ARAM Events

Retrieve enterprise audit and security event data via the Admin REST API

Description

The ARAM Events endpoint provides programmatic access to enterprise audit logs and security events captured by Keeper's Advanced Reporting and Alerts Module (ARAM). This endpoint enables administrators and security teams to retrieve, filter, and export audit event data for compliance monitoring, security analysis, and SIEM integration.

ARAM captures over 200 distinct event types across the Keeper platform, including authentication events, administrative actions, record operations, sharing activities, and KeeperPAM privileged access events. The Audit Events endpoint exposes this data through a RESTful interface, allowing integration with custom applications, automation workflows, and third-party security tools.

Overview

The Admin REST API Audit Events endpoint delivers real-time and historical audit event data from your Keeper Enterprise environment. This capability supports several critical security and compliance use cases:

Security Monitoring Retrieve event data for security incident investigation, anomaly detection, and threat hunting. Events include contextual information such as IP addresses, geolocation, client versions, and timestamps.

SIEM Integration Feed audit events into Security Information and Event Management platforms for centralized visibility. The endpoint returns data in JSON format compatible with Splunk, Microsoft Sentinel, Elastic, and other SIEM solutions.

Compliance Auditing Generate audit reports for SOX, ISO 27001, SOC 2, and other regulatory frameworks requiring detailed access logs and administrative action tracking.

Prerequisites

Active Keeper Enterprise subscription
Advanced Reporting and Alerts Module (ARAM) add-on enabled
Administrative privileges with reporting permissions
Valid API authentication credentials

Event Categories

The endpoint returns events across the following categories:

Configuration

Get Audit Events

Retrieves a paginated list of audit events for a specific enterprise between two dates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel) and is compatible with other log aggregation tools. Results are returned in pages. Use the `continuation_token` from the response to retrieve the next page. When there are no more results, `continuation_token` will be `null` and `has_more` will be `false`. Example: curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' \ --header 'x-api-token: Bearer YOUR_API_TOKEN'

{"openapi":"3.0.3","info":{"title":"Keeper Integration API","version":"1.0.0"},"servers":[{"url":"https://keepersecurity.com/api/rest","description":"Production environment"}],"security":[{"ApiTokenAuth":[]}],"components":{"securitySchemes":{"ApiTokenAuth":{"type":"apiKey","in":"header","name":"x-api-token"}}},"paths":{"/public/events":{"get":{"summary":"Get Audit Events","description":"Retrieves a paginated list of audit events for a specific enterprise between two\ndates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel)\nand is compatible with other log aggregation tools.\n\nResults are returned in pages. Use the `continuation_token` from the response\nto retrieve the next page. When there are no more results, `continuation_token`\nwill be `null` and `has_more` will be `false`.\n\nExample:\n\ncurl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' \\\n--header 'x-api-token: Bearer YOUR_API_TOKEN'\n","tags":["Audit Events"],"parameters":[{"name":"start_date","in":"query","required":true,"schema":{"type":"string","format":"date-time"}},{"name":"end_date","in":"query","required":true,"schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","minimum":1,"maximum":1000,"default":100}},{"name":"continuation_token","in":"query","required":false,"schema":{"type":"string"}}],"responses":{"200":{"description":"A paginated list of audit events","content":{"application/json":{"schema":{"type":"object","properties":{"continuation_token":{"type":"string","nullable":true},"has_more":{"type":"boolean"},"events":{"type":"array","items":{"type":"object","properties":{"audit_event":{"type":"string"},"remote_address":{"type":"string"},"category":{"type":"string"},"client_version":{"type":"string"},"enterprise_id":{"type":"integer"},"username":{"type":"string"},"timestamp":{"type":"integer"}}}}}}}}},"400":{"description":"Bad request"},"401":{"description":"Unauthorized"},"500":{"description":"Server error"}}}}}}

Endpoint

GET /api/rest/public/events

Purpose Retrieve audit events within a specified date range for your enterprise.

Authentication Send your API token in the x-api-token header: x-api-token: Bearer <API_TOKEN>

Query parameters

Name

Type

Required

Description

start_date

ISO 8601

Yes

Start of the date range (e.g., 2024-07-09T00:00:00Z).

end_date

ISO 8601

Yes

End of the date range (e.g., 2025-07-10T19:45:00Z).

continuation_token

String

Only for pagination

Use the token returned by the API to fetch the next page of events.

Headers

Header

Example

x-api-token

Bearer <API_TOKEN>

Example requests

Without pagination

curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z' \
  --header 'x-api-token: Bearer <API_TOKEN>'

With pagination

curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z&continuation_token=<CONT_TOKEN>' \
  --header 'x-api-token: Bearer <API_TOKEN>'

Example success response (200)

{
  "has_more": true,
  "events": [
    {
      "audit_event": "login_failure",
      "remote_address": "10.15.12.197",
      "category": "ADMIN",
      "client_version": "Commander 17.1.0",
      "enterprise_id": 8560,
      "username": "[email protected]",
      "timestamp": 1751910807587
    }
  ],
  "continuation_token": "vWiXa0eu2edoe_fonw5IJHwEbLmxXOACIvuoQRh7j4XiKuu1"
}

Error codes

Code

Message

Cause

400

Missing start date

start_date query parameter is missing

400

Missing end date

end_date query parameter is missing

401

Unauthorized

Invalid or missing API token

500

Internal Server Error

Unexpected server error

Security Notes

Treat API tokens like passwords; rotate them on a schedule.
Restrict permissions to the minimum required roles and actions.
Prefer short expirations; use never only for special automation cases.
Store tokens in a secure location (e.g., Keeper Vault).

Appendix: Quick Reference (Commander)

# List
public-api-key list [--format table|json|csv] [--output <file>]

# Generate
public-api-key generate \
  --name "<name>" \
  --roles "SIEM:1" \
  --expires 24h|7d|30d|1y|never \
  [--format json|csv] [--output <file>]

# Revoke
public-api-key revoke <token_value> [--force]

PreviousAdmin REST API NextRisk Management

Last updated 17 hours ago

Was this helpful?

hashtagDescription

hashtagOverview

hashtagPrerequisites

hashtagEvent Categories

hashtagConfiguration

hashtagGet Audit Events

hashtagQuery parameters

hashtagHeaders

hashtagExample requests

hashtagExample success response (200)

hashtagError codes

hashtagSecurity Notes

hashtagAppendix: Quick Reference (Commander)

Description

Overview

Prerequisites

Event Categories

Configuration

Get Audit Events

Query parameters

Headers

Example requests

Example success response (200)

Error codes

Security Notes

Appendix: Quick Reference (Commander)