# Salesforce ITSM

{% hint style="info" %} This integration is coming soon. ETA end of **February 2026** {% endhint %} ## Overview Salesforce managed package that automatically converts Keeper Security alerts into Service Cloud Cases for streamlined incident management. When security events occur in your Keeper environment (such as failed logins, vault transfers, or BreachWatch alerts), the package automatically creates Salesforce Cases for your IT and security teams to investigate and resolve. ### Key Features * **Guided Setup Wizard** - Step-by-step setup assistant with progress tracking and auto-detection * **Automated Case Creation** - Security alerts from Keeper automatically create Cases in Salesforce * **Flexible Field Mapping** - Map Keeper alert data to any Case field (standard or custom) * **Priority Rules** - Configure priority rules based on event types and categories * **Secure Authentication** - Token-based webhook authentication * **Admin Configuration UI** - Easy-to-use configuration interface for admins *** ## Installation ### Prerequisites Before installing, ensure you have: * Salesforce Enterprise, Performance, Unlimited, or Developer Edition * System Administrator profile or equivalent permissions * An active Keeper Security Enterprise subscription ### Install the Package 1. Navigate to the AppExchange listing for **Keeper ITSM** 2. Click **Get It Now** 3. Select your Salesforce org (Production or Sandbox) 4. Choose **Install for Admins Only** (recommended) 5. Click **Install** and wait for confirmation {% hint style="info" %} Installation typically takes 2-5 minutes. You will receive an email when complete. {% endhint %} *** ## What Gets Installed The package automatically creates the following components in your org: ### Components Auto-Created on Install

Component	Description
Custom Fields on Case	8 Keeper-specific fields for capturing alert data
Custom Objects	`Keeper_Field_Mapping__c`, `Keeper_Priority_Mapping__c` for configuration
Custom Settings	`Keeper_Webhook_Settings__c` for secure token storage
Permission Sets	Keeper ITSM Admin, Keeper ITSM User, Keeper Webhook User
Apex Classes	Webhook controller, incident service, mapping controllers
Aura Component	Configuration UI (`KeeperConfigApp`)
Custom Tab	Keeper ITSM Config
Lightning App	Keeper Security ITSM
Page Layouts	Case layouts with Keeper fields pre-configured
Site Definition	KeeperWebhook site for receiving external webhooks
Site Guest Profile	Configured with minimal permissions for webhook processing

### Custom Fields on Case

Field Label	API Name	Type
Keeper Alert Name	`Keeper_Alert_Name__c`	Text (255)
Keeper Event Type	`Keeper_Event_Type__c`	Text (255)
Keeper Username	`Keeper_Username__c`	Text (255)
Keeper Alert Timestamp	`Keeper_Alert_Timestamp__c`	Date/Time
Keeper IP Address	`Keeper_IP_Address__c`	Text (50)
Keeper Category	`Keeper_Category__c`	Text (100)
Keeper Alert Description	`Keeper_Alert_Description__c`	Long Text Area
Keeper Client Version	`Keeper_Client_Version__c`	Text (100)

### Permission Sets

Permission Set	Purpose
Keeper ITSM Admin	Full access to configuration UI, field mappings, priority mappings
Keeper ITSM User	Read access to Keeper Case fields
Keeper Webhook User	Used by site guest user for webhook processing

*** ## Post-Installation Setup After the package is installed, complete the configuration using the **Guided Setup** wizard or follow the manual steps below. {% hint style="success" %} **Recommended:** Use the **Guided Setup** tab in the Keeper ITSM Config page. It provides step-by-step instructions with automatic progress tracking and will detect which steps are already complete. {% endhint %} ### Using Guided Setup (Recommended) 1. Open the **App Launcher** (9-dot grid icon) 2. Search for and select **Keeper ITSM Config** 3. The **Guided Setup** tab opens by default, showing your setup progress 4. Follow the numbered steps - completed steps show a green checkmark 5. Click the action buttons to complete each step The Guided Setup wizard automatically detects: * Whether the Salesforce Site is active * Whether an authentication token has been generated * How many field mappings are configured * How many priority rules are configured #### Setup Steps

Step	Name	Description	Auto-Detected
1	Assign Permission Sets	Grant non-admin users access to configuration (optional)	Yes
2	Activate Salesforce Site	Ensure the webhook endpoint is accessible	Yes
3	Generate Authentication Token	Create a secure token for webhook authentication	Yes
4	Configure Field Mappings	Map Keeper alert fields to Case fields (recommended)	Yes
5	Configure Priority Rules	Set Case priority based on event types (recommended)	Yes
6	Configure Keeper Admin Console	Add webhook URL in Keeper (external step)	No
7	Test Integration	Verify the integration by creating a test Case	Manual

#### Progress Tracking * The progress ring shows the percentage of core steps completed (Steps 2-5) * Completed steps display a green checkmark * Pending steps show a numbered icon * Optional steps are marked with an "Optional" badge #### Testing from Guided Setup Click the **Run Test** button in Step 7 to create a test Case directly from the wizard. This verifies that: * The Salesforce Site is properly configured * Field mappings are working correctly * Priority rules are being applied {% hint style="info" %} The test creates an actual Case record with Origin "Keeper Security" that you can view and delete afterward. {% endhint %}

*** ### Manual Setup Steps If you prefer manual configuration, follow these steps: #### Step 1: Assign Permission Set to Admins (Optional) {% hint style="info" %} **System Administrators** already have full access to the configuration page. This step is only needed if you want non-admin users to manage the Keeper ITSM configuration. {% endhint %} Assign the **Keeper ITSM Admin** permission set to users who need to configure the integration: 1. Go to **Setup** → **Permission Sets** 2. Click **Keeper ITSM Admin** 3. Click **Manage Assignments** → **Add Assignments** 4. Select the administrator users and click **Assign**

#### Step 2: Activate and Configure the Salesforce Site The webhook endpoint requires an active Salesforce Site. Configure it as follows: 1. Go to **Setup** → **Sites** 2. Locate the **KeeperWebhook** site (or create one if not auto-created) 3. Click **Activate** if the site is not already active 4. Note the **Site URL** - you'll need this for the Keeper Admin Console {% hint style="warning" %} The Site URL varies by org. It typically follows this format: `https://[your-domain].my.salesforce-sites.com/keeper` {% endhint %} **Verify Site Guest User Permissions** 1. Go to **Setup** → **Sites** → **KeeperWebhook** → **Public Access Settings** 2. Verify the guest user profile has: * **Apex Class Access**: `KeeperWebhookController`, `KeeperIncidentService`, `KeeperTokenService` * **Object Permissions**: Create on Case, Read on `Keeper_Field_Mapping__c`, Read on `Keeper_Priority_Mapping__c` #### Step 3: Generate Authentication Token 1. Open the **App Launcher** (9-dot grid icon) 2. Search for and select **Keeper ITSM Config** 3. On the **Webhook Setup** tab, click **Generate New Token** 4. Click **Reveal** to view the token, then **Copy** it

{% hint style="danger" %} Store the token securely. You'll need it to configure the Keeper Admin Console. {% endhint %} #### Step 4: Configure Keeper Admin Console 1. Log in to the [Keeper Admin Console](https://keepersecurity.com/console/#login) 2. Navigate to **Reporting & Alerts** 3. Go to **Alerts** → **Add Alert** and select the alert types to monitor 4. Go to **Alerts** → **Add Recipient** 5. Select **Webhook** as the recipient type 6. Enter the full URL with token: ``` https://[your-site-url]/services/apexrest/keeper/webhook?token=YOUR_TOKEN_HERE ``` 7. Save the configuration #### Optional: Assign Page Layout If you want to use the package's pre-configured Case layout with Keeper fields: 1. Go to **Setup** → **Object Manager** → **Case** → **Page Layouts** 2. Click **Page Layout Assignment** 3. Assign the **Case Layout** (with Keeper fields) to relevant profiles 4. Click **Save** {% hint style="info" %} Alternatively, add the Keeper custom fields to your existing Case page layouts manually. {% endhint %} *** ## Configuration Access the configuration page by opening the **App Launcher** and searching for **Keeper ITSM Config**. The page has four tabs: Guided Setup, Webhook Setup, Field Mapping, and Priority Mapping. {% hint style="info" %} You must have the **Keeper ITSM Admin** permission set or **System Administrator** profile to access the configuration page. {% endhint %} ### Webhook Setup The Webhook Setup tab provides the URL and authentication token needed to configure Keeper to send alerts to Salesforce. #### Webhook URL The webhook URL is displayed on the configuration page. Copy this URL to use in the Keeper Admin Console. **URL Format:** ``` https://[your-domain].my.salesforce-sites.com/keeper/services/apexrest/keeper/webhook ``` #### Authentication Token * Click **Reveal** to display the full token * Click **Copy** to copy the token to clipboard * Click **Generate New Token** to create a new token {% hint style="danger" %} Generating a new token immediately invalidates the previous token. Update the Keeper Admin Console with the new token right away to avoid service interruption. {% endhint %} #### Full Webhook URL with Token Append the token as a query parameter: ``` https://[your-site-url]/services/apexrest/keeper/webhook?token=YOUR_TOKEN_HERE ``` ### Field Mapping Field Mapping allows you to control which Keeper alert data populates which Salesforce Case fields. #### Available Keeper Fields

Keeper Field	API Name	Description
Alert Name	`alert_name`	Name of the alert rule that triggered
Audit Event Type	`audit_event`	Event type code (e.g., `login_failure`)
Username	`username`	User who triggered the event
Description	`description`	Alert description text
Timestamp	`timestamp`	When the event occurred (ISO 8601)
Remote IP Address	`remote_address`	IP address of the request origin
Category	`category`	Event category
Client Version	`client_version`	Keeper client version

#### Adding a Field Mapping 1. Navigate to the **Field Mapping** tab 2. Select a **Keeper Field** from the dropdown 3. Select a **Salesforce Case Field** from the dropdown 4. Click **Add Mapping**

{% hint style="warning" %} Each Salesforce field can only be mapped to one Keeper field. Adding a duplicate mapping will replace the existing one. {% endhint %} #### Recommended Mappings | Keeper Field | Recommended Case Field | | ----------------- | ------------------------ | | Alert Name | Keeper Alert Name | | Audit Event Type | Keeper Event Type | | Username | Keeper Username | | Timestamp | Keeper Alert Timestamp | | Remote IP Address | Keeper IP Address | | Category | Keeper Category | | Description | Keeper Alert Description | | Client Version | Keeper Client Version | #### Managing Mappings * **Toggle Active/Inactive** - Use the toggle switch to enable or disable a mapping * **Search** - Use the search box to filter mappings * **Delete** - Click the delete icon to remove a mapping * **Pagination** - Navigate through mappings using the page controls #### Default Behavior (No Mappings Configured) If no field mappings are configured, the package applies these defaults:

Field	Default Value
Subject	`[Alert Name]: [Event Type]`
Description	Full alert details in text format
Origin	`Keeper Security`
Status	`New`
Priority	Determined by Priority Mapping rules (default: Low)

### Priority Mapping Priority Mapping allows you to automatically set Case priority based on the type of security event. #### How Priority Matching Works When a Keeper alert arrives, the system: 1. Checks for an **exact match** with configured event patterns 2. If no exact match, checks for **partial/contains matches** 3. If no match found, assigns default priority: **Low** #### Adding Priority Rules **Method 1: Category + Event Selection** 1. Navigate to the **Priority Mapping** tab 2. Select a **Category** from the dropdown 3. Optionally select a specific **Event** (leave empty to map ALL events in that category) 4. Select the **Priority** 5. Click **Add Rule** {% hint style="info" %} Leave the Event field empty to map ALL events in the selected category at once. This is useful for quickly setting up priority rules for entire categories. {% endhint %} **Method 2: Quick Add Buttons** Use the Quick Add buttons to add common security rules:

Button	What it Creates
Security → High	BreachWatch alerts, vault transfers, user deletions, 2FA failures, KeeperAI critical/high risks
Login Failures → High	Failed logins, failed console logins, IP blocks, auth failures
Role Changes → Medium	Role additions/removals, team changes, permission changes, user locks
Normal Ops → Low	Normal logins, record operations, password copies, exports/imports

#### Event Categories Reference The package supports 17 event categories with over 300 events from Keeper Security. For the complete list of event types and their descriptions, refer to [Reporting, Alerts & SIEM](https://docs.keeper.io/enterprise-guide/event-reporting#event-descriptions) {% hint style="info" %} The Salesforce ITSM package includes all event types from Keeper's Event Reporting documentation as of the current package version. {% endhint %} #### Recommended Priority Configuration

Event Types	Recommended Priority
Vault transfers, Account deletions, 2FA failures, IP blocks	High
Login failures, BreachWatch detections, KeeperAI alerts	High
Role changes, Permission changes, User locks	Medium
Record views, Password copies, Normal logins	Low

*** ## Testing the Integration ### Option 1: Use the Built-in Test (Recommended) The easiest way to test the integration: 1. Go to **Keeper ITSM Config** → **Guided Setup** tab 2. Scroll to **Step 7: Test Integration** 3. Click **Run Test** 4. If successful, a test Case will be created and a link will appear This creates a Case with: * Subject: "Guided Setup Test Alert: test\_event" * Origin: "Keeper Security" * All configured field mappings applied ### Option 2: Send a Test Webhook via cURL/Postman Use cURL or Postman to send a test webhook: ```bash curl -X POST \ 'https://[your-site-url]/services/apexrest/keeper/webhook?token=YOUR_TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "alert_name": "Test Alert", "audit_event": "login_failure", "username": "test.user@example.com", "description": "Test alert from manual trigger", "timestamp": "2025-01-30T10:30:00Z", "remote_address": "192.168.1.100", "category": "Login", "client_version": "16.10.0" }' ```

### Expected Responses **Success (HTTP 200):** ```json { "success": true, "caseId": "500XXXXXXXXXXXX" } ``` **Authentication Error (HTTP 401):** ```json { "success": false, "errorCode": "ERR_001", "message": "Unauthorized" } ``` **Invalid Payload (HTTP 400):** ```json { "success": false, "errorCode": "ERR_002", "message": "Invalid request format" } ``` **Processing Error (HTTP 500):** ```json { "success": false, "errorCode": "ERR_003", "message": "An error occurred processing the request" } ``` *** ## Troubleshooting ### Cases Not Being Created

Issue	Solution
Webhook URL incorrect	Verify the full URL includes `/services/apexrest/keeper/webhook`
Token invalid	Generate a new token and update Keeper Admin Console
Site not active	Go to Setup → Sites and activate the KeeperWebhook site
Guest user permissions	Verify the site guest profile has access to required Apex classes

### "Access Denied" on Configuration Page **Cause:** User doesn't have the required permission set. **Solution:** 1. Go to **Setup** → **Permission Sets** → **Keeper ITSM Admin** 2. Click **Manage Assignments** → **Add Assignment** 3. Select the user and click **Assign** ### Field Data Not Appearing on Cases

Issue	Solution
Mapping not active	Ensure the toggle is ON for the mapping
Field not in allowed list	Only whitelisted fields can be mapped (see `KeeperIncidentService`)
FLS permissions	Verify the guest user profile has create permission on the field

### Incorrect Priority Being Assigned **Priority matching order:** 1. Exact match rules are evaluated first 2. Partial/contains matches are evaluated second 3. Default priority is **Low** if no rules match **Tip:** Create specific event rules before broad category rules. ### "Closed" Status Not Showing on Cases **Cause:** By default, Salesforce hides closed statuses from the Case Status picklist to prevent accidental closure. **Solution:** 1. Go to **Setup** → **Support Settings** 2. Find the setting **"Show Closed Statuses in Case Status Field"** 3. Check the box to enable it 4. Click **Save** {% hint style="info" %} This is a Salesforce org-wide setting that affects all Cases, not just those created by Keeper ITSM. {% endhint %} *** ## Security Considerations ### Token Security * Tokens are generated using cryptographically secure AES-128 random generation * Tokens are stored in protected custom settings (not visible in standard queries) * Regenerate tokens periodically as a security best practice * Never share tokens in unsecured channels ### Data Security * All webhook requests require valid token authentication * Error messages are sanitized to prevent information disclosure * CRUD/FLS checks are enforced on all database operations * Field mapping uses a whitelist approach for allowed fields ### Audit Trail * All webhook requests are logged in Salesforce debug logs * Cases created via webhook have `Origin = Keeper Security` for identification * Failed authentication attempts are logged for security review ### Guest User Security The site guest user profile is configured with minimal permissions: * **Apex Access**: Only webhook-related classes * **Object Access**: Create-only on Case, Read-only on mapping objects * **Field Access**: Limited to required Case fields *** ## FAQ **Q: Can I use this with Salesforce sandbox?** A: Yes, install the package in sandbox for testing. Use separate tokens for sandbox and production environments. **Q: How do I upgrade to a new package version?** A: Install the new version from AppExchange. Your configurations (mappings, tokens) are preserved during upgrades. **Q: What Keeper events can trigger alerts?** A: Any event type configured in Keeper Admin Console's Reporting & Alerts section. **Q: Is the webhook endpoint secure?** A: Yes. All requests require a valid authentication token. The endpoint uses HTTPS, and error messages don't expose internal system details. **Q: Can I customize the Case Subject format?** A: Currently, the default format is `[Alert Name]: [Event Type]`. Map the `alert_name` or `audit_event` fields to the Subject field for custom behavior. **Q: What happens if the token is compromised?** A: Immediately generate a new token from the Webhook Setup tab. The old token is invalidated instantly. Update the Keeper Admin Console with the new token.