Event Reporting
Integration with the Keeper Advanced Reporting & Alerts Module
Keeper Secrets Manager generates several events in the Advanced Reporting & Alerts Module. These events are available for analysis in several places including:
Keeper Admin Console (Learn More about the Event Reporting & Alerts Module): https://docs.keeper.io/enterprise-guide/event-reporting
SIEM Export to Splunk and other common providers: https://docs.keeper.io/enterprise-guide/event-reporting/splunk
Webhooks such as Slack and Teams: https://docs.keeper.io/enterprise-guide/webhooks
Commander audit-report CLI command and audit-log CLI command
Secrets Manager Events
Below is the list of events generated from Secrets Manager. "Application" refers to the Secrets Manager Application which is associated to a record or folder in the Keeper Vault.
Event Name
Description
What causes event
app_record_shared
User ${username} shared record UID ${secret_uid} with KSM application ${app_uid}
When record owner adds record to the Application
app_folder_shared
User ${username} shared folder UID ${secret_uid} with KSM application ${app_uid}
When the shared folder owner adds shared folder to the Application
app_record_removed
User ${username} removed record UID ${secret_uid} from KSM application ${app_uid}
When user removes record share from the Application
app_folder_removed
User ${username} removed folder UID ${secret_uid} from KSM application ${app_uid}
When user removes folder share from the Application
app_record_share_changed
User ${username} changed share permissions for record UID ${secret_uid} for KSM application ${app_uid}
When user changes share permissions of record share in the Application
app_folder_share_changed
User ${username} changed share permissions for folder UID ${secret_uid} for KSM application ${app_uid}
When user changes share permissions of folder share in the Application
app_client_added
User ${username} added KSM device ${device_name} to application ${app_uid}
When a new Client Device was added to the Application
app_client_removed
User ${username} removed KSM device ${device_name} from application ${app_uid}
When Client Device was removed from the Application
app_client_connected
KSM device ${device_name} performed initial connect to application ${app_uid}
Client Device initially connected with the One Time Access Token
app_client_access
KSM device ${device_name} has accessed secrets from application ${app_uid}
Client Device accessed the Application shares
app_client_record_update
KSM device ${device_name} has updated record UID ${secret_uid}
Client Device has updated a record
Access denied from blocked IP
Access denied to record UID ${secret_uid} from device with blocked IP address ${device_ip}
Device with an IP that is different from the IP lock attempts to access a secret
For a list of all events, visit: https://docs.keeper.io/enterprise-guide/event-reporting
Last updated
Was this helpful?