Advanced Reporting and Alerts
Keeper's Advanced Reporting and Alerts module provides event logging and log event tracking for over 100 event types, ability to send event based alerts and can log your events to an external system.
Reports provide you with a built-in line chart for top events, and two built-in reports, for recent activity and security-related events. You can create your own reports by clicking "Add Custom Report" and specifying a name, a filter criteria and columns to display:
Preview the results by clicking "Apply", and if you want to use the report in the future, click the "Save" button. Additionally, you can export the events as a file in JSON, CSV or SysLog formats.
New events are not immediately available for reports, there is a delay 1 to 10 minutes before they can be displayed in a report.
New alerts are created similarly to new reports, by clicking "Add Alert" and specifying a name and a filter criteria. You would also add one or more recipients, using email, phone number or both. Recipients don't have to be a part of your enterprise, any email address or phone number would work. The first recipient is a predefined one - it is the user who generated the event. It is "off" by default, you need to toggle the switch to enable sending the alerts (email only) to the originator.
To prevent the recipients from receiving too many emails or SMS, alerts can be "throttled". One way to throttle is to specify Alert Frequency. For example, if you set the frequency to "Once Per Time Period" with a period of 1 hour than all events matching the alert filter will still trigger the alert "occurrence" but the message will be sent only if 1 hour passed since the time of the previous message. Another way to "throttle" the alert is to put it on pause using the toggle switch. Paused alert will also accumulate "occurrences" without sending the actual messages. When resumed, the very next event matching the alert will trigger sending the message which will contain the number of events that happened while being on pause.
Here is how a sample email alert looks like:
You can view the alert history in the "Alerts Sent" tab, with the ability to drill down to see the individual events:
If Keeper Admin Console reporting capabilities are not meeting your needs, you can set up logging of the Keeper events to an external system. Four systems are currently supported, Splunk (via HTTP Event Collector), Sumo Logic (via HTTP Logs and metrics Source), AWS S3 Bucket (via bucket name/access credentials) and IBM QRadar (via Syslog push). Only one method of the external sync can be active at a time. After external logging is established, it might be automatically put on pause if the external system becomes unavailable and the number of the events in the queue reaches a threshold of 50. If this happens, you will have to manually resume the external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you get notified if the external logging is broken.
External logging is real-time, new events appear almost immediately in the external system. The exception is AWS S3 Bucket, which operates on a time frame you set for writing to the bucket. For example, if you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.
Within the Admin Console, the default "Recent Activity" report contains 16 event types. Keeper's new Advanced Reporting and alert module supports over 100 event types that can be automatically pushed to popular SIEM products such as Splunk, Sumo and QRadar. Keeper Commander, the command-line client application can also export event data in JSON and Syslog format.
The events captured by Keeper Enterprise are documented below. Metadata such as record identifiers and usernames are displayed as placeholders.
ID | EVENT CODE | TYPE | CRITICAL | MESSAGE |
1 | change_master_password | account | ​ | User ${username} changed master password |
2 | set_two_factor_off | security | X | User ${username} set 2FA method OFF |
3 | change_security_question | account | ​ | User ${username} changed security question |
4 | change_email | account | X | User ${username} changed email to ${to_username} |
5 | create_user | account | ​ | User ${username} created |
6 | delete_user | security | ​ | User ${to_username} was deleted by admin ${username} |
7 | fast_fill | usage | ​ | User ${username} autofilled record UID ${record_uid} |
8 | login | login | ​ | User ${username} logged in to vault |
9 | login_failure | login | ​ | User ${username} login failed with code ${result_code} |
10 | open_record | usage | ​ | User ${username} opened record UID ${record_uid} |
11 | record_add | usage | ​ | User ${username} added record UID ${record_uid} |
12 | record_delete | usage | X | User ${username} sent record UID ${record_uid} to trash |
13 | record_remove | usage | ​ | User ${username} removed record UID ${record_uid} |
14 | record_update | usage | ​ | User ${username} updated record UID ${record_uid} |
15 | set_two_factor_on | security | ​ | User ${username} set 2FA method ${channel} ON |
16 | share | share | ​ | User ${username} shared record UID ${record_uid} with ${to_username}. Share status: ${status} |
17 | transfer_owner | share | ​ | User ${username} transferred ownership of record UID ${record_uid} to user ${to_username} |
18 | change_share | share | ​ | User ${username} changed share permissions for record UID ${record_uid} to user ${to_username} |
19 | remove_share | share | ​ | User ${username} removed share of record UID ${record_uid} from user ${to_username} |
20 | accept_share | share | ​ | User ${username} accepted share from user ${to_username} |
21 | cancel_share | share | ​ | User ${username} canceled share from user ${to_username} |
22 | add_security_key | security | ​ | User ${username} added security key |
23 | delete_security_key | security | X | User ${username} removed security key |
24 | added_folder | usage | ​ | User ${username} created ${folder_type} folder UID ${folder_uid} |
25 | folder_add_user | share | ​ | User ${username} added user ${to_username} to shared folder UID ${shared_folder_uid} |
26 | folder_remove_user | share | ​ | User ${username} removed user ${to_username} from shared folder UID ${shared_folder_uid} |
27 | folder_add_team | share | ​ | User ${username} added team UID ${team_uid} to shared folder UID ${shared_folder_uid} |
28 | folder_remove_team | share | ​ | User ${username} removed team UID ${team_uid} from shared folder UID ${shared_folder_uid} |
29 | folder_add_record | share | ​ | User ${username} added record ${record_uid} to shared folder UID ${shared_folder_uid} |
30 | folder_remove_record | share | ​ | User ${username} removed record ${record_uid} from shared folder UID ${shared_folder_uid} |
31 | empty_trash | usage | X | User ${username} purged deleted records |
32 | added_shared_folder | share | ​ | User ${username} created shared folder UID ${shared_folder_uid} |
33 | deleted_shared_folder | share | ​ | User ${username} deleted shared folder UID ${shared_folder_uid} |
34 | deleted_folder | usage | ​ | User ${username} deleted ${folder_type} folder UID ${folder_uid} |
50 | expire_password | security | ​ | User ${to_username} master password was reset by admin ${username} |
51 | send_invitation | security | ​ | User ${username} invited ${to_username} to join |
52 | vault_transferred | security | X | User ${from_username} vault was transferred to user ${to_username} by admin ${username} |
53 | added_admin_key | security | X | User ${to_username} was provided admin permissions by admin ${username} |
54 | added_to_role | security | ​ | User ${to_username} was added to Role ${role_id} by admin ${username} |
55 | added_to_team | security | ​ | User ${to_username} was added to Team ${team_uid} by admin ${username} |
56 | accept_transfer | security | ​ | User ${username} accepted account transfer consent |
57 | accept_invitation | security | ​ | User ${username} accepted invitation |
58 | lock_user | security | X | User ${to_username} was locked by admin ${username} |
59 | enable_user | security | ​ | User ${to_username} was enabled by admin ${username} |
60 | set_custom_header_logo | policy | ​ | User ${username} set custom header logo |
61 | set_custom_email_logo | policy | ​ | User ${username} set custom email logo |
62 | set_custom_email_content | policy | ​ | User ${username} set custom email content |
63 | bridge_activated | policy | X | User ${username} activated Keeper Bridge on node ${node_id} |
64 | sso_activated | policy | X | User ${username} activated Keeper SSO Connect on node ${node_id} |
65 | email_provisioning_activated | policy | X | User ${username} activated Email auto-provisioning for domain ${email_domain} on node ${node_id} |
66 | scim_activated | policy | X | User ${username} activated SCIM provisioning on node ${node_id} |
67 | role_enforcement_changed | policy | ​ | User ${username} changed enforcement ${enforcement} to ${value} for role ${role_id} |
68 | login_failed_console | policy | X | User ${username} failed login to Admin Console |
70 | audit_sync_failed | usage | X | Audit log sync to ${channel} failed with error ${result_code} |
71 | audit_sync_restored | usage | ​ | Audit log sync to ${channel} restored |
72 | audit_sync_paused | usage | X | Audit log sync to ${channel} paused |
73 | audit_alert_sent | usage | ​ | Audit alert "${channel}" was sent to ${value} |
74 | login_failed_ip_whitelist | security | X | User ${username} has been blocked from IP ${ip_address} |
75 | decline_invitation | security | ​ | User ${username} declined invitation |
76 | set_2fa_configuration | policy | ​ | Set global 2FA configuration ${value} for node ${node} |
77 | report_created | policy | ​ | Admin ${username} created report ${report_name} |
78 | report_modified | policy | ​ | Admin ${username} modified report ${report_name} |
79 | report_deleted | policy | ​ | Admin ${username} deleted report ${report_name} |
80 | record_password_change | usage | ​ | User ${username} changed password on record UID ${record_uid} |
81 | added_identity | usage | ​ | User ${username} added an identity |
82 | added_payment_card | usage | ​ | User ${username} added a payment card |
83 | changed_identity | usage | ​ | User ${username} changed an identity |
84 | changed_payment_card | usage | ​ | User ${username} changed a payment card |
85 | imported_records | usage | ​ | User ${username} imported records from ${file_format} file |
86 | exported_records | usage | X | User ${username} exported records to ${file_format} file |
87 | weak_password | password | X | User ${username} created a password that is weak |
88 | reused_password | password | X | User ${username} reused a password |
89 | revision_restored | usage | ​ | User ${username} restored previous revision of record UID ${record_uid}' |
90 | record_restored | usage | ​ | User ${username} restored deleted record UID ${record_uid} |
91 | high_risk_password_detected | breachwatch | X | BreachWatch detected a high-risk password for user ${username} record UID ${record_uid} |
92 | high_risk_password_resolved | breachwatch | ​ | User ${username} resolved a high-risk password detected by BreachWatch for record UID ${record_uid} |
93 | high_risk_password_ignored | breachwatch | ​ | User ${username} ignored a high-risk password detected by BreachWatch for record UID ${record_uid} |
100 | chat_message_sent | chat | ​ | User ${username} sent a secure message |
101 | chat_message_received | chat | ​ | User ${username} received a secure message |
102 | chat_message_destruct | chat | ​ | User ${username} set a message to self destruct |
103 | chat_file_attached | chat | ​ | User ${username} sent a file |
104 | chat_contact_invited | chat | ​ | User ${username} invited ${to_username} |
​ | ​ | ​ | ​ |
​ | ​ | ​ | ​ |