ARAM Events

Retrieve enterprise audit and security event data via the Admin REST API

Description

The ARAM Events endpoint provides programmatic access to enterprise audit logs and security events captured by Keeper's Advanced Reporting and Alerts Module (ARAM). This endpoint enables administrators and security teams to retrieve, filter, and export audit event data for compliance monitoring, security analysis, and SIEM integration.

ARAM captures over 200 distinct event types across the Keeper platform, including authentication events, administrative actions, record operations, sharing activities, and KeeperPAM privileged access events. The Audit Events endpoint exposes this data through a RESTful interface, allowing integration with custom applications, automation workflows, and third-party security tools.

Overview

The Admin REST API Audit Events endpoint delivers real-time and historical audit event data from your Keeper Enterprise environment. This capability supports several critical security and compliance use cases:

Security Monitoring: Retrieve event data for security incident investigation, anomaly detection, and threat hunting. Events include contextual information such as IP addresses, geolocation, client versions, and timestamps.

SIEM Integration: Feed audit events into Security Information and Event Management platforms for centralized visibility. The endpoint returns data in JSON format compatible with Splunk, Microsoft Sentinel, Elastic, and other SIEM solutions.

Compliance Auditing: Generate audit reports for SOX, ISO 27001, SOC 2, and other regulatory frameworks requiring detailed access logs and administrative action tracking.

Prerequisites

Event Categories

The endpoint returns events across the following categories:

| Category | Description |
| --- | --- |
| Security Events | Login attempts, 2FA changes, master password modifications, failed authentications |
| Administrative Actions | User provisioning, role assignments, policy changes, node management |
| Record Operations | Record creation, updates, deletions, and access events |
| Sharing Activities | Record sharing, shared folder operations, team membership changes |
| KeeperPAM Events | Privileged session recordings, connection events, secret access |
| Secrets Manager Events | KSM application access, secret retrieval, rotation events |
| BreachWatch Events | High-risk password detection, resolution tracking |

Configuration

Get Audit Events

Retrieves a paginated list of audit events for a specific enterprise between two dates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel) and is compatible with other log aggregation tools.

Results are returned in pages. Use the continuation_token from the response to retrieve the next page. When there are no more results, continuation_token will be null and has_more will be false.

Example:

curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' --header 'x-api-token: Bearer YOUR_API_TOKEN'
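
The pagination loop described above, as an added example that is not Keeper's own code. The URL, header format, `continuation_token`, `has_more` and the `limit` bounds come from this page; the `events` response field, the `KEEPER_API_TOKEN` variable name and the sample pages are assumptions constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

# URL and header format are taken from the curl example on this page.
BASE_URL = "https://keepersecurity.com/api/rest/public/events"

def http_get_page(params, token):
    """Fetch one page; HTTP 400/401/500 surface as urllib.error.HTTPError."""
    url = BASE_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"x-api-token": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_audit_events(start_date, end_date, token, limit=1000,
                      get_page=http_get_page, events_key="events", max_pages=10000):
    """Yield every event in the range, following continuation_token page by page.
    events_key is an ASSUMPTION: the page does not show the response body."""
    if not 1 <= limit <= 1000:  # documented bounds for limit
        raise ValueError("limit must be between 1 and 1000")
    params = {"start_date": start_date, "end_date": end_date, "limit": limit}
    seen = set()
    for _ in range(max_pages):
        page = get_page(dict(params), token)
        yield from page.get(events_key, [])
        nxt = page.get("continuation_token")
        if not page.get("has_more") or nxt is None:
            return  # documented end-of-results condition
        if nxt in seen:  # a repeated token would re-export the same page forever
            raise RuntimeError("continuation_token repeated; aborting")
        seen.add(nxt)
        params["continuation_token"] = nxt
    raise RuntimeError("max_pages reached before has_more became false")

# Constructed sample pages (not real Keeper output) so the loop runs offline.
SAMPLE_PAGES = {
    None: {"events": [{"id": 1}, {"id": 2}], "continuation_token": "t1", "has_more": True},
    "t1": {"events": [{"id": 3}], "continuation_token": None, "has_more": False},
}

def sample_get_page(params, token):
    return SAMPLE_PAGES[params.get("continuation_token")]

if __name__ == "__main__":
    token = os.environ.get("KEEPER_API_TOKEN", "")  # hypothetical name; never hard-code the token
    rng = ("2025-11-24T00:00:00Z", "2025-11-26T23:59:59Z")
    print(len(list(iter_audit_events(*rng, token, get_page=sample_get_page))), "events")
```

Drop the `get_page=sample_get_page` argument to query the live endpoint; the token is then sent only in the `x-api-token` header and never written to output.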

Authorizations

x-api-token (string, required)

Query parameters

start_date (string, date-time, required)
end_date (string, date-time, required)
limit (integer, min: 1, max: 1000, optional, default: 100)
continuation_token (string, optional)

Responses

200: A paginated list of audit events (application/json)

GET /public/events
Endpoint

Purpose: Retrieve audit events within a specified date range for your enterprise.

Authentication: Send your API token in the x-api-token header: x-api-token: Bearer <API_TOKEN>

Query parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_date | ISO 8601 | Yes | Start of the date range (e.g., 2024-07-09T00:00:00Z). |
| end_date | ISO 8601 | Yes | End of the date range (e.g., 2025-07-10T19:45:00Z). |
| continuation_token | String | Only for pagination | Use the token returned by the API to fetch the next page of events. |

Headers

| Header | Example |
| --- | --- |
| x-api-token | Bearer <API_TOKEN> |

Example requests

Without pagination

With pagination

Example success response (200)

Error codes

| Code | Message | Cause |
| --- | --- | --- |
| 400 | Missing start date | start_date query parameter is missing |
| 400 | Missing end date | end_date query parameter is missing |
| 401 | Unauthorized | Invalid or missing API token |
| 500 | Internal Server Error | Unexpected server error |

Security Notes

  • Treat API tokens like passwords; rotate them on a schedule.

  • Restrict permissions to the minimum required roles and actions.

  • Prefer short expirations; use "never" only for special automation cases.

  • Store tokens in a secure location (e.g., Keeper Vault).

Appendix: Quick Reference (Commander)
