Reporting & Alerts (SIEM)
The Reporting & Alerts dashboard provides an overview of the top 5 events, two built-in reports and your custom reports. The "Recent Activity" report is a built-in report that provides basic event tracking for the last 1,000 events across 16 event types. Customers can upgrade to the Advanced Reporting and Alerts module to track over 75 event types and generate custom reports and alert notifications.
The "Recent Activity" and "All Security Events" reports are provided in all Keeper Business and Enterprise subscriptions. Custom reporting and alerts is a feature of the Advanced Reporting and Alerts Module (ARAM). To take advantage of this capability, please contact your Keeper Security account manager or upgrade your subscription through the Secure Add Ons interface of the Admin Console.
Additionally, a user status report is available via the dashboard. See the Dashboard section in this guide.
Admins can also create custom reports by clicking Add Custom Report.
Preview the results by clicking Apply, and if you want to use the report in the future, click the Save button. You can export the events as a file in JSON, CSV or SysLog formats.
New events generated by Keeper vault devices can take up to 10 minutes to appear in the reporting module.
Accuracy of geolocation based on IP address varies depending on the database used to identify the user's location. The precision of geolocation data depends on several factors. Most importantly is how well registries validate the data they receive. If information connected with an IP address is incorrect, it reduces it's usefulness. Geolocation is incredibly challenging in the case of mobile phone usage where IP address changes are frequently and mobile carriers use centralized gateways that users reach the internet. Additionally, if users are using proxies or VPN's the location data will invariably be incorrect.
Keeper subscribes to one of the industries most reliable providers who performs quality assurance by validating data quality against known IP addresses sourced from the public on a regular basis.. While it is very reliable, it is not always 100% accurate.
The Timeline Chart provides a chart of events over a 24-hour, 7-day and 30-day period. Clicking on any event row will open a report containing all events from the time period.
The Alert module allows you to create event-based triggers that will generate either email or SMS-based alerts.
New alerts are created similarly to new reports, by clicking Add Alert and specifying a name and a filter criteria. You can add one or more recipients using email address, phone number (for SMS) or both. Recipients don't have to be a part of your enterprise and any email address or phone number can be provided. The first recipient is predefined to be the user who generated the event. This will be "off" by default, and you will need to toggle it "on" to enable sending the alerts (email only) to the originator.
Specifying a broad event and attribute filter could generate a lot of alerts. Adjust alert frequency and set narrow event types and filters to reduce alert noise.
To prevent the recipients from receiving too many emails or SMS, alerts can be throttled. One way to throttle is to specify Alert Frequency. For example, if you set the frequency to "Once Per Time Period" with a period of 1 hour than all events matching the alert filter will still trigger the alert "occurrence" but the message will be sent only if 1 hour has passed since the time of the previous message. Another way to throttle the alert is to pause it using the toggle switch. Paused alert will also accumulate "occurrences" without sending the actual messages. When resumed, the very next event matching the alert will trigger sending the message which will contain the number of events that happened while being on pause.
Below is an example of an email alert:
You can view the alert history in the Alerts Sent tab, with the ability to drill down to see the individual events:
If you are utilizing a 3rd party SIEM solution, the Keeper Admin Console can be configured to automatically feed live event data into external SIEM products. Currently supported systems include:
Splunk
Sumo Logic
AWS S3 Bucket
IBM QRadar
Azure Log Analytics
LogRhythm
Only one method of the external sync can be active at a time.
Click Setup to activate the external logging solution.
Setup is easy on each logging platform and typically only requires a few attributes to integrate. For example, Splunk only requires three fields: Host, Port, & Token.
The standard form for the HEC URL in self-service Splunk Cloud is as follows:
<protocol>://input-<host>:<port>/<endpoint>
Host: Example: input-prd-p-2dm85a8f6db.cloud.splunk.com Port: 8088 Token: HEC token generated in Splunk
The standard form for the HEC URL in managed Splunk Cloud is as follows:
<protocol>://http-inputs-<host>:<port>/<endpoint>
Host: Example: http-inputs-prd-p-2dm85a8f6db.splunkcloud.com Port: 443 Token: HEC token generated in Splunk
LogRhythm, Syslog and QRadar share a common "Syslog" push capability.
Ports TCP Ports 514 and 6514 (TLS)
Fields Exported "audit_event", "username", "client_version", "remote_address", "channel", "result_code", "email", "to_username", "client_version_new","username_new", "file_format", "record_uid", "folder_uid", "folder_type", "shared_folder_uid", "attachment_id", "team_uid", "role_id"
Payload Format Pipe-delimited, e.g. "audit_event=login|username=bob@foo.com|..."
Event logs are pushed from Keeper's backend logging system through a static set of IP addresses. Please ensure that your SIEM HTTP collector IP/port is open to the below addresses.
US / Global
34.194.242.137
18.235.39.229
54.208.20.102 (Connection verification only)
EU / Dublin
54.246.149.209
34.250.37.43
52.210.163.45 (Connection verification only)
After external logging is established, it might be automatically put on pause if the external system becomes unavailable and the number of the events in the queue reaches a threshold of 50. If this happens, you will have to manually resume the external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you get notified if the external logging is broken.
External logging is real-time, new events appear almost immediately in the external system. The exception is AWS S3 Bucket, which operates on a time frame you set for writing to the bucket. For example, if you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.
Within the Admin Console, the default "Recent Activity" report contains 16 event types. Keeper's Advanced Reporting and Alert module supports over 75 event types.
The events captured by Keeper Enterprise are visible in the drop-down menus for report and alert configuration.
By default, BreachWatch events from the end-user devices are not collected and transmitted to the Advanced Reporting & Alerts module. These events are managed by the Role policy. To activate this feature, visit the Role > Enforcement Policies > Vault Features and toggle Send BreachWatch events to Reporting & Alerts and connected external logging systems "on".
In addition to using the user interface for generating custom reports, Keeper supports a command-line interface (CLI) and Python SDK to programmatically generate reports. Keeper Commander is an open source tool that provides command-line access and automation / integration capabilities.
Download Keeper Commander here, https://github.com/Keeper-Security/Commander.
For example, below is a screenshot of the "audit-report" command usage which can be used to generate custom reports through the CLI:
Keeper Commander also integrates into 3rd party SIEM solutions that operate on-premise. For a comprehensive look at how Keeper Commander can be utilized in your environment, please visit the Keeper Commander SDK on Github. If you require assistance with Keeper Commander, please contact commander@keepersecurity.com.
A list of all available events captured by the Keeper Advanced Reporting and Alert Module are provided in the chart below. The Event Code is utilized in the user interface and within the Keeper Commander CLI command parameters. The "Message" field is utilized for the Alerting module.
Within each event, there may be additional attributes such as Record UID, Shared Folder UID, Team UID, Username, etc. These attributes will appear within the event description and they are also provided to the 3rd party SIEM provider in the format as specified by the destination.
Event Code | Category | Message | Comments |
change_master_password | account | User ${username} changed master password | |
set_two_factor_off | security | User ${username} set 2FA method OFF | |
change_security_question | account | User ${username} changed security question | |
change_email | account | User ${username} changed email. Previous email ${email} | |
alias_added | account | User ${username} added alternative email ${email} | |
create_user | security | User ${username} created | |
delete_user | security | User ${to_username} was deleted by admin ${username} | |
fast_fill | usage | User ${username} autofilled record UID ${record_uid} | |
login | login | User ${username} logged in to vault | Optional: "channel" |
login_failure | login | User ${username} login failed with code ${result_code} | Optional: "channel" |
open_record | usage | User ${username} opened record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
record_add | usage | User ${username} added record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
record_delete | usage | User ${username} sent record UID ${record_uid} to trash | Optional: "folder_type", "folder_uid" |
record_remove | usage | User ${username} removed record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
record_update | usage | User ${username} updated record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
set_two_factor_on | security | User ${username} set 2FA method ${channel} ON | |
share | share | User ${username} shared record UID ${record_uid} with ${to_username} | |
transfer_owner | share | User ${username} transferred ownership of record UID ${record_uid} to user ${to_username} | |
change_share | share | User ${username} changed share permissions for record UID ${record_uid} to user ${to_username} | This event log changes on record share to user record share includes permissions to re-share and edit |
remove_share | share | User ${username} removed share of record UID ${record_uid} from user ${to_username} | |
accept_share | share | User ${username} accepted share from user ${to_username} | |
cancel_share | share | User ${username} canceled share from user ${to_username} | |
add_security_key | security | User ${username} added security key | |
delete_security_key | security | User ${username} removed security key | |
added_folder | usage | User ${username} created ${folder_type} folder UID ${folder_uid} | |
folder_add_user | share | User ${username} added user ${to_username} to shared folder UID ${shared_folder_uid} | |
folder_remove_user | share | User ${username} removed user ${to_username} from shared folder UID ${shared_folder_uid} | |
folder_add_team | share | User ${username} added team UID ${team_uid} to shared folder UID ${shared_folder_uid} | |
folder_remove_team | share | User ${username} removed team UID ${team_uid} from shared folder UID ${shared_folder_uid} | |
folder_add_record | share | User ${username} added record ${record_uid} to shared folder UID ${shared_folder_uid} | |
folder_remove_record | share | User ${username} removed record ${record_uid} from shared folder UID ${shared_folder_uid} | |
empty_trash | usage | User ${username} purged deleted records | |
added_shared_folder | share | User ${username} created shared folder UID ${shared_folder_uid} | |
deleted_shared_folder | share | User ${username} deleted shared folder UID ${shared_folder_uid} | |
deleted_folder | usage | User ${username} deleted ${folder_type} folder UID ${folder_uid} | |
folder_change_user | share | User ${username} changed user ${to_username} permissions to shared folder UID ${shared_folder_uid} | |
folder_change_team | share | User ${username} changed team UID ${team_uid} permissions to shared folder UID ${shared_folder_uid} | |
folder_change_record | share | User ${username} changed record ${record_uid} permissions to shared folder UID ${shared_folder_uid} | |
record_share_outside_user | share | User ${username} shared record UID ${record_uid} outside the company with user ${to_username} | |
folder_add_outside_user | share | User ${username} added outside the company user ${to_username} to shared folder UID ${shared_folder_uid} | |
node_created | policy | User ${username} created node ${node} | |
node_deleted | policy | User ${username} deleted node ${node} | |
role_created | policy | User ${username} created role ${role_id} | |
role_deleted | policy | User ${username} deleted role ${role_id} | |
team_created | policy | User ${username} created team ${team_uid} | |
team_deleted | policy | User ${username} deleted team ${team_uid} | |
login_console | login | User ${username} logged into Admin Console | |
expire_password | security | User ${to_username} master password was reset by admin ${username} | |
send_invitation | security | User ${username} invited ${to_username} to join | |
vault_transferred | security | User ${from_username} vault was transferred to user ${to_username} by admin ${username} | |
added_admin_key | security | User ${to_username} was provided admin permissions by admin ${username} | |
added_to_role | security | User ${to_username} was added to Role ${role_id} by admin ${username} | |
added_to_team | share | User ${to_username} was added to Team ${team_uid} by admin ${username} | |
accept_transfer | security | User ${username} accepted account transfer consent | |
accept_invitation | security | User ${username} accepted invitation | |
lock_user | security | User ${to_username} was locked by admin ${username} | |
enable_user | security | User ${to_username} was enabled by admin ${username} | |
set_custom_header_logo | policy | User ${username} set custom header logo | |
set_custom_email_logo | policy | User ${username} set custom email logo | |
set_custom_email_content | policy | User ${username} set custom email content | |
bridge_activated | policy | User ${username} activated Keeper Bridge on node ${node} | |
sso_activated | policy | User ${username} activated Keeper SSO Connect on node ${node} | |
email_provisioning_activated | policy | User ${username} activated Email auto-provisioning for domain ${email_domain} on node ${node} | |
scim_activated | policy | User ${username} activated SCIM provisioning on node ${node} | |
role_enforcement_changed | policy | User ${username} changed enforcement ${enforcement} to ${value} for role ${role_id} | |
login_failed_console | security | User ${username} failed login to Admin Console | Optional: "channel" |
audit_sync_failed | usage | Audit log sync to ${channel} failed with error ${result_code} | |
audit_sync_restored | usage | Audit log sync to ${channel} restored | |
audit_sync_resumed | usage | Admin ${username} resumed audit log sync to ${channel} | |
audit_sync_paused | usage | Audit log sync to ${channel} paused | |
audit_sync_setup | policy | Admin ${username} set up audit log sync to "${name}" | |
audit_sync_removed | policy | Admin ${username} removed audit log sync to "${name}" | |
audit_alert_sent | usage | Audit alert "${channel}" was sent to ${recipient} | Optional: "parent_id" |
login_failed_ip_whitelist | security | User ${username} has been blocked from IP ${ip_address} | |
decline_invitation | security | User ${username} declined invitation | |
set_2fa_configuration | policy | Set global 2FA configuration ${value} for node ${node} | |
report_created | policy | Admin ${username} created report ${report_name} | |
report_modified | policy | Admin ${username} modified report ${report_name} | |
report_deleted | policy | Admin ${username} deleted report ${report_name} | |
record_password_change | usage | User ${username} changed password on record UID ${record_uid} | |
added_identity | usage | User ${username} added an identity | |
added_payment_card | usage | User ${username} added a payment card | |
changed_identity | usage | User ${username} changed an identity | |
changed_payment_card | usage | User ${username} changed a payment card | |
copy_password | usage | User ${username} copied password to clipboard on record UID ${record_uid} | |
imported_records | usage | User ${username} imported records from ${file_format} file | N/A for IOS |
exported_records | usage | User ${username} exported records to ${file_format} file | N/A for IOS |
weak_password | password | User ${username} created a password that is weak | N/A |
reused_password | password | User ${username} reused a password | |
revision_restored | usage | User ${username} restored previous revision of record UID ${record_uid}' | |
record_restored | usage | User ${username} restored deleted record UID ${record_uid} | |
high_risk_password_detected | breachwatch | BreachWatch detected a high-risk password for user ${username} record UID ${record_uid} | N/A |
high_risk_password_resolved | breachwatch | User ${username} resolved a high-risk password detected by BreachWatch for record UID ${record_uid} | N/A |
high_risk_password_ignored | breachwatch | User ${username} ignored a high-risk password detected by BreachWatch for record UID ${record_uid} | N/A |
chat_message_sent | chat | User ${username} sent a secure message | |
chat_message_received | chat | User ${username} received a secure message | |
chat_message_destruct | chat | User ${username} set a message to self destruct | |
chat_file_attached | chat | User ${username} sent a file | |
chat_contact_added | chat | User ${username} invited ${to_username} as contact | |
chat_login | chat | User ${username} logged in to KeeperChat | |
chat_login_failed | chat | User ${username} login failed to KeeperChat with code ${result_code} | |
file_attachment_uploaded | usage | User ${username} uploaded file attachment UID ${attachment_id} on record UID ${record_uid} | |
file_attachment_downloaded | usage | User ${username} downloaded file attachment UID ${attachment_id} on record UID ${record_uid} | |
file_attachment_deleted | usage | User ${username} deleted file attachment UID ${attachment_id} on record UID ${record_uid} | |
audit_alert_created | policy | Admin ${username} created audit alert "${name}" | |
audit_alert_deleted | policy | Admin ${username} deleted audit alert "${name}" | |
audit_alert_paused | policy | Admin ${username} paused audit alert "${name}" for user ${recipient} | |
audit_alert_resumed | policy | Admin ${username} resumed audit alert "${name}" for user ${recipient} | |
bw_record_high_risk | breachwatch | User ${username} was notified of a high risk password | |
bw_record_ignored | breachwatch | User ${username} ignored high risk password | |
bw_record_resolved | breachwatch | User ${username} resolved a high risk password | |
msp_attaches_mc | msp | User ${username} attached enterprise ${enterprise} to node ${node} | |
msp_increases_mc_seats | msp | User ${username} increased number of seats for enterprise ${enterprise} by ${seats_added} | |
msp_decreases_mc_seats | msp | User ${username} decreased number of seats for enterprise ${enterprise} by ${seats_removed} | |
msp_changes_mc_plan | msp | User ${username} changed plan for enterprise ${enterprise} to ${plan} | |
msp_renames_mc | msp | User ${username} renamed enterprise ${enterprise} to ${enterprise_new} | |
msp_pauses_mc | msp | User ${username} paused enterprise ${enterprise}, ${plan}, ${seats} seats | |
msp_resumes_mc | msp | User ${username} resumed enterprise ${enterprise}, ${plan}, ${seats} seats | |
msp_removes_mc | msp | User ${username} removed enterprise ${enterprise}, ${plan}, ${seats} seats | |
msp_deletes_mc | msp | User ${username} deleted enterprise ${enterprise}, ${plan}, ${seats} seats | |
msp_creates_mc | msp | User ${username} registered enterprise ${enterprise}, ${plan}, ${seats} seats | |
enterprise_2fa_disabled_by_admin | security | Admin ${username} disabled 2FA for user ${to_username} | |
reauthentication_reprompt_success | security | User ${username} re-authentication succeeded | |
reauthentication_reprompt_throttle | security | User ${username} re-authentication throttled | |
scim_access_failure | security | SCIM provisioning on node ${node} failed to authenticate ${failure_count} times. Token ${token_id}... | |
device_approved | security | Device ${deviceName} is approved for user ${username} | |
device_admin_approval_requested | security | User ${username} requested admin approval for device ${deviceName} | |
device_approved_by_admin | security | Admin ${username} approved device ${deviceName} for user ${to_username} | |
out_of_seats | policy | License has reached the maximum allowed users for ${enterprise} | |
Below are examples of 2 events in JSON format that are sent. Note that Record UID is provided with the "record_update" event since it relates to a specific record.
{"record_uid" : "Uk6qLnfWVxWL9OQlsGdOUw","audit_event" : "record_update","remote_address" : "155.65.556.130","client_version" : "Browser Extensions.12.3.0","timestamp" : "2019-02-14T22:41:12.027Z","username" : "testing@keepersecurity.com"}{"audit_event" : "login","remote_address" : "168.123.45.130","client_version" : "Web App.14.2.4","timestamp" : "2019-02-14T22:40:08.655Z","username" : "demo@keepersecurity.com","client_version_new" : true}
Below is an example of a Syslog-format event that can be exported via Keeper Commander or into the 3rd party SIEM solution:
<110>1 2019-02-14T21:34:47Z 46.45.253.15 Keeper - 1132431639 [Keeper@Commander geo_location="Chicago, IL, US" keeper_version_category="MOBILE" audit_event_type="login_failure" keeper_version="iPhone 14.2.0" result_code="auth_failed" username="testing@keepersecurity.com" node_id="47377784242178"] User testing@keepersecurity.com login failed with code auth_failed
The event data references several types of UID values such as Record UID, Shared Folder UID and Team UID. The Record UID and Shared Folder UID can be found either through the Keeper Commander CLI or through the Web Vault user interface.
