Azure Monitor for Microsoft Sentinel

Integration of Keeper ARAM events with Azure Monitor

Overview

Azure Monitor and Microsoft Sentinel are related as Sentinel leverages Azure Monitor's infrastructure for log management and data collection. Azure Monitor provides the foundational platform, including Log Analytics and the Azure Monitor Agent, on which Sentinel is built. Sentinel then uses this data for security information and event management (SIEM) capabilities.

Keeper supports event streaming directly into Azure Monitor Log Analytics Workspace tables using the Azure Logs Ingestion API. As of January 2025, this is the preferred method and API used for streaming event data into Azure logs.

Setup Instructions

Go to the Azure Portal to begin the setup.

Step 1. Create an App Registration

The Azure App Registration is used to authenticate API requests to the Logs Ingestion API.

  • Navigate to App registrations > New Registration.

Fill out the form:

  • Name: KeeperLogging

  • Supported Account Types: Use the default option (Single tenant).

  • Leave Redirect URI blank for now.

  • Click Register.

After registering:

  • Click on "Expose an API"

  • Click "Set" for the Application ID URI

  • Accept the default suggested URI (it should be something like api://[client-id])

Step 2. Create Client Secret

From the App Registrations section of Azure, open KeeperLogging and go to Manage > Certificates & Secrets > New Client Secret.

  • Add a description and expiration period.

  • Copy the generated "Value" and store it in your Keeper vault. Azure shows the value only once; if you lose it, create a new secret.

  • Save this value for the last step ("Client Secret Value").

On the "Overview" screen, also note the Directory (tenant) ID and Display Name.

Save the following entries for later:

  • Directory (tenant) ID (shown on the App registrations page)

  • Application (client) ID

  • Client Secret ID

  • Client Secret Value

Note the expiration date you chose: when the secret expires, Keeper can no longer obtain tokens and event streaming stops until you create a new secret and update it in the Admin Console.

Step 3. Create Log Analytics Workspace

A Log Analytics Workspace is the core resource where Azure Monitor collects and stores log data. If you already have one, you can skip this step.

  • From Azure, go to Log Analytics Workspaces

  • Click Create and configure:

    • Subscription: Choose your Azure subscription.

    • Resource Group: Create a new resource group or select an existing one.

    • Name: Give your workspace a meaningful name (e.g., KeeperLogsWorkspace).

    • Region: Choose a region

  • Click Review + Create and then Create.

Step 4. Assign Role to App Registration

You need to assign the KeeperLogging application the role of "Log Analytics Contributor" on the Log Analytics Workspace. From the Log Analytics Workspace:

  • Click on the Workspace (e.g. KeeperDemo1)

  • Select Access control (IAM) > Role assignments

  • Click Add > Add role assignment

  • Type "Log Analytics Contributor" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

Step 5. Create a Data Collection Endpoint (DCE)

The Data Collection Endpoint is required before you can create a Data Collection Rule.

  • From Azure, open Data Collection Endpoints (DCE)

  • Search for "Data Collection Endpoints" and click Create.

Configure the following:

  • Subscription: Select your Azure subscription.

  • Resource Group: Use the same resource group you plan to use for the DCR.

  • Region: Choose a region

  • Name: Give it a meaningful name (e.g., KeeperLogsEndpoint).

Note the "Logs Ingestion URL" which is used later.

Example: keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com

Step 6. Create a Table and DCR

From the Log Analytics workspaces, open the Keeper workspace, select "Tables" and create a new table.

  • Select "New custom log (DCR-based)".

  • In this example, we are calling it "KeeperLogs".

  • Create a new Data Collection Rule (e.g. KeeperDCR) and select the Data Collection Endpoint from Step 5.

  • Save the JSON below as a file on your computer. When prompted, upload it as a Data Sample:

    [
      {
        "TimeGenerated": "2025-01-23T01:31:11.123Z",
        "audit_event": "some_event",
        "remote_address": "10.15.12.192",
        "category": "some_category_id",
        "client_version": "EMConsole.17.0.0",
        "username": "[email protected]",
        "enterprise_id": 1234,
        "timestamp": "2025-01-23T01:31:11.123Z",
        "data": {
          "node_id": "abc12345",
          "record_uid": "B881237126",
          "folder_uid": "BCASD12345",
          "some_flag": true
        }
      },
      {
        "TimeGenerated": "2025-01-23T01:31:11.124Z",
        "audit_event": "some_event",
        "remote_address": "10.15.12.192",
        "category": "some_category_id",
        "client_version": "EMConsole.17.0.0",
        "username": "[email protected]",
        "enterprise_id": 1234,
        "timestamp": "2025-01-23T01:31:11.123Z",
        "data": {
          "node_id": "abc12345",
          "record_uid": "B881237126",
          "folder_uid": "BCASD12345",
          "some_flag": true
        }
      },
      {
        "TimeGenerated": "2025-01-23T01:31:11.125Z",
        "audit_event": "some_event",
        "remote_address": "10.15.12.192",
        "category": "some_category_id",
        "client_version": "EMConsole.17.0.0",
        "username": "[email protected]",
        "enterprise_id": 1234,
        "timestamp": "2025-01-23T01:31:11.123Z",
        "data": {
          "node_id": "abc12345",
          "record_uid": "B881237126",
          "folder_uid": "BCASD12345",
          "some_flag": true
        }
      }
    ]

Keep the TimeGenerated field in the sample: it is the table's required timestamp column, and Azure derives the table schema from this sample.

Review the change and submit the request to create the table.

In this example, it shows up as KeeperLogs_CL (Azure appends the _CL).

Step 7. Assign App Permissions to DCR

From the Data collection rules (DCR) area of Azure:

  • Click on the DCR (e.g. KeeperDCR)

  • Select Access control (IAM) > Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the KeeperLogging application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".

Of these, "Monitoring Metrics Publisher" is the role the Logs Ingestion API requires for sending data to the DCR. The other two grant broader read/write rights over monitoring configuration; if your least-privilege policy requires it, add only the publisher role and verify ingestion still works.

Step 8. Assign App Permissions to DCE

From the Data collection endpoints (DCE) area of Azure:

  • Click on the DCE (e.g. KeeperLogsEndpoint)

  • Select Access control (IAM) > Role assignments

  • Click Add > Add role assignment

  • Type "Monitoring Metrics Publisher" and select that role

  • Click "+Select members" and select the "KeeperLogging" application from the list

  • Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor".

At this point, everything is configured on the Azure side. Next, set up the Admin Console.

Step 9. Update Admin Console

In the Keeper Admin Console, log in as the Keeper Administrator. Then go to Reporting & Alerts and select "Azure Monitor Logs".

Provide the following information from above into the Admin Console:

  • Azure Tenant ID: The Directory (tenant) ID noted in Step 2. It is also shown in Azure's "Subscriptions" area.

  • Application (client) ID: This is located in the App registration (KeeperLogging) overview screen

  • Client Secret Value: This is the Client Secret Value from the app registration secrets (Step 2).

  • Endpoint URL: This is a URL that is created in the following specific format:

    https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/<TABLE>?api-version=2023-01-01

To assemble the Endpoint URL:

  • <Collection_URL> The "Logs Ingestion URL" of the Data Collection Endpoint from Step 5 (host name only, e.g. keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com)

  • <DCR_ID> From the Data Collection Rule, copy the "Immutable Id" value, e.g. dcr-xxxxxxx (this is not the DCR's Azure resource ID)

  • <TABLE> This is the stream name of the table created by Azure, e.g. Custom-KeeperLogs_CL (the "Custom-" prefix is part of the stream name)

Setup Complete!

When SIEM logs are sent from Keeper to Azure Monitor, the data will begin to populate in the Custom Logs table in a few minutes.


Troubleshooting

Just for the purpose of testing, you can generate a Bearer Token and send an API request to the Azure Monitor API to understand how the process works. This exercises exactly the credentials and URL you entered in the Admin Console, so a failure here (HTTP 401 or 403) points at the app registration, the role assignments in Steps 7 and 8, or a mis-assembled Endpoint URL.

Get a Bearer Token

Replace the following:

<Tenant_ID> Your Tenant ID from Step 9 above

<Application_ID> The Application (client) ID from Step 9 above

<Client_Secret_Value> This is the Client Secret Value from Step 9 above

The scope must change based on the environment:

  • Azure public cloud: https://monitor.azure.com (token endpoint login.microsoftonline.com)

  • Azure US Government cloud: https://monitor.azure.us (token endpoint login.microsoftonline.us)

    curl -X POST 'https://login.microsoftonline.com/<Tenant_ID>/oauth2/v2.0/token' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'client_id=<Application_ID>' \
    --data-urlencode 'client_secret=<Client_Secret_Value>' \
    --data-urlencode 'scope=https://monitor.azure.com/.default'

Executing this curl request will produce a token:

    {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxx"}

The client secret typed on a command line ends up in your shell history; clear it afterwards or run the test from a script that reads the secret from your vault.

Use the token and send a Curl request for a Keeper event log in the next step.

Send SIEM Events

Send a Curl request as seen below. Replace the following:

<ENDPOINT_URL> The constructed URL from above.

<TOKEN> The Bearer token from above

Note: The bearer token will expire after 1 hour.

    curl -X POST "<ENDPOINT_URL>" \
    -H "Authorization: Bearer <TOKEN>" \
    -H "Content-Type: application/json" \
    -d '[
        {
          "TimeGenerated": "2025-01-23T01:31:11.123Z",
          "audit_event": "event_one",
          "remote_address": "10.15.12.192",
          "category": "msp",
          "client_version": "EMConsole.17.0.0",
          "username": "[email protected]",
          "enterprise_id": 1234,
          "timestamp": "2025-01-23T01:31:11.123Z",
          "data": {
            "node_id": "abc12345",
            "record_uid": "B881237126",
            "folder_uid": "BCASD12345",
            "some_flag": true
          }
        },
        {
          "TimeGenerated": "2025-01-23T01:31:11.124Z",
          "audit_event": "event_two",
          "remote_address": "10.15.12.192",
          "category": "general",
          "client_version": "EMConsole.17.0.0",
          "username": "[email protected]",
          "enterprise_id": 1234,
          "timestamp": "2025-01-23T01:31:11.123Z",
          "data": {
            "node_id": "abc12345",
            "record_uid": "B881237126",
            "folder_uid": "BCASD12345",
            "some_flag": true
          }
        },
        {
          "TimeGenerated": "2025-01-23T01:31:11.125Z",
          "audit_event": "event_three",
          "remote_address": "10.15.12.192",
          "category": "security",
          "client_version": "EMConsole.17.0.0",
          "username": "[email protected]",
          "enterprise_id": 1234,
          "timestamp": "2025-01-23T01:31:11.123Z",
          "data": {
            "node_id": "abc12345",
            "record_uid": "B881237126",
            "folder_uid": "BCASD12345",
            "some_flag": true
          }
        }
      ]'

A successful request returns HTTP 204 No Content with an empty body. The events will show up in the Log Analytics Workspace after a few minutes.
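The same test as a script, added here as an example (this is not Keeper's or Microsoft's code): it assembles the Endpoint URL from its three parts, requests a client-credentials token with the cloud-specific authority and scope, and POSTs a batch of events. The tenant, client, DCR and secret values are constructed placeholders, and the script ships with an offline stand-in for urlopen so it runs without a tenant; pass urllib.request.urlopen to demo() for a live run.

```python
"""Added example: Logs Ingestion API test client (token + URL assembly + POST)."""
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"

# Token authority and Azure Monitor resource per cloud; the scope is <resource>/.default.
CLOUDS = {
    "public": ("https://login.microsoftonline.com", "https://monitor.azure.com"),
    "usgov": ("https://login.microsoftonline.us", "https://monitor.azure.us"),
}


def build_endpoint_url(collection_url, dcr_id, stream):
    """https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/<TABLE>?api-version=...

    Rejects the common mistakes: DCE URL pasted with a scheme or trailing slash
    (tolerated), a DCR resource ID instead of its Immutable Id, and the table
    name (KeeperLogs_CL) instead of the stream name (Custom-KeeperLogs_CL).
    """
    host = collection_url.removeprefix("https://").strip("/")
    if not dcr_id.startswith("dcr-"):
        raise ValueError("DCR_ID must be the DCR's Immutable Id, e.g. dcr-xxxxxxxx")
    if not stream.startswith("Custom-"):
        raise ValueError("TABLE is the stream name, e.g. Custom-KeeperLogs_CL")
    return (f"https://{host}/dataCollectionRules/{dcr_id}"
            f"/streams/{stream}?api-version={API_VERSION}")


def token_request(tenant_id, client_id, client_secret, cloud="public"):
    """Return (url, form body) for the client-credentials grant used by the curl example."""
    authority, resource = CLOUDS[cloud]
    url = f"{authority}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }).encode()
    return url, body


def encode_events(events):
    """Serialize the batch; every record needs TimeGenerated (the table's timestamp column)."""
    for i, event in enumerate(events):
        if "TimeGenerated" not in event:
            raise ValueError(f"event {i} has no TimeGenerated field")
    return json.dumps(events).encode()


def _post(url, data, headers, opener):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with opener(req) as resp:
        return resp.status, resp.read()


def get_token(tenant_id, client_id, client_secret, cloud="public", opener=urllib.request.urlopen):
    url, body = token_request(tenant_id, client_id, client_secret, cloud)
    status, raw = _post(url, body, {"Content-Type": "application/x-www-form-urlencoded"}, opener)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    return json.loads(raw)["access_token"]


def send_events(endpoint_url, token, events, opener=urllib.request.urlopen):
    """POST the batch; the Logs Ingestion API answers 204 No Content on success."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, raw = _post(endpoint_url, encode_events(events), headers, opener)
    if status != 204:
        raise RuntimeError(f"ingestion failed: HTTP {status} {raw[:200]!r}")
    return status


# Offline stand-in for urllib.request.urlopen (constructed; records what would be sent).
class _StubResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


SENT = []  # (url, body bytes) pairs recorded by the stub


def stub_opener(req):
    SENT.append((req.full_url, req.data))
    if req.full_url.endswith("/oauth2/v2.0/token"):
        return _StubResponse(200, b'{"token_type":"Bearer","expires_in":3599,"access_token":"xxxxx"}')
    return _StubResponse(204, b"")


SAMPLE_EVENTS = [  # constructed, shaped like the page's sample
    {"TimeGenerated": "2025-01-23T01:31:11.123Z", "audit_event": "event_one",
     "remote_address": "10.15.12.192", "category": "msp", "username": "user@example.com",
     "enterprise_id": 1234, "timestamp": "2025-01-23T01:31:11.123Z", "data": {"node_id": "abc12345"}},
]


def demo(opener=stub_opener):
    endpoint = build_endpoint_url("keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com",
                                  "dcr-1234567890abcdef", "Custom-KeeperLogs_CL")  # placeholders
    token = get_token("00000000-0000-0000-0000-000000000000",
                      "11111111-1111-1111-1111-111111111111", "client-secret-value", "public", opener)
    return send_events(endpoint, token, SAMPLE_EVENTS, opener)


if __name__ == "__main__":
    print(demo())
```

With the stub, demo() returns 204; against a real tenant the same code path returns 204 only when the app registration, the role assignments and the URL are all correct, which makes it a quicker check than re-entering values in the Admin Console.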

    Microsoft Sentinel

    Legacy Azure Sentinel

    Integrating Keeper SIEM event pushes to Azure Sentinel and Log Analytics

    Microsoft has deprecated this logging API. Please see the Microsoft Sentinel integration page.

    Overview

    Keeper supports event streaming into Azure Sentinel / Log Analytics environments. This document describes the legacy method of streaming logs (the HTTP Data Collector API), which is being deprecated in 2025. Use the Azure Monitor or Microsoft Sentinel with Azure Marketplace method instead.

    To proceed with this method, in Azure go to Log Analytics workspaces > Select Workspace > Classic "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace. The Workspace Key authorizes anyone who holds it to write to the workspace, so store it in your Keeper vault rather than in scripts or tickets.

    Keeper will immediately start sending event data to the designated Azure Log Analytics workspace, under a custom table named Keeper_CL.

    To view the logs, open the Log Analytics Workspace > Logs > select the Keeper_CL table.

    Troubleshooting

    If you need to troubleshoot the event log APIs, the below Python script will simulate the Keeper backend system sending event logs to your Azure environment. Replace the Workspace ID and Workspace Key before testing it.

    import base64
    import datetime
    import hashlib
    import hmac
    import json
    import requests
    
    # Configuration: Workspace ID and primary/secondary key from
    # Log Analytics workspace > Agents management (classic).
    workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
    workspace_key = 'xxxxxx'
    log_type = 'Keeper'  # Azure stores the records in the custom table Keeper_CL
    
    # Sample body
    body = [
    {
      "audit_event": "role_created",
      "remote_address": "11.22.33.44",
      "category": "policy",
      "client_version": "EMConsole.17.0.0",
      "username": "[email protected]",
      "enterprise_id": 6557,
      "timestamp": "2025-01-12T00:03:44.743Z",
      "role_id": "28162100560074"
    },
    {
      "audit_event": "role_enforcement_changed",
      "remote_address": "11.22.33.55",
      "category": "policy",
      "client_version": "EMConsole.17.0.0",
      "timestamp": "2025-01-13T00:03:44.743Z",
      "username": "[email protected]",
      "enterprise_id": 6557,
      "role_id": "28162100560074",
      "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
      "value": "7"
    },
    {
      "audit_event": "role_enforcement_changed",
      "remote_address": "11.22.33.66",
      "category": "policy",
      "client_version": "EMConsole.17.0.0",
      "timestamp": "2025-01-14T00:03:44.776Z",
      "username": "[email protected]",
      "enterprise_id": 6557,
      "role_id": "28162100560074",
      "enforcement": "SEND_BREACH_WATCH_EVENTS",
      "value": "ON"
    },
    {
      "audit_event": "role_enforcement_changed",
      "remote_address": "11.22.33.77",
      "category": "policy",
      "client_version": "EMConsole.17.0.0",
      "timestamp": "2025-01-15T00:03:44.835Z",
      "username": "[email protected]",
      "enterprise_id": 6557,
      "role_id": "28162100560074",
      "enforcement": "GENERATED_PASSWORD_COMPLEXITY",
      "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
    },
    {
      "audit_event": "audit_alert_sent",
      "category": "usage",
      "client_version": "Keeper Service.1.2.0",
      "username": "ALERT",
      "enterprise_id": 6557,
      "timestamp": "2025-01-16T01:31:11.123Z",
      "origin": "admin_permission_added",
      "name": "XXX123",
      "recipient": "[email protected],+19165551212",
      "username_new": true,
      "client_version_new": true
    }]
    
    body_bytes = json.dumps(body).encode('utf-8')
    method = 'POST'
    content_type = 'application/json'
    resource = '/api/logs'
    # x-ms-date must be RFC 1123 in UTC and is part of the signed string
    # (datetime.utcnow() is deprecated since Python 3.12).
    rfc1123date = datetime.datetime.now(datetime.timezone.utc).strftime('%a, %d %b %Y %H:%M:%S GMT')
    # The signed length is the byte length of the body as sent, not the character count.
    content_length = len(body_bytes)
    
    # SharedKey scheme: HMAC-SHA256 over method, length, content type, date and resource path,
    # keyed with the base64-decoded workspace key.
    signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
    decoded_key = base64.b64decode(workspace_key)
    signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')
    
    headers = {
        'Content-Type': content_type,
        'Authorization': f'SharedKey {workspace_id}:{signature}',
        'Log-Type': log_type,
        'x-ms-date': rfc1123date
    }
    
    uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'
    
    # Send exactly the bytes that were signed; the API returns 200 OK when the batch is accepted.
    response = requests.post(uri, data=body_bytes, headers=headers, timeout=30)
    print(f"Response code: {response.status_code}")
    print(f"Response message: {response.text}")
    if response.status_code != 200:
        raise SystemExit("ingestion failed; check the Workspace ID/Key and the x-ms-date clock skew")

    Microsoft Sentinel with Azure Marketplace

    Quick setup instructions for integrating Keeper SIEM events with Microsoft Sentinel through the Azure Marketplace

    Overview

    This guide walks you through the step-by-step installation and configuration process for the Keeper Security SIEM integration with Microsoft Sentinel. Keeper Security is available in the Content Hub section of Microsoft Sentinel as an out-of-the-box integration in the Commercial and Government regions.

    Commercial: https://portal.azure.com/#create/keepersecurity.keeper-security-integrationkeeper-security-sentinel-1

    Azure Government: https://portal.azure.us/#create/keepersecurity.keeper-security-integrationkeeper-security-sentinel-1

    1. Select Subscription and Plan

    • Choose your Azure Subscription.

    • Select the plan: Keeper Security Integration.

    • Click the Create button.


    2. Configure Basic Project Details

    • Select the Resource Group where the solution should be deployed.

    • Choose the Log Analytics Workspace where the logs will be ingested.

    • Ensure the subscription is correctly selected.


    3. Review and Create

    • Review your selections including:

      • Name

      • Preferred email and phone number

      • Subscription

      • Resource group

      • Workspace

    • Click Create to proceed with deployment.


    4. Access Content Hub in Microsoft Sentinel

    • Open Microsoft Sentinel.

    • Select your workspace (e.g., Keeper301-final).

    • Go to Content Management > Content Hub.

    • Locate Keeper Security and confirm it's installed.


    5. Manage Installed Content

    • Click the Keeper Security row.

    • On the right panel, click Manage to see content details.


    6. View Installed Content Items

    You will find the following components:

    • Keeper Security Push Connector (Data Connector)

    • Password Changed (Analytics Rule)

    • User MFA Changed (Analytics Rule)

    • Keeper Security Dashboard (Workbook)

    Click on Keeper Security Push Connector to configure Entra integration.


    7. Generate Entra Configuration

    • Click the button: Deploy push connector to set the App Registration Secret.

    • This automatically generates:

      • Tenant ID (Directory ID)

      • Application (Client) ID

      • Client Secret

      • Data Collection Endpoint URL

      • Data Collection Immutable ID (DCR ID)

    Copy these values; you'll need them to configure log forwarding from Keeper. The Client Secret is shown only here, so store it in your Keeper vault before leaving the page.


    8. Configure Keeper Admin Console

    Navigate to the Keeper Admin Console → Reporting & Alerts → Azure Monitor Logs and input the details from Step 7:

    • Azure Tenant ID

    • Application (Client) ID

    • Client Secret Value

    • Endpoint URL (assembled as shown below)

    Logs Ingestion URL Format Example:

        https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/Custom-KeeperSecurityEventNewLogs?api-version=2023-01-01

    • Collection_URL: The Data Collection Endpoint URL from Step 7 (host name only).

    • DCR_ID: Use the Immutable ID from the Data Collection Rule (Step 7).

    • Custom-KeeperSecurityEventNewLogs: This is the stream name of the table created by Azure; the table itself appears in the workspace as KeeperSecurityEventNewLogs_CL.


    9. Optional: Enable Analytics Rule - Master Password Changed

    You can optionally enable an Analytics Rule in Microsoft Sentinel to automatically detect when a Keeper user changes their Master Password.

    Step 1. Access Installed Content

    • In Microsoft Sentinel, go to Content Hub → Keeper Security SIEM Integration.

    • Under Installed content items, locate Keeper Security – Password Changed (Analytics Rule).

    • Click on it to start configuration.


    Step 2. Open the Rule Template

    • Select the rule template Keeper Security – Password Changed.

    • On the right panel, click Create rule.

    • This will launch the Analytics Rule Wizard.


    Step 3. Configure General Settings

    • Name: Keeper Security – Password Changed (default).

    • Description: Creates an informational incident when a Keeper Security Password Changed event is detected.

    • Severity: Informational.

    • Status: Keep Enabled.

    • MITRE ATT&CK: Select Persistence (T1556).

    • Click Next: Set rule logic.


    Step 4. Define Rule Logic

    • Use the following query:

        KeeperSecurityEventNewLogs_CL
        | where AuditEvent == "change_master_password"

    ⚠️ Note: Ensure that the table KeeperSecurityEventNewLogs_CL exists (it is created automatically when Keeper logs start flowing into Sentinel). If logs are not yet ingested, the query may return an error during validation.

    • Entity mapping: Username → Account, RemoteAddress → IP

    • Under Event grouping, select Trigger an alert for each event.

    • Click Next: Incident settings.


    Step 5. Configure Incident Settings

    • Enable: Create incidents from alerts triggered by this rule.

    • Alert grouping: Disabled (recommended for password events to capture each one individually).

    • Click Next: Automated response.


    Step 6. Optional – Add Automated Response

    • You may attach a Logic App playbook if you want automated response actions (e.g., notify security team via Teams or email).

    • Otherwise, leave automation rules empty.

    • Click Next: Review + create.


    Step 7. Review and Create

    • Confirm all details:

      • Rule Name

      • Query

      • Severity

    • Click Create to finalize.


    10. Optional: Enable Analytics Rule – User MFA Changed

    You can optionally enable an Analytics Rule in Microsoft Sentinel to automatically detect when a Keeper user changes their multi-factor authentication (MFA) settings. This provides visibility whenever users enable or disable two-factor authentication.


    Step 1. Access Installed Content

    • In Microsoft Sentinel, go to Content Hub → Keeper Security SIEM Integration.

    • Under Installed content items, select Keeper Security – User MFA Changed.

    • Click on it to view the details.


    Step 2. Open the Rule Template

    • Select Keeper Security – User MFA Changed.

    • On the right panel, click Create rule.

    • This will launch the Analytics Rule Wizard.


    Step 3. Configure General Settings

    • Name: Keeper Security – User MFA Changed (default).

    • Description: Creates an informational incident when MFA settings change in Keeper Security.

    • Severity: Informational.

    • Status: Keep Enabled.

    • MITRE ATT&CK: Select Persistence (T1556).

    • Click Next: Set rule logic.


    Step 4. Define Rule Logic

    Use the following query:

        KeeperSecurityEventNewLogs_CL
        | where AuditEvent in ("set_two_factor_off", "set_two_factor_on")

    • Entity mappings (Username → Account, RemoteAddress → IP)

    • Under Event grouping, select Trigger an alert for each event.

    • Click Next: Incident settings.


    Step 5. Configure Incident Settings

    • Enable: Create incidents from alerts triggered by this rule.

    • Alert grouping: Disabled (each MFA change will create a separate incident).

    • Click Next: Automated response.


    Step 6. Optional – Add Automated Response

    • You may attach a Logic App playbook if you want automated response actions (e.g., notify the SOC team in Teams, Slack, or email).

    • Otherwise, leave automation rules empty.

    • Click Next: Review + create.


    Step 7. Review and Create

    • Confirm all details:

      • Rule Name

      • Query

      • Severity

    • Click Create to finalize.


    11. Optional: Enable Workbook – Keeper Security Dashboard

    You can optionally enable the Keeper Security Dashboard workbook in Microsoft Sentinel to visualize Keeper event data. The dashboard provides insights into password changes, MFA events, privileged activity, and overall Keeper usage trends.


    Step 1. Access Installed Content

    • In Microsoft Sentinel, navigate to Content Hub → Keeper Security SIEM Integration.

    • Under Installed content items, select Keeper Security Dashboard.


    Step 2. Save the Workbook Template

    • From the Workbook view, select Keeper Security Dashboard.

    • In the right-hand panel, click Save.

    • The template will now be added to your personal workbooks list.


    Step 3. Open the Saved Workbook

    • Once saved, go to Workbooks.

    • Select Keeper Security Dashboard from the list.

    • Click View saved workbook to open it.


    Step 4. Visualize Keeper Events

    The Keeper Security Dashboard includes prebuilt charts and insights, such as:

    • Password Changes (audit trail of users changing their master password).

    • MFA Events (tracking when MFA is turned on/off).

    • User Activity (logins, session usage, record access).

    • Security Alerts (policy changes, privileged actions, anomaly patterns).


    ✅ Success

    Once configured properly, you should see logs appearing in Microsoft Sentinel under the table:

        KeeperSecurityEventNewLogs_CL

    You have now successfully integrated Keeper with Microsoft Sentinel using the Azure Monitor Logs ingestion method.
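To see what the two analytics rules in sections 9 and 10 actually produce before logs are flowing, here is the same detection logic run in Python over constructed rows of KeeperSecurityEventNewLogs_CL. This is an added example, not Keeper's or Microsoft's code: the AuditEvent column and the two event names come from the page's KQL; the Username, RemoteAddress and TimeGenerated column names and the five-minute scheduling window are assumptions. Each alert carries the entity mapping (Username → Account, RemoteAddress → IP) and the rule's severity and ATT&CK tag, one alert per matching event as "Trigger an alert for each event" configures.

```python
"""Added example: the Sentinel rules for master-password and MFA changes, evaluated offline."""
from datetime import datetime, timedelta, timezone

# One predicate per rule, each mirroring the KQL `where` clause on the page.
RULES = {
    "Keeper Security - Password Changed":
        lambda row: row["AuditEvent"] == "change_master_password",
    "Keeper Security - User MFA Changed":
        lambda row: row["AuditEvent"] in ("set_two_factor_off", "set_two_factor_on"),
}
SEVERITY, TACTIC, TECHNIQUE = "Informational", "Persistence", "T1556"


def parse_ts(value):
    """Log Analytics timestamps are ISO 8601 with a Z suffix; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_rules(rows, now, lookback=timedelta(minutes=5), rules=RULES):
    """Emulate one scheduled run: consider rows inside the lookback window,
    and emit one alert per matching event with the configured entity mapping.
    `lookback` is an assumed schedule, not a value from the page."""
    window_start = now - lookback
    alerts = []
    for row in rows:
        ts = parse_ts(row["TimeGenerated"])
        if ts < window_start or ts > now:
            continue  # outside this run's query window
        for name, matches in rules.items():
            if matches(row):
                alerts.append({
                    "rule": name,
                    "severity": SEVERITY,
                    "tactic": TACTIC,
                    "technique": TECHNIQUE,
                    # entity mapping from the rule wizard: Username -> Account, RemoteAddress -> IP
                    "entities": {"Account": row["Username"], "IP": row.get("RemoteAddress")},
                    "event_time": row["TimeGenerated"],
                })
    return alerts


# Constructed rows; column names other than AuditEvent are assumed.
NOW = datetime(2025, 1, 23, 1, 35, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": "2025-01-23T01:31:11.123Z", "AuditEvent": "change_master_password",
     "Username": "alice@example.com", "RemoteAddress": "10.15.12.192"},
    {"TimeGenerated": "2025-01-23T01:32:05.000Z", "AuditEvent": "set_two_factor_off",
     "Username": "bob@example.com", "RemoteAddress": "10.15.12.193"},
    {"TimeGenerated": "2025-01-23T01:33:40.000Z", "AuditEvent": "login",
     "Username": "alice@example.com", "RemoteAddress": "10.15.12.192"},
    # older than the 5-minute window: picked up by an earlier run, not this one
    {"TimeGenerated": "2025-01-23T00:10:00.000Z", "AuditEvent": "set_two_factor_on",
     "Username": "carol@example.com", "RemoteAddress": "10.15.12.194"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_ROWS, NOW):
        print(alert["rule"], alert["entities"], alert["event_time"])
```

Running it shows two alerts for the 01:30 to 01:35 window (alice's password change and bob disabling MFA); carol's MFA enablement falls outside the window and would have been raised by an earlier run, which is the same behaviour you get when the Sentinel rule's lookback is shorter than the gap between ingestion and the rule's schedule.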