Alerts module supports approximately 100 event types.
The events captured by Keeper Enterprise are visible in the drop-down menus for report and alert configuration.
By default, BreachWatch events from the end-user devices are not collected and transmitted to the Advanced Reporting & Alerts module. These events are managed by the Role policy. To activate this feature, visit the Role > Enforcement Policies > Vault Features and toggle Send BreachWatch events to Reporting & Alerts and connected external logging systems "on".
A list of all available events captured by the Keeper Advanced Reporting and Alert Module are provided in the chart below. The Event Code is utilized in the user interface and within the Keeper Commander CLI command parameters. The "Message" field is utilized for the Alerting module.
Within each event, there may be additional attributes such as Record UID, Shared Folder UID, Team UID, Username, etc. These attributes will appear within the event description and they are also provided to the 3rd party SIEM provider in the format as specified by the destination.
Below are examples of 2 events in JSON format that are sent. Note that Record UID is provided with the "record_update" event since it relates to a specific record.
Below is an example of a Syslog-format event that can be exported via Keeper Commander or into the 3rd party SIEM solution:
Note that "enterprise_id" is useful for distinguishing different Keeper Enterprise tenants within the same SIEM collector.
The event data references several types of UID values such as Record UID, Shared Folder UID and Team UID. The Record UID and Shared Folder UID can be found either through the Keeper Commander CLI or through the Web Vault user interface.
The Keeper Commander CLI provides command-line and SDK integration into Keeper's reporting system for more advanced use cases. The event data can be used for generating actionable reports.
Please see the following reporting related commands for more information:
Details on what triggers each event
Integrating Keeper SIEM push to Splunk Enterprise
Keeper supports event streaming into Splunk Cloud and Splunk Enterprise deployments. External logging is real-time, and new events will appear almost immediately.
An example configuration is displayed below. Note that the Host field should contain only the domain portion of the collector URL.
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Cloud deployments.
The standard form for the HEC URL in self-service Splunk Cloud is as follows:
In Keeper, you only need to supply the domain portion of the URL. For example:
Host: input-prd-p-2dm85a8f6db.cloud.splunk.com
Port: 8088
Token: HEC token generated in Splunk
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Managed Cloud deployments. The standard form for the HEC URL in managed Splunk Cloud is as follows:
In Keeper, you only need to supply the domain portion of the URL. For example:
Host: http-inputs-prd-p-2dm85a8f6db.splunkcloud.com
Port: 443
Token: HEC token generated in Splunk
Ensure that your endpoint has the "Indexer Acknowledgement" feature disabled.
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Enterprise and Splunk Cloud deployments. To configure Keeper with Splunk, a few things to note:
Instructions on creating a HEC for Keeper can be found on Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/UsetheHTTPEventCollector
Keeper requires that the collector endpoint uses SSL with a valid certificate signed by a certificate authority. If the collector is not using SSL, Keeper will reject the connection.
The collector endpoint URI needs to be accessible from Keeper's servers. See the AllowList section below for a list of IP addresses.
(1) In the Splunk interface, create a new HEC or select an existing collector.
(2) Generate a token and store it for Step 4.
(3) In the Global Settings, ensure that "Enable SSL" is selected and ensure that the collector is configured to use SSL.
(4) On Keeper, plug in the endpoint Host, Port and Token from the HEC. In Keeper, you only need to supply the domain portion of the URL.
(5) Click on "Test Connection" to ensure that the connection is successful. If it's successful, the "Save" button will become active. If there is a communications error, nothing will happen or you will receive an error message.
(6) Click "Save" to activate the collector. Keeper will then show the active status.
If the status shows "Paused", it could mean that there was a communications error when transmitting events to the Splunk server. A common reason for this is because the HEC is not using SSL with a valid certificate signed by a certificate authority (CA).
As stated above, the HEC in Splunk Enterprise must be secured with SSL having a certificate that is signed by a certificate authority. As a way to check this from a Mac or Linux command line, type the following (replacing your endpoint URI and Token):
If you receive an error about the SSL certificate like below, then it's not configured correctly.
If adding "-k" to the curl request (which skips certificate verification) produces a successful response, the HEC's certificate is either not signed by a trusted CA or is missing its intermediate chain. That is exactly the condition Keeper's servers reject, so fix the certificate rather than the network path.
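The two curl checks above can be scripted so the endpoint is validated before it is entered into the Admin Console. The following is an added example (not Keeper's or Splunk's code): it performs a strict TLS handshake the way Keeper's servers would, then repeats it with verification disabled (the curl "-k" equivalent) so a certificate problem can be told apart from a connectivity problem. It also reduces any of the HEC URL forms shown in this guide to the host and port that Keeper asks for. The host names in it are placeholders.

```python
"""Pre-flight check for a Splunk HEC endpoint before pointing Keeper at it.

Added example (not Keeper's or Splunk's code). Strict mode fails the way
Keeper's servers fail on a self-signed or mis-chained certificate; the
verification-disabled retry is the curl "-k" equivalent that shows whether
the problem is the certificate or the network.
"""
import json
import socket
import ssl
from urllib.parse import urlsplit

HEC_PATH = "/services/collector/event"   # standard Splunk HEC event endpoint


def hec_host_port(endpoint: str, default_port: int = 8088) -> tuple[str, int]:
    """Reduce any HEC URL form to the (host, port) pair Keeper's Host/Port fields want.

    Accepts 'host', 'host:port' or a full https URL with a path and strips
    the scheme and path, since Keeper takes only the domain portion.
    """
    if "://" not in endpoint:
        endpoint = "https://" + endpoint
    parts = urlsplit(endpoint)
    if not parts.hostname:
        raise ValueError(f"no host in {endpoint!r}")
    return parts.hostname, parts.port or default_port


def tls_verdict(host: str, port: int, timeout: float = 5.0) -> dict:
    """Describe whether the endpoint passes CA + hostname validation."""
    result = {"host": host, "port": port, "strict_ok": False,
              "insecure_ok": False, "error": None}
    strict = ssl.create_default_context()          # CA chain + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                result["strict_ok"] = True
                return result
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message        # e.g. "self-signed certificate"
    except OSError as exc:
        result["error"] = str(exc)
        return result                               # network problem, not a cert problem

    insecure = ssl.create_default_context()        # curl -k equivalent
    insecure.check_hostname = False
    insecure.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with insecure.wrap_socket(raw, server_hostname=host):
                result["insecure_ok"] = True
    except OSError:
        pass
    return result


def explain(verdict: dict) -> str:
    """Map the two connection outcomes to the diagnosis the text describes."""
    if verdict["strict_ok"]:
        return "OK: certificate chains to a trusted CA and matches the host name"
    if verdict["insecure_ok"]:
        return f"CERT PROBLEM: {verdict['error']} (works only with verification off)"
    return f"CONNECTIVITY PROBLEM: {verdict['error']}"


def hec_curl_command(host: str, port: int, token: str) -> str:
    """Build the equivalent manual curl request against the HEC (placeholder token)."""
    payload = json.dumps({"event": "keeper connectivity test"})
    return (f"curl https://{host}:{port}{HEC_PATH} "
            f"-H 'Authorization: Splunk {token}' -d '{payload}'")


if __name__ == "__main__":
    host, port = hec_host_port("https://hec.example.internal:8088/services/collector")
    print(explain(tls_verdict(host, port)))
    print(hec_curl_command(host, port, "<HEC token>"))
```

Run it against the collector host before clicking "Test Connection"; a "CERT PROBLEM" verdict means the Admin Console test will fail (or the sync will later show "Paused") until the HEC presents a CA-signed certificate with its full chain.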
To configure Splunk Enterprise for SSL on the collector, refer to the documentation. The local/server.conf file should be modified to include the [sslConfig] section that enables SSL on the splunkd service with a bundled certificate file chain.
The certificate file chain (my_bundle.pem) can be created by concatenating the certificate, private key and CA certs such as below:
For additional details, see the Splunk Enterprise documentation related to securing Splunk with SSL: https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/AboutsecuringyourSplunkconfigurationwithSSL https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Securingyourdeploymentserverandclients
Once activated, the event logs will stream automatically from Keeper's backend servers to the Splunk HEC. As seen in the screenshot below, the event logs will contain the event type, client application version, IP address, timestamp and username of the Keeper user.
Ensure that your Firewall allows traffic from Keeper servers. See Firewall Configuration page.
Integrating Keeper SIEM push to Sumo Logic
Keeper supports event streaming into Sumo Logic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
The Sumo Logic integration requires a single sync URL.
To configure an HTTP Logs and Metrics Source:
In Sumo Logic, select Manage Data > Collection > Collection.
In the Collectors page, click Add Source next to a Hosted Collector.
Select HTTP Logs & Metrics.
Enter a Name to display for the Source in the Sumo web application. Description is optional.
(Optional) For Source Host and Source Category, enter any string to tag the output collected from the source. (Category metadata is stored in a searchable field called _sourceCategory.)
SIEM Processing. This option is present if Cloud SIEM Enterprise (CSE) is enabled. Click the checkbox to send the logs collected by the source to CSE.
Fields. Click the +Add Field link to define the fields you want to associate, each field needs a name (key) and value.
A green circle with a check mark is shown when the field exists in the Fields table schema.
An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
When the URL associated with the source is displayed, copy the URL so you can use it to upload data.
When you are finished configuring the Source, click Save.
Processing Rules. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in Create a Processing Rule. Processing rules are applied to log data, but not to metric data.
Integrating Keeper SIEM push to LogRhythm
Keeper supports event streaming into LogRhythm deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
LogRhythm uses a standard "Syslog" push capability over TCP.
Ports: TCP 514 (plaintext) and 6514 (TLS)
Fields exported: audit_event, username, client_version, remote_address, channel, result_code, email, to_username, client_version_new, username_new, file_format, record_uid, folder_uid, folder_type, shared_folder_uid, attachment_id, team_uid, role_id
Payload format: pipe-delimited, e.g. audit_event=login|username=bob@foo.com|...
Important: Ensure the endpoint presents a valid CA-signed SSL certificate whose subject name (or subject alternative name) matches the host name you configure, and that the server sends the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also ensure that your LogRhythm server allows traffic from Keeper's servers; see the Firewall Configuration page.
Integrating Keeper SIEM push to standard Syslog endpoints
Keeper supports event streaming into standard TCP Syslog collectors. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
Keeper supports a standard "Syslog" push capability over TCP.
Ports: TCP 514 (plaintext) and 6514 (TLS). Prefer 6514 so the audit stream is encrypted in transit; on 514 the events cross the network in the clear.
Fields exported: audit_event, username, client_version, remote_address, channel, result_code, email, to_username, client_version_new, username_new, file_format, record_uid, folder_uid, folder_type, shared_folder_uid, attachment_id, team_uid, role_id
Payload format: pipe-delimited, e.g. audit_event=login|username=bob@foo.com|...
Important: Ensure the endpoint presents a valid CA-signed SSL certificate whose subject name (or subject alternative name) matches the host name you configure, and that the server sends the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate.
Also ensure that your syslog server allows traffic from Keeper's servers. See the Firewall Configuration page.
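The pipe-delimited payload described for the syslog integrations (and the field list above) is simple to parse on the collector side, and the event format section earlier in this guide notes which attributes (record_uid, shared_folder_uid, remote_address, ...) ride along with each event. The following is an added example, not Keeper code: a parser for that payload plus a small detection that flags a successful login from an address not previously seen for that user. The sample lines are constructed for this example, and the syslog header in front of each line is an assumption about how a collector would present it; only the key=value body follows the format the page states.

```python
"""Parse Keeper's pipe-delimited syslog payload and run a simple detection over it.

Added example (not Keeper code). The body format "audit_event=login|username=...|..."
is the one this guide describes; the sample lines and their syslog header are
constructed for the example.
"""
from collections import defaultdict
import re

# Field names Keeper exports, per the syslog integration tables in this guide.
KEEPER_FIELDS = {
    "audit_event", "username", "client_version", "remote_address", "channel",
    "result_code", "email", "to_username", "client_version_new", "username_new",
    "file_format", "record_uid", "folder_uid", "folder_type",
    "shared_folder_uid", "attachment_id", "team_uid", "role_id",
}

# Constructed sample lines (not real Keeper output).
SAMPLE_LINES = [
    "<14>Jun 01 12:00:01 keeper: audit_event=login|username=bob@foo.com|remote_address=203.0.113.10|client_version=Web App 16.3.5|result_code=success",
    "<14>Jun 01 12:00:09 keeper: audit_event=record_update|username=bob@foo.com|remote_address=203.0.113.10|record_uid=AbC123|client_version=Web App 16.3.5",
    "<14>Jun 01 12:05:33 keeper: audit_event=login|username=bob@foo.com|remote_address=198.51.100.7|client_version=Android 16.2.0|result_code=success",
    "<14>Jun 01 12:06:02 keeper: audit_event=login|username=alice@foo.com|remote_address=203.0.113.10|client_version=Web App 16.3.5|result_code=success",
]

_PAYLOAD_START = re.compile(r"\baudit_event=")


def parse_keeper_syslog(line: str) -> dict:
    """Return the key/value pairs of one Keeper syslog line.

    Anything before the first 'audit_event=' is treated as the syslog header
    and ignored; the remainder is split on '|' and each part on its first '='.
    Keys outside the documented field list are kept but also listed under
    '_unknown' so schema drift is visible to whoever maintains the parser.
    """
    m = _PAYLOAD_START.search(line)
    if not m:
        raise ValueError("no Keeper payload in line")
    fields, unknown = {}, []
    for part in line[m.start():].split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            continue                       # tolerate a trailing '|'
        fields[key] = value
        if key not in KEEPER_FIELDS:
            unknown.append(key)
    if unknown:
        fields["_unknown"] = unknown
    return fields


def new_address_logins(events):
    """Flag logins from a remote_address not previously seen for that user.

    The first address seen for a user is treated as baseline, not as an alert.
    """
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        if ev.get("audit_event") != "login":
            continue
        user, addr = ev.get("username"), ev.get("remote_address")
        if addr in seen[user]:
            continue
        if seen[user]:
            alerts.append((user, addr, ev.get("client_version")))
        seen[user].add(addr)
    return alerts


def run(lines=SAMPLE_LINES):
    """Parse the lines in order and return the new-address login alerts."""
    events = [parse_keeper_syslog(line) for line in lines]
    return new_address_logins(events)


if __name__ == "__main__":
    for user, addr, client in run():
        print(f"login for {user} from new address {addr} ({client})")
```

In a real deployment the baseline of known addresses would be persisted rather than rebuilt per batch, and the same parser feeds the other correlations the field list allows (record_uid access by users outside a team, role_id changes, and so on).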
Integrating Keeper SIEM event pushes to IBM QRadar
Keeper supports event streaming into IBM QRadar deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
QRadar uses a standard "Syslog" push capability over TCP.
Ports: TCP 514 (plaintext) and 6514 (TLS)
Fields exported: audit_event, username, client_version, remote_address, channel, result_code, email, to_username, client_version_new, username_new, file_format, record_uid, folder_uid, folder_type, shared_folder_uid, attachment_id, team_uid, role_id
Payload format: pipe-delimited, e.g. audit_event=login|username=bob@foo.com|...
Important: Ensure the endpoint presents a valid CA-signed SSL certificate whose subject name (or subject alternative name) matches the host name you configure, and that the server sends the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also ensure that your QRadar server allows traffic from Keeper's servers; see the Firewall Configuration page.
Integrating Keeper SIEM event pushes to Azure Sentinel and Log Analytics
Keeper supports event streaming into Azure Sentinel / Log Analytics environments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
In Azure, go to Log Analytics workspaces > Select Workspace and then "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.
Integrating Keeper SIEM push to an Amazon S3 bucket endpoint
Keeper supports event streaming into an Amazon S3 bucket. Setup instructions are below.
(1) In AWS, create an S3 bucket and ensure that its permissions are locked down (no public access).
(2) Create an IAM user without console access and attach a policy that only allows putting objects into that bucket. Example below.
(3) Generate an access key and secret key, and provide them to the Admin Console along with the bucket name. You can select the time interval for file uploads, and the file format, which includes:
JSON
Syslog
CSV
For the Bucket Name, provide a full ARN that includes the region. For example:
arn:aws:s3:us-west-2::my-keeper-events
Files are posted only when events occur during the interval. In the example below, JSON files are posted every hour in which there is activity in the system.
If you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.
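For step (2), the policy attached to the push-only user should grant nothing beyond writing objects into the one bucket. The following is an added example (not Keeper's or AWS's code) that builds such a policy document and checks a candidate policy so an over-broad one (s3:* or a wildcard resource) is caught before the access key is handed to the Admin Console. The bucket name is a placeholder, and the resource uses the standard IAM object ARN form arn:aws:s3:::bucket/*; this is separate from the region-qualified ARN string that the Admin Console's Bucket Name field expects.

```python
"""Least-privilege IAM policy for the Keeper-to-S3 event push.

Added example (not Keeper's or AWS's code). Builds a put-only policy for one
bucket and flags candidate policies that grant more than the push needs.
"""
import json

# The only action the file upload needs (compared case-insensitively).
ALLOWED_ACTIONS = {"s3:putobject"}


def put_only_policy(bucket: str) -> dict:
    """Policy that can only write objects into this one bucket.

    s3:PutObject is an object-level action, so the resource is the object
    ARN pattern (bucket/*), not the bucket ARN itself.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "KeeperEventPushPutOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_problems(policy: dict, bucket: str) -> list:
    """Return findings for Allow statements; an empty list means the policy is as tight as the push needs."""
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    allow_statements = [st for st in policy.get("Statement", []) if st.get("Effect") == "Allow"]
    if not allow_statements:
        return ["no Allow statement"]
    for st in allow_statements:
        for action in _as_list(st.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"unneeded action {action!r}")
        for res in _as_list(st.get("Resource")):
            if res == "*" or res.endswith(":*"):
                findings.append(f"wildcard resource {res!r}")
            elif res != expected_resource:
                findings.append(f"resource {res!r} is not {expected_resource!r}")
    return findings


if __name__ == "__main__":
    policy = put_only_policy("my-keeper-events")
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy, "my-keeper-events"))
```

Because the user has no console access and no read permission, a leaked access key lets an attacker add files to the bucket but not read the audit history already there; rotate the key in IAM and re-enter it in the Admin Console if it is ever exposed.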
Integrating Keeper SIEM push to Devo
Keeper supports event streaming into Devo deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
Devo uses a standard "Syslog" push capability over TCP.
Ports: TCP 514 (plaintext) and 6514 (TLS)
Fields exported: audit_event, username, client_version, remote_address, channel, result_code, email, to_username, client_version_new, username_new, file_format, record_uid, folder_uid, folder_type, shared_folder_uid, attachment_id, team_uid, role_id
Payload format: pipe-delimited, e.g. audit_event=login|username=bob@foo.com|...
Important: Ensure the endpoint presents a valid CA-signed SSL certificate. Keeper's systems will refuse to connect to an invalid or self-signed endpoint. Also ensure that your Devo server allows traffic from Keeper's servers; see the Firewall Configuration page.
Integrating Keeper SIEM push to Datadog
Keeper supports event streaming into Datadog deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
The Datadog integration requires two fields:
URL (For example: datadoghq.com or datadoghq.eu)
API Key
To retrieve an API Key, please follow the below instructions
In the Datadog interface, go to Organization Settings > API Keys
Create a new API key
Ensure that your API Key matches up with the destination server where your Datadog environment is hosted.
Integrating Keeper SIEM push to Logz.io
Keeper supports event streaming into Logz.io deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
Logz.io uses its HTTPS listener.
The connection to Logz.io requires two fields:
Host (e.g. mycompany.logz.io)
Token
Please refer to your Logz.io documentation for generating a security token.
Important: Ensure the endpoint presents a valid CA-signed SSL certificate whose subject name (or subject alternative name) matches the host name you configure, and that the server sends the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also ensure that your Logz.io endpoint allows traffic from Keeper's servers; see the Firewall Configuration page.
Integrating Keeper SIEM push to Elastic
Keeper supports event streaming into Elastic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
Elastic integration uses a TCP push to the destination endpoint. The fields required are:
Host (e.g. mycompany.gcp.cloud.us.io:9243)
Search Index (e.g. keeper)
API Key
Please refer to the Elastic documentation for generating an API key:
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html
Important: Ensure the endpoint presents a valid CA-signed SSL certificate whose subject name (or subject alternative name) matches the host name you configure, and that the server sends the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also ensure that your Elastic server allows traffic from Keeper's servers; see the Firewall Configuration page.
If Keeper is unable to connect to your Elastic instance, please check the following:
In the host field, do not type http or https
Make sure to include the port
If you are using a "Space", add the space name to the end of the Host field after the port. For example: example-elastic01.us-east.found.io:9243/s/spacename
Make sure any firewall in front of Elastic is configured per this page
Ingress Requirements for direct SIEM push
Event logs configured through the Keeper Admin Console are pushed from Keeper's backend logging system through a static set of IP addresses. For added security, you can lock down your SIEM HTTP collector to the specific IP/ports listed below.
For customers who are receiving inbound requests from the Keeper production environment, use the below IP addresses. This applies to SIEM event reporting and SSO Cloud Automator.
34.194.242.137/32
18.235.39.229/32
54.208.20.102/32 (Connection verification only)
34.203.159.189/32 (Connection verification only)
54.246.149.209/32
34.250.37.43/32
52.210.163.45/32 (Connection verification only)
54.246.185.95/32 (Connection verification only)
54.206.253.126/32
52.64.85.78/32
3.106.40.41/32 (Connection verification only)
54.206.208.132/32 (Connection verification only)
18.253.101.55/32
18.253.102.58/32
18.252.135.74/32 (Connection verification only)
18.253.212.59/32 (Connection verification only)
CA / Canada Hosted Customers
35.182.155.224/32
35.182.216.11/32 (Connection verification only)
15.223.136.134/32 (Connection verification only)
JP / Tokyo Hosted Customers
35.74.131.237/32
54.150.11.204/32 (Connection verification only)
52.68.53.105/32 (Connection verification only)
After external logging is established, it may be automatically paused if the external system becomes unavailable and the number of queued events reaches a threshold of 50. If this happens, you must manually resume external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you are notified when external logging is paused.
SIEM event push to local or on-prem endpoints using Keeper Commander
In addition to using the user interface for generating custom reports, Keeper supports a command-line interface (CLI) and Python SDK to programmatically generate reports. Keeper Commander is an open source tool that provides command-line access and automation / integration capabilities.
Learn about Keeper Commander here: https://docs.keeper.io/secrets-manager/commander-cli
For example, below is a screenshot of the "audit-report" command usage which can be used to generate custom reports through the CLI:
Keeper Commander also integrates into 3rd party SIEM solutions that operate on-premise. For a comprehensive look at how Keeper Commander can be utilized in your environment, please visit the Documentation Portal for Keeper Commander SDK. If you require assistance with Keeper Commander, please contact commander@keepersecurity.com.