Event Reporting
Integration with the Keeper Advanced Reporting & Alerts Module
Keeper Secrets Manager generates several events in the Advanced Reporting & Alerts Module. These events are available for analysis in several places including:
Keeper Admin Console (Learn More about the Event Reporting & Alerts Module): https://docs.keeper.io/enterprise-guide/event-reporting
SIEM Export to Splunk and other common providers: https://docs.keeper.io/enterprise-guide/event-reporting/splunk
Webhooks such as Slack and Teams: https://docs.keeper.io/enterprise-guide/webhooks
Commander audit-report CLI command and audit-log CLI command
Secrets Manager Events
Below is the list of events generated from Secrets Manager. "Application" refers to the Secrets Manager Application which is associated to a record or folder in the Keeper Vault.
Event Name | Description | What causes event |
app_record_shared | User ${username} shared record UID ${secret_uid} with KSM application ${app_uid} | When record owner adds record to the Application |
app_folder_shared | User ${username} shared folder UID ${secret_uid} with KSM application ${app_uid} | When the shared folder owner adds shared folder to the Application |
app_record_removed | User ${username} removed record UID ${secret_uid} from KSM application ${app_uid} | When user removes record share from the Application |
app_folder_removed | User ${username} removed folder UID ${secret_uid} from KSM application ${app_uid} | When user removes folder share from the Application |
app_record_share_changed | User ${username} changed share permissions for record UID ${secret_uid} for KSM application ${app_uid} | When user changes share permissions of record share in the Application |
app_folder_share_changed | User ${username} changed share permissions for folder UID ${secret_uid} for KSM application ${app_uid} | When user changes share permissions of folder share in the Application |
app_client_added | User ${username} added KSM device ${device_name} to application ${app_uid} | When a new Client Device was added to the Application |
app_client_removed | User ${username} removed KSM device ${device_name} from application ${app_uid} | When Client Device was removed from the Application |
app_client_connected | KSM device ${device_name} performed initial connect to application ${app_uid} | Client Device initially connected with the One Time Access Token |
app_client_access | KSM device ${device_name} has accessed secrets from application ${app_uid} | Client Device accessed the Application shares |
app_client_record_update | KSM device ${device_name} has updated record UID ${secret_uid} | Client Device has updated a record |
Access denied from blocked IP | Access denied to record UID ${secret_uid} from device with blocked IP address ${device_ip} | Device with an IP that is different from the IP lock attempts to access a secret |
For a list of all events, visit: https://docs.keeper.io/enterprise-guide/event-reporting
Last updated