Salesforce ITSM

Overview

Salesforce managed package that automatically converts Keeper Security alerts into Service Cloud Cases for streamlined incident management.

When security events occur in your Keeper environment (such as failed logins, vault transfers, or BreachWatch alerts), the package automatically creates Salesforce Cases for your IT and security teams to investigate and resolve.

Key Features

• Guided Setup Wizard - Step-by-step setup assistant with progress tracking and auto-detection

• Automated Case Creation - Security alerts from Keeper automatically create Cases in Salesforce

• Flexible Field Mapping - Map Keeper alert data to any Case field (standard or custom)

• Priority Rules - Configure priority rules based on event types and categories

• Secure Authentication - Token-based webhook authentication

• Admin Configuration UI - Easy-to-use configuration interface for admins

Installation

Prerequisites

Before installing, ensure you have:

• Salesforce Enterprise, Performance, Unlimited, or Developer Edition

• System Administrator profile or equivalent permissions

• An active Keeper Security Enterprise subscription

Install the Package

1. Navigate to the AppExchange listing for Keeper ITSM

2. Click Get It Now

3. Select your Salesforce org (Production or Sandbox)

4. Choose Install for Admins Only (recommended)

5. Click Install and wait for confirmation

What Gets Installed

The package automatically creates the following components in your org:

Components Auto-Created on Install

Custom Fields on Case

Permission Sets

Post-Installation Setup

After the package is installed, complete the configuration using the Guided Setup wizard or follow the manual steps below.

Using Guided Setup (Recommended)

1. Open the App Launcher (9-dot grid icon)

2. Search for and select Keeper ITSM Config

3. The Guided Setup tab opens by default, showing your setup progress

4. Follow the numbered steps - completed steps show a green checkmark

5. Click the action buttons to complete each step

The Guided Setup wizard automatically detects:

• Whether the Salesforce Site is active

• Whether an authentication token has been generated

• How many field mappings are configured

• How many priority rules are configured

Setup Steps

Progress Tracking

• The progress ring shows the percentage of core steps completed (Steps 2-5)

• Completed steps display a green checkmark

• Pending steps show a numbered icon

• Optional steps are marked with an "Optional" badge

Testing from Guided Setup

Click the Run Test button in Step 7 to create a test Case directly from the wizard. This verifies that:

• The Salesforce Site is properly configured

• Field mappings are working correctly

• Priority rules are being applied

Manual Setup Steps

If you prefer manual configuration, follow these steps:

Step 1: Assign Permission Set to Admins (Optional)

Assign the Keeper ITSM Admin permission set to users who need to configure the integration:

1. Go to Setup → Permission Sets

2. Click Keeper ITSM Admin

3. Click Manage Assignments → Add Assignments

4. Select the administrator users and click Assign

Step 2: Activate and Configure the Salesforce Site

The webhook endpoint requires an active Salesforce Site. Configure it as follows:

1. Go to Setup → Sites

2. Locate the KeeperWebhook site (or create one if not auto-created)

3. Click Activate if the site is not already active

4. Note the Site URL - you'll need this for the Keeper Admin Console

Verify Site Guest User Permissions

1. Go to Setup → Sites → KeeperWebhook → Public Access Settings

2. Verify the guest user profile has:

   • Apex Class Access: KeeperWebhookController, KeeperIncidentService, KeeperTokenService

   • Object Permissions: Create on Case, Read on Keeper_Field_Mapping__c, Read on Keeper_Priority_Mapping__c

Step 3: Generate Authentication Token

1. Open the App Launcher (9-dot grid icon)

2. Search for and select Keeper ITSM Config

3. On the Webhook Setup tab, click Generate New Token

4. Click Reveal to view the token, then Copy it

Step 4: Configure Keeper Admin Console

1. Log in to the Keeper Admin Console

2. Navigate to Reporting & Alerts

3. Go to Alerts → Add Alert and select the alert types to monitor

4. Go to Alerts → Add Recipient

5. Select Webhook as the recipient type

6. Enter the full URL with token:

1. Save the configuration

Optional: Assign Page Layout

If you want to use the package's pre-configured Case layout with Keeper fields:

1. Go to Setup → Object Manager → Case → Page Layouts

2. Click Page Layout Assignment

3. Assign the Case Layout (with Keeper fields) to relevant profiles

4. Click Save

Configuration

Access the configuration page by opening the App Launcher and searching for Keeper ITSM Config. The page has four tabs: Guided Setup, Webhook Setup, Field Mapping, and Priority Mapping.

Webhook Setup

The Webhook Setup tab provides the URL and authentication token needed to configure Keeper to send alerts to Salesforce.

Webhook URL

The webhook URL is displayed on the configuration page. Copy this URL to use in the Keeper Admin Console.

URL Format:

Authentication Token

• Click Reveal to display the full token

• Click Copy to copy the token to clipboard

• Click Generate New Token to create a new token

Full Webhook URL with Token

Append the token as a query parameter:

Field Mapping

Field Mapping allows you to control which Keeper alert data populates which Salesforce Case fields.

Available Keeper Fields

Adding a Field Mapping

1. Navigate to the Field Mapping tab

2. Select a Keeper Field from the dropdown

3. Select a Salesforce Case Field from the dropdown

4. Click Add Mapping

Recommended Mappings

Managing Mappings

• Toggle Active/Inactive - Use the toggle switch to enable or disable a mapping

• Search - Use the search box to filter mappings

• Delete - Click the delete icon to remove a mapping

• Pagination - Navigate through mappings using the page controls

Default Behavior (No Mappings Configured)

If no field mappings are configured, the package applies these defaults:

Priority Mapping

Priority Mapping allows you to automatically set Case priority based on the type of security event.

How Priority Matching Works

When a Keeper alert arrives, the system:

1. Checks for an exact match with configured event patterns

2. If no exact match, checks for partial/contains matches

3. If no match found, assigns default priority: Low

Adding Priority Rules

Method 1: Category + Event Selection

1. Navigate to the Priority Mapping tab

2. Select a Category from the dropdown

3. Optionally select a specific Event (leave empty to map ALL events in that category)

4. Select the Priority

5. Click Add Rule

Method 2: Quick Add Buttons

Use the Quick Add buttons to add common security rules:

Event Categories Reference

The package supports 17 event categories with over 300 events from Keeper Security.

For the complete list of event types and their descriptions, refer to Reporting, Alerts & SIEM

Recommended Priority Configuration

Testing the Integration

Option 1: Use the Built-in Test (Recommended)

The easiest way to test the integration:

1. Go to Keeper ITSM Config → Guided Setup tab

2. Scroll to Step 7: Test Integration

3. Click Run Test

4. If successful, a test Case will be created and a link will appear

This creates a Case with:

• Subject: "Guided Setup Test Alert: test_event"

• Origin: "Keeper Security"

• All configured field mappings applied

Option 2: Send a Test Webhook via cURL/Postman

Use cURL or Postman to send a test webhook:

Expected Responses

Success (HTTP 200):

Authentication Error (HTTP 401):

Invalid Payload (HTTP 400):

Processing Error (HTTP 500):

Troubleshooting

Cases Not Being Created

"Access Denied" on Configuration Page

Cause: User doesn't have the required permission set.

Solution:

1. Go to Setup → Permission Sets → Keeper ITSM Admin

2. Click Manage Assignments → Add Assignment

3. Select the user and click Assign

Field Data Not Appearing on Cases

Incorrect Priority Being Assigned

Priority matching order:

1. Exact match rules are evaluated first

2. Partial/contains matches are evaluated second

3. Default priority is Low if no rules match

Tip: Create specific event rules before broad category rules.

"Closed" Status Not Showing on Cases

Cause: By default, Salesforce hides closed statuses from the Case Status picklist to prevent accidental closure.

Solution:

1. Go to Setup → Support Settings

2. Find the setting "Show Closed Statuses in Case Status Field"

3. Check the box to enable it

4. Click Save

Security Considerations

Token Security

• Tokens are generated using cryptographically secure AES-128 random generation

• Tokens are stored in protected custom settings (not visible in standard queries)

• Regenerate tokens periodically as a security best practice

• Never share tokens in unsecured channels

Data Security

• All webhook requests require valid token authentication

• Error messages are sanitized to prevent information disclosure

• CRUD/FLS checks are enforced on all database operations

• Field mapping uses a whitelist approach for allowed fields

Audit Trail

• All webhook requests are logged in Salesforce debug logs

• Cases created via webhook have Origin = Keeper Security for identification

• Failed authentication attempts are logged for security review

Guest User Security

The site guest user profile is configured with minimal permissions:

• Apex Access: Only webhook-related classes

• Object Access: Create-only on Case, Read-only on mapping objects

• Field Access: Limited to required Case fields

FAQ

Q: Can I use this with Salesforce sandbox?

A: Yes, install the package in sandbox for testing. Use separate tokens for sandbox and production environments.

Q: How do I upgrade to a new package version?

A: Install the new version from AppExchange. Your configurations (mappings, tokens) are preserved during upgrades.

Q: What Keeper events can trigger alerts?

A: Any event type configured in Keeper Admin Console's Reporting & Alerts section.

Q: Is the webhook endpoint secure?

A: Yes. All requests require a valid authentication token. The endpoint uses HTTPS, and error messages don't expose internal system details.

Q: Can I customize the Case Subject format?

A: Currently, the default format is [Alert Name]: [Event Type]. Map the alert_name or audit_event fields to the Subject field for custom behavior.

Q: What happens if the token is compromised?

A: Immediately generate a new token from the Webhook Setup tab. The old token is invalidated instantly. Update the Keeper Admin Console with the new token.