⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Creating Vault Records
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Keeper MSP
Free Family License for Personal Use
Training and Support
IP Allow Keeper
Migrating User Vaults Between Regions
Password Recovery Via Vault Transfer
Keeper Encryption Model
Developer Tools
SSH Connections
Recommended Security Settings
End-User Guides
Use Cases
On-Prem vs. Cloud
Login API
Migrating from LastPass
Docs Home
Powered By GitBook
BreachWatch (Dark Web)
Zero Knowledge dark web breach scanning for Keeper Enterprise
Keeper BreachWatch

Overview

BreachWatch provides organizations oversight of the vulnerabilities of user's passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover.

End-User Experience

BreachWatch will prompt the user on their client device to Resolve the breached password by either changing the password or ignoring it. If a password alert is ignored, then that record will be skipped on future scans until the password is reset. The user may also do nothing (deferring a response) and leave the risky password unchanged and thus still "at risk".

Admin Console Experience

BreachWatch provides Admins a dashboard overview and a summary table in the Admin Console detailing how users have dealt with their BreachWatch notifications.
If users have "At Risk" or "Ignored" passwords, the Keeper Administrator can click on a user's name to bring up the 'User Detail' to gain access to their email address so they can request the user to take action.
The user-specific BreachWatch data does not include shared records, only the records the user owns. Additionally, if a record does not contain a password, it will not be shown in the count.

Reporting & Alerts

If the Advanced Reporting & Alerts module is activated on the Enterprise license, then BreachWatch specific events can be sent from the devices/clients and used to report activity with a variety of filters, and/or generate an alert.

Activate BreachWatch Event Reporting

IMPORTANT: To activate event-level reporting of BreachWatch data to the Advanced Reporting & Alerts Module you must enable the event role enforcement policy under the specific role > Enforcement Policies > Vault Features screen.
By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.
Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.
Enable BreachWatch Role Policy

BreachWatch Reports

After BreachWatch events are flowing into the reporting module, visit the "Reporting & Alerts" screen to generate a report.
Reporting & Alerts Interface
Click on Add Custom Report then select the BreachWatch events.
BreachWatch Events
Alerts can also be created with custom event tracking.
Alerts
Webhooks can receive alerts, so that you can perform any custom logic such as Slack channel alerts, Microsoft Teams, etc.
Alert Recipients and Webhooks
Events can also be streamed to 3rd party SIEM solutions.
SIEM Integration

Deployment & Reporting Enablement

    The BreachWatch capability can be deployed selectively to your organization via Role Enforcements. The Pause BreachWatch on client devices toggle controls whether devices send events for reporting purposes, and whether to pause the service so it will not appear on the user's devices at all. Note that enabling events to the reporting module will send record event metadata (User Email, Record UID, IP Address and Device Type) from Keeper’s backend to any connected SIEM product.
    If you do not want to deploy BreachWatch to your entire organization at once, you can control the deployment using the Pause BreachWatch on client devices toggle. Users in this node will not have BreachWatch enabled on their client devices.

Security

BreachWatch is a Zero Knowledge architecture that uses a number of layered techniques to protect our customer’s information. For detailed technical information regarding the security and encryption model of BreachWatch, please visit the BreachWatch section on the Keeper Encryption Model documentation by clicking This Link.
Previous
Security Audit
Next
Secure File Storage
Last modified 2mo ago
Export as PDF
Copy link
Contents
Overview
End-User Experience
Admin Console Experience
Reporting & Alerts
Activate BreachWatch Event Reporting
BreachWatch Reports
Security