Advanced Reporting and Alerts


Keeper's Advanced Reporting and Alerts module provides event logging and tracking for over 100 event types, can send event-based alerts, and can log your events to an external system.

Reports

Reports provide you with a built-in line chart for top events and two built-in reports, one for recent activity and one for security-related events. You can create your own reports by clicking "Add Custom Report" and specifying a name, filter criteria and the columns to display.

Preview the results by clicking "Apply", and if you want to use the report in the future, click the "Save" button. Additionally, you can export the events as a file in JSON, CSV or SysLog formats.

New events are not immediately available for reports; there is a delay of 1 to 10 minutes before they can be displayed in a report.

Alerts

New alerts are created similarly to new reports, by clicking "Add Alert" and specifying a name and filter criteria. You also add one or more recipients, using email, phone number or both. Recipients don't have to be part of your enterprise; any email address or phone number will work. The first recipient is predefined: it is the user who generated the event. It is "off" by default; toggle the switch to enable sending the alerts (email only) to the originator.

To prevent the recipients from receiving too many emails or SMS messages, alerts can be "throttled". One way to throttle is to specify the Alert Frequency. For example, if you set the frequency to "Once Per Time Period" with a period of 1 hour, then all events matching the alert filter will still trigger an alert "occurrence", but the message will be sent only if 1 hour has passed since the previous message. Another way to throttle the alert is to pause it using the toggle switch. A paused alert also accumulates "occurrences" without sending the actual messages. When it is resumed, the very next event matching the alert triggers a message, which contains the number of events that happened while the alert was paused.
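The throttling rules above determine which matching events actually produce a message, which matters when an alert is the only notification path for a security event. The following is an added example, not Keeper code: a small model of those rules, with class and method names that are hypothetical and a constructed timeline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class AlertModel:
    """Constructed model of one alert; the names here are not Keeper's."""
    period: timedelta                       # "Once Per Time Period" value
    paused: bool = False
    just_resumed: bool = False
    occurrences: int = 0                    # every matching event is counted
    backlog: int = 0                        # occurrences accumulated while paused
    last_sent: Optional[datetime] = None
    sent: List[Tuple[datetime, int]] = field(default_factory=list)

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        self.paused, self.just_resumed = False, True

    def on_event(self, ts: datetime) -> bool:
        """Record a matching event; return True if a message goes out."""
        self.occurrences += 1
        if self.paused:
            self.backlog += 1
            return False
        due = self.last_sent is None or ts - self.last_sent >= self.period
        # Assumed reading: the first event after resume sends regardless of period.
        if not (due or self.just_resumed):
            return False
        self.sent.append((ts, self.backlog))    # message reports the paused count
        self.last_sent, self.backlog, self.just_resumed = ts, 0, False
        return True

def replay() -> AlertModel:
    """Constructed timeline: a burst, a pause, then a resume."""
    t = lambda hhmm: datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    alert = AlertModel(period=timedelta(hours=1))
    for hhmm in ("09:00", "09:10", "09:50", "10:05"):
        alert.on_event(t(hhmm))             # only 09:00 and 10:05 send
    alert.pause()
    for hhmm in ("10:20", "10:30"):
        alert.on_event(t(hhmm))             # counted, nothing sent
    alert.resume()
    alert.on_event(t("10:40"))              # sends, reporting 2 paused events
    return alert
```

Seven occurrences produce three messages in this timeline, so the count of messages received understates the count of matching events; the "Alerts Sent" drill-down is where the individual events appear.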

Here is what a sample email alert looks like:

You can view the alert history in the "Alerts Sent" tab, with the ability to drill down to see the individual events:

External Logging

If the Keeper Admin Console reporting capabilities do not meet your needs, you can set up logging of Keeper events to an external system. Four systems are currently supported: Splunk (via HTTP Event Collector), Sumo Logic (via HTTP Logs and Metrics Source), AWS S3 Bucket (via bucket name/access credentials) and IBM QRadar (via Syslog push). Only one external sync method can be active at a time. After external logging is established, it might be automatically paused if the external system becomes unavailable and the number of events in the queue reaches a threshold of 50. If this happens, you will have to manually resume the external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you get notified if the external logging is broken.

External logging is real-time: new events appear almost immediately in the external system. The exception is AWS S3 Bucket, which operates on a time frame you set for writing to the bucket. For example, if you set the time frame to a "day", all events will accumulate until the day has ended (using the UTC clock) and then a new file containing all of the day's events will be added to your S3 bucket.
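To see when the external feed was failing or paused, the audit sync events (codes audit_sync_failed, audit_sync_paused and audit_sync_restored from the Event Types table) can be paired into outage windows. This is an added example, not Keeper code; the JSON field names "created", "audit_event" and "channel", the channel value and the sample events are constructed assumptions, and it assumes a restored event closes a window.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of an exported event file (field names are assumptions,
# not Keeper's documented export schema).
SAMPLE_EXPORT = """
[{"created": 1700000000, "audit_event": "login", "username": "a@example.com"},
 {"created": 1700000300, "audit_event": "audit_sync_failed", "channel": "splunk"},
 {"created": 1700000900, "audit_event": "audit_sync_paused", "channel": "splunk"},
 {"created": 1700004500, "audit_event": "audit_sync_restored", "channel": "splunk"},
 {"created": 1700009000, "audit_event": "audit_sync_failed", "channel": "splunk"}]
"""

Window = Tuple[str, int, Optional[int], bool]


def sync_outages(export_json: str) -> List[Window]:
    """Return (channel, start, end, was_paused); end is None if still open."""
    open_windows: Dict[str, list] = {}      # channel -> [start, was_paused]
    closed: List[Window] = []
    for ev in sorted(json.loads(export_json), key=lambda e: e["created"]):
        code, channel = ev["audit_event"], ev.get("channel")
        if code == "audit_sync_failed":
            # The first failure opens the window; repeats do not move the start.
            open_windows.setdefault(channel, [ev["created"], False])
        elif code == "audit_sync_paused":
            # A pause needs a manual resume, so flag the window accordingly.
            open_windows.setdefault(channel, [ev["created"], False])[1] = True
        elif code == "audit_sync_restored" and channel in open_windows:
            start, was_paused = open_windows.pop(channel)
            closed.append((channel, start, ev["created"], was_paused))
    # Anything still open has no matching restore in the export.
    closed += [(ch, s, None, p) for ch, (s, p) in open_windows.items()]
    return closed


if __name__ == "__main__":
    for window in sync_outages(SAMPLE_EXPORT):
        print(window)
```

A window with no end time means the export contains no matching restore for that failure.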

Event Types

Within the Admin Console, the default "Recent Activity" report contains 16 event types. Keeper's new Advanced Reporting and Alerts module supports over 100 event types that can be automatically pushed to popular SIEM products such as Splunk, Sumo and QRadar. Keeper Commander, the command-line client application, can also export event data in JSON and Syslog formats.

The events captured by Keeper Enterprise are documented below. Metadata such as record identifiers and usernames are displayed as placeholders.

| ID | EVENT CODE | TYPE | CRITICAL | MESSAGE |
| --- | --- | --- | --- | --- |
| 1 | change_master_password | account | | User ${username} changed master password |
| 2 | set_two_factor_off | security | X | User ${username} set 2FA method OFF |
| 3 | change_security_question | account | | User ${username} changed security question |
| 4 | change_email | account | X | User ${username} changed email to ${to_username} |
| 5 | create_user | account | | User ${username} created |
| 6 | delete_user | security | | User ${to_username} was deleted by admin ${username} |
| 7 | fast_fill | usage | | User ${username} autofilled record UID ${record_uid} |
| 8 | login | login | | User ${username} logged in to vault |
| 9 | login_failure | login | | User ${username} login failed with code ${result_code} |
| 10 | open_record | usage | | User ${username} opened record UID ${record_uid} |
| 11 | record_add | usage | | User ${username} added record UID ${record_uid} |
| 12 | record_delete | usage | X | User ${username} sent record UID ${record_uid} to trash |
| 13 | record_remove | usage | | User ${username} removed record UID ${record_uid} |
| 14 | record_update | usage | | User ${username} updated record UID ${record_uid} |
| 15 | set_two_factor_on | security | | User ${username} set 2FA method ${channel} ON |
| 16 | share | share | | User ${username} shared record UID ${record_uid} with ${to_username}. Share status: ${status} |
| 17 | transfer_owner | share | | User ${username} transferred ownership of record UID ${record_uid} to user ${to_username} |
| 18 | change_share | share | | User ${username} changed share permissions for record UID ${record_uid} to user ${to_username} |
| 19 | remove_share | share | | User ${username} removed share of record UID ${record_uid} from user ${to_username} |
| 20 | accept_share | share | | User ${username} accepted share from user ${to_username} |
| 21 | cancel_share | share | | User ${username} canceled share from user ${to_username} |
| 22 | add_security_key | security | | User ${username} added security key |
| 23 | delete_security_key | security | X | User ${username} removed security key |
| 24 | added_folder | usage | | User ${username} created ${folder_type} folder UID ${folder_uid} |
| 25 | folder_add_user | share | | User ${username} added user ${to_username} to shared folder UID ${shared_folder_uid} |
| 26 | folder_remove_user | share | | User ${username} removed user ${to_username} from shared folder UID ${shared_folder_uid} |
| 27 | folder_add_team | share | | User ${username} added team UID ${team_uid} to shared folder UID ${shared_folder_uid} |
| 28 | folder_remove_team | share | | User ${username} removed team UID ${team_uid} from shared folder UID ${shared_folder_uid} |
| 29 | folder_add_record | share | | User ${username} added record ${record_uid} to shared folder UID ${shared_folder_uid} |
| 30 | folder_remove_record | share | | User ${username} removed record ${record_uid} from shared folder UID ${shared_folder_uid} |
| 31 | empty_trash | usage | X | User ${username} purged deleted records |
| 32 | added_shared_folder | share | | User ${username} created shared folder UID ${shared_folder_uid} |
| 33 | deleted_shared_folder | share | | User ${username} deleted shared folder UID ${shared_folder_uid} |
| 34 | deleted_folder | usage | | User ${username} deleted ${folder_type} folder UID ${folder_uid} |
| 50 | expire_password | security | | User ${to_username} master password was reset by admin ${username} |
| 51 | send_invitation | security | | User ${username} invited ${to_username} to join |
| 52 | vault_transferred | security | X | User ${from_username} vault was transferred to user ${to_username} by admin ${username} |
| 53 | added_admin_key | security | X | User ${to_username} was provided admin permissions by admin ${username} |
| 54 | added_to_role | security | | User ${to_username} was added to Role ${role_id} by admin ${username} |
| 55 | added_to_team | security | | User ${to_username} was added to Team ${team_uid} by admin ${username} |
| 56 | accept_transfer | security | | User ${username} accepted account transfer consent |
| 57 | accept_invitation | security | | User ${username} accepted invitation |
| 58 | lock_user | security | X | User ${to_username} was locked by admin ${username} |
| 59 | enable_user | security | | User ${to_username} was enabled by admin ${username} |
| 60 | set_custom_header_logo | policy | | User ${username} set custom header logo |
| 61 | set_custom_email_logo | policy | | User ${username} set custom email logo |
| 62 | set_custom_email_content | policy | | User ${username} set custom email content |
| 63 | bridge_activated | policy | X | User ${username} activated Keeper Bridge on node ${node_id} |
| 64 | sso_activated | policy | X | User ${username} activated Keeper SSO Connect on node ${node_id} |
| 65 | email_provisioning_activated | policy | X | User ${username} activated Email auto-provisioning for domain ${email_domain} on node ${node_id} |
| 66 | scim_activated | policy | X | User ${username} activated SCIM provisioning on node ${node_id} |
| 67 | role_enforcement_changed | policy | | User ${username} changed enforcement ${enforcement} to ${value} for role ${role_id} |
| 68 | login_failed_console | policy | X | User ${username} failed login to Admin Console |
| 70 | audit_sync_failed | usage | X | Audit log sync to ${channel} failed with error ${result_code} |
| 71 | audit_sync_restored | usage | | Audit log sync to ${channel} restored |
| 72 | audit_sync_paused | usage | X | Audit log sync to ${channel} paused |
| 73 | audit_alert_sent | usage | | Audit alert "${channel}" was sent to ${value} |
| 74 | login_failed_ip_whitelist | security | X | User ${username} has been blocked from IP ${ip_address} |
| 75 | decline_invitation | security | | User ${username} declined invitation |
| 76 | set_2fa_configuration | policy | | Set global 2FA configuration ${value} for node ${node} |
| 77 | report_created | policy | | Admin ${username} created report ${report_name} |
| 78 | report_modified | policy | | Admin ${username} modified report ${report_name} |
| 79 | report_deleted | policy | | Admin ${username} deleted report ${report_name} |
| 80 | record_password_change | usage | | User ${username} changed password on record UID ${record_uid} |
| 81 | added_identity | usage | | User ${username} added an identity |
| 82 | added_payment_card | usage | | User ${username} added a payment card |
| 83 | changed_identity | usage | | User ${username} changed an identity |
| 84 | changed_payment_card | usage | | User ${username} changed a payment card |
| 85 | imported_records | usage | | User ${username} imported records from ${file_format} file |
| 86 | exported_records | usage | X | User ${username} exported records to ${file_format} file |
| 87 | weak_password | password | X | User ${username} created a password that is weak |
| 88 | reused_password | password | X | User ${username} reused a password |
| 89 | revision_restored | usage | | User ${username} restored previous revision of record UID ${record_uid}' |
| 90 | record_restored | usage | | User ${username} restored deleted record UID ${record_uid} |
| 91 | high_risk_password_detected | breachwatch | X | BreachWatch detected a high-risk password for user ${username} record UID ${record_uid} |
| 92 | high_risk_password_resolved | breachwatch | | User ${username} resolved a high-risk password detected by BreachWatch for record UID ${record_uid} |
| 93 | high_risk_password_ignored | breachwatch | | User ${username} ignored a high-risk password detected by BreachWatch for record UID ${record_uid} |
| 100 | chat_message_sent | chat | | User ${username} sent a secure message |
| 101 | chat_message_received | chat | | User ${username} received a secure message |
| 102 | chat_message_destruct | chat | | User ${username} set a message to self destruct |
| 103 | chat_file_attached | chat | | User ${username} sent a file |
| 104 | chat_contact_invited | chat | | User ${username} invited ${to_username} |