Reporting, Alerts & SIEM
Keeper's Advanced Reporting and Alerts Module (ARAM) provides advanced event logging to meet compliance requirements.

Overview

Keeper's Advanced Reporting & Alerts Module ("ARAM") is a critical component of the Keeper Security platform which provides Keeper Administrators and Compliance teams tools for monitoring overall usage and adherence to policies.

Key Capabilities

    Reporting Engine Run custom time-based reports with 100+ different event types that are broken down by category (e.g. Security Events, Administrative Actions, General Usage, etc). Filter on User, Event Type, Attribute (e.g. Record UID, Shared Folder UID, Geolocation).
    Alerts Set alert triggers which can send email, SMS or Webhook notifications based on specific event types (For example, notify Admins upon any policy changes).
    External Logging Integrate with any existing SIEM solution such as Splunk, Sumo or LogRhythm.
    BreachWatch monitoring Get notified and track BreachWatch events (user notified of high risk password, resolved high risk password).
    Commander CLI / SDK Integration Keeper Commander can perform customized reporting and automation.
    Compliance Auditing Generate reports specifically to address SOX, ISO, SOC compliance auditing requirements.

Reporting Interface

The Reporting & Alerts dashboard provides an overview of the top 5 events, two built-in reports and your custom reports. The "Recent Activity" report is a built-in report that provides basic event tracking for the last 1,000 events across 16 event types. Customers can upgrade to the Advanced Reporting and Alerts module to track over 100 event types and generate custom reports and alert notifications.
The "Recent Activity" and "All Security Events" reports are provided in all Keeper Business and Enterprise subscriptions. Custom reporting and alerts are a feature of the Advanced Reporting and Alerts Module (ARAM). To take advantage of this capability, please contact your Keeper Security account manager or upgrade your subscription through the Secure Add Ons interface of the Admin Console.
Additionally, a user status report is available via the dashboard. See the Dashboard section in this guide.
Admins can also create custom reports by clicking Add Custom Report.
Preview the results by clicking Apply, and if you want to use the report in the future, click the Save button. You can export the events as a file in JSON, CSV or Syslog format.
New events generated by Keeper vault devices can take up to 10 minutes to appear in the reporting module.

Geolocation based on IP address

Accuracy of geolocation based on IP address varies depending on the database used to identify the user's location. The precision of geolocation data depends on several factors, most importantly how well registries validate the data they receive. If the information associated with an IP address is incorrect, its usefulness is reduced. Geolocation is especially challenging for mobile phone usage, where IP addresses change frequently and mobile carriers use centralized gateways through which users reach the internet. Additionally, if users are behind proxies or VPNs, the location data will invariably be incorrect.
Keeper subscribes to one of the industry's most reliable providers, which performs quality assurance by regularly validating data quality against known IP addresses sourced from the public.

Timeline Chart

The Timeline Chart provides a chart of events over a 24-hour, 7-day and 30-day period. Clicking on any event row will open a report containing all events from the time period.

Alerts

The Alert module allows you to create event-based triggers that will generate either email or SMS-based alerts.
New alerts are created similarly to new reports, by clicking Add Alert and specifying a name and filter criteria. You can add one or more recipients using an email address, a phone number (for SMS) or both. Recipients don't have to be part of your enterprise; any email address or phone number can be provided. The first recipient is predefined to be the user who generated the event. This is "off" by default, and you will need to toggle it "on" to enable sending the alerts (email only) to the originator.
Specifying a broad event and attribute filter could generate a lot of alerts. Adjust alert frequency and set narrow event types and filters to reduce alert noise.
To prevent the recipients from receiving too many emails or SMS messages, alerts can be throttled. One way to throttle is to specify the Alert Frequency. For example, if you set the frequency to "Once Per Time Period" with a period of 1 hour, then every event matching the alert filter will still count as an alert "occurrence", but a message will be sent only if 1 hour has passed since the previous message. Another way to throttle the alert is to pause it using the toggle switch. A paused alert also accumulates "occurrences" without sending the actual messages. When resumed, the very next event matching the alert triggers a message, which contains the number of events that occurred while the alert was paused.
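The throttling behaviour described above (occurrences always counted, messages delivered at most once per period, pause accumulating, resume delivering on the next match) is easy to misread when tuning alert noise, so here is an added simulation of it. This is example code written for this page, not Keeper's implementation; it assumes timestamps and the period are in seconds, and that resuming a paused alert clears the throttle window so the very next matching event is delivered.

```python
"""Simulation of ARAM-style alert throttling (added example, not Keeper code).
Assumptions: timestamps and the period are seconds; resuming a paused alert
clears the throttle window so the next matching event sends a message."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ThrottledAlert:
    name: str
    event_types: Set[str]            # the alert's event-type filter
    period: float                    # "Once Per Time Period" window, in seconds (assumed unit)
    paused: bool = False
    occurrences: int = 0             # matching events not yet reported in a message
    last_sent: Optional[float] = None
    sent: List[dict] = field(default_factory=list)

    def pause(self) -> None:
        self.paused = True

    def resume(self) -> None:
        # Assumption: resuming resets the window so the next match is delivered.
        self.paused = False
        self.last_sent = None

    def observe(self, event: dict) -> Optional[dict]:
        """Feed one event. Returns the message sent, or None when only an
        occurrence was recorded (throttled or paused) or the filter did not match."""
        if event["audit_event"] not in self.event_types:
            return None
        self.occurrences += 1            # every match counts as an occurrence
        if self.paused:
            return None
        now = event["ts"]
        if self.last_sent is not None and now - self.last_sent < self.period:
            return None                  # inside the window: accumulate only
        message = {
            "alert": self.name,
            "ts": now,
            "occurrences": self.occurrences,   # includes events accumulated while throttled/paused
            "last_event": event["audit_event"],
            "username": event.get("username"),
        }
        self.sent.append(message)
        self.last_sent = now
        self.occurrences = 0
        return message


def demo() -> List[dict]:
    """Replay a constructed event stream against a 1-hour 'Once Per Time Period' alert."""
    alert = ThrottledAlert(name="vault login failures", event_types={"login_failure"}, period=3600)
    stream = [
        {"ts": 0,    "audit_event": "login_failure", "username": "alice@example.com"},   # sent (1 occurrence)
        {"ts": 600,  "audit_event": "login_failure", "username": "alice@example.com"},   # throttled
        {"ts": 1200, "audit_event": "login",         "username": "alice@example.com"},   # not in filter
        {"ts": 3700, "audit_event": "login_failure", "username": "alice@example.com"},   # sent (2 occurrences)
    ]
    for ev in stream:
        alert.observe(ev)
    alert.pause()
    for ts in (4000, 4100):                                # accumulate while paused
        alert.observe({"ts": ts, "audit_event": "login_failure", "username": "alice@example.com"})
    alert.resume()
    alert.observe({"ts": 4200, "audit_event": "login_failure", "username": "alice@example.com"})  # sent (3 occurrences)
    return alert.sent


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Running `demo()` yields three messages carrying 1, 2 and 3 occurrences: the throttled event at 600 s is folded into the message at 3700 s, and the two events seen while paused are reported by the first message after resume.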
Below is an example of an email alert:
You can view the alert history in the Alerts Sent tab, with the ability to drill down to see the individual events:

External SIEM Logging

If you are utilizing a 3rd party SIEM solution, the Keeper Admin Console can be configured to automatically feed live event data into external SIEM products. Currently supported systems include:
    Splunk
    Sumo Logic
    AWS S3 Bucket
    IBM QRadar
    Azure Log Analytics
    LogRhythm
    Syslog Push
Event data is transmitted from Keeper's servers to the destination SIEM collector. Only one method of the external sync can be active at a time.
Click Setup to activate the external logging solution. Setup is easy on each logging platform and typically only requires a few attributes to integrate.

Event Types

Within the Admin Console, the default "Recent Activity" report contains 16 event types. Keeper's Advanced Reporting and Alerts module supports approximately 100 event types.
The events captured by Keeper Enterprise are visible in the drop-down menus for report and alert configuration.
Event Type Filter

Enabling BreachWatch Events

By default, BreachWatch events from end-user devices are not collected and transmitted to the Advanced Reporting & Alerts module. These events are governed by the Role policy. To activate this feature, go to Role > Enforcement Policies > Vault Features and toggle Send BreachWatch events to Reporting & Alerts and connected external logging systems "on".
Enable BreachWatch Events

Event List

A list of all available events captured by the Keeper Advanced Reporting and Alerts Module is provided in the chart below. The Event Code is used in the user interface and in Keeper Commander CLI command parameters. The "Message" field is used by the Alerting module.
Within each event, there may be additional attributes such as Record UID, Shared Folder UID, Team UID, Username, etc. These attributes will appear within the event description and they are also provided to the 3rd party SIEM provider in the format as specified by the destination.
| Event Code | Category | Message | Comments |
|---|---|---|---|
| change_master_password | account | User ${username} changed master password | |
| set_two_factor_off | security | User ${username} set 2FA method OFF | |
| change_security_question | account | User ${username} changed security question | |
| change_email | account | User ${username} changed email. Previous email ${email} | |
| alias_added | account | User ${username} added alternative email ${email} | |
| create_user | security | User ${username} created | |
| delete_user | security | User ${to_username} was deleted by admin ${username} | |
| fast_fill | usage | User ${username} autofilled record UID ${record_uid} | |
| login | login | User ${username} logged in to vault | Optional: "channel" |
| login_failure | login | User ${username} login failed with code ${result_code} | Optional: "channel" |
| open_record | usage | User ${username} opened record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
| record_add | usage | User ${username} added record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
| record_delete | usage | User ${username} sent record UID ${record_uid} to trash | Optional: "folder_type", "folder_uid" |
| record_remove | usage | User ${username} removed record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
| record_update | usage | User ${username} updated record UID ${record_uid} | Optional: "folder_type", "folder_uid" |
| set_two_factor_on | security | User ${username} set 2FA method ${channel} ON | |
| share | share | User ${username} shared record UID ${record_uid} with ${to_username} | |
| transfer_owner | share | User ${username} transferred ownership of record UID ${record_uid} to user ${to_username} | |
| change_share | share | User ${username} changed share permissions for record UID ${record_uid} to user ${to_username} | This event logs changes to a record share with a user; a record share includes permissions to re-share and edit |
| remove_share | share | User ${username} removed share of record UID ${record_uid} from user ${to_username} | |
| accept_share | share | User ${username} accepted share from user ${to_username} | |
| cancel_share | share | User ${username} canceled share from user ${to_username} | |
| add_security_key | security | User ${username} added security key | |
| delete_security_key | security | User ${username} removed security key | |
| added_folder | usage | User ${username} created ${folder_type} folder UID ${folder_uid} | |
| folder_add_user | share | User ${username} added user ${to_username} to shared folder UID ${shared_folder_uid} | |
| folder_remove_user | share | User ${username} removed user ${to_username} from shared folder UID ${shared_folder_uid} | |
| folder_add_team | share | User ${username} added team UID ${team_uid} to shared folder UID ${shared_folder_uid} | |
| folder_remove_team | share | User ${username} removed team UID ${team_uid} from shared folder UID ${shared_folder_uid} | |
| folder_add_record | share | User ${username} added record ${record_uid} to shared folder UID ${shared_folder_uid} | |
| folder_remove_record | share | User ${username} removed record ${record_uid} from shared folder UID ${shared_folder_uid} | |
| empty_trash | usage | User ${username} purged deleted records | |
| added_shared_folder | share | User ${username} created shared folder UID ${shared_folder_uid} | |
| deleted_shared_folder | share | User ${username} deleted shared folder UID ${shared_folder_uid} | |
| deleted_folder | usage | User ${username} deleted ${folder_type} folder UID ${folder_uid} | |
| folder_change_user | share | User ${username} changed user ${to_username} permissions to shared folder UID ${shared_folder_uid} | |
| folder_change_team | share | User ${username} changed team UID ${team_uid} permissions to shared folder UID ${shared_folder_uid} | |
| folder_change_record | share | User ${username} changed record ${record_uid} permissions to shared folder UID ${shared_folder_uid} | |
| record_share_outside_user | share | User ${username} shared record UID ${record_uid} outside the company with user ${to_username} | |
| folder_add_outside_user | share | User ${username} added outside the company user ${to_username} to shared folder UID ${shared_folder_uid} | |
| node_created | policy | User ${username} created node ${node} | |
| node_deleted | policy | User ${username} deleted node ${node} | |
| role_created | policy | User ${username} created role ${role_id} | |
| role_deleted | policy | User ${username} deleted role ${role_id} | |
| team_created | policy | User ${username} created team ${team_uid} | |
| team_deleted | policy | User ${username} deleted team ${team_uid} | |
| login_console | login | User ${username} logged into Admin Console | |
| expire_password | security | User ${to_username} master password was reset by admin ${username} | |
| send_invitation | security | User ${username} invited ${to_username} to join | |
| vault_transferred | security | User ${from_username} vault was transferred to user ${to_username} by admin ${username} | |
| added_admin_key | security | User ${to_username} was provided admin permissions by admin ${username} | |
| added_to_role | security | User ${to_username} was added to Role ${role_id} by admin ${username} | |
| added_to_team | share | User ${to_username} was added to Team ${team_uid} by admin ${username} | |
| accept_transfer | security | User ${username} accepted account transfer consent | |
| accept_invitation | security | User ${username} accepted invitation | |
| lock_user | security | User ${to_username} was locked by admin ${username} | |
| enable_user | security | User ${to_username} was enabled by admin ${username} | |
| set_custom_header_logo | policy | User ${username} set custom header logo | |
| set_custom_email_logo | policy | User ${username} set custom email logo | |
| set_custom_email_content | policy | User ${username} set custom email content | |
| bridge_activated | policy | User ${username} activated Keeper Bridge on node ${node} | |
| sso_activated | policy | User ${username} activated Keeper SSO Connect on node ${node} | |
| email_provisioning_activated | policy | User ${username} activated Email auto-provisioning for domain ${email_domain} on node ${node} | |
| scim_activated | policy | User ${username} activated SCIM provisioning on node ${node} | |
| role_enforcement_changed | policy | User ${username} changed enforcement ${enforcement} to ${value} for role ${role_id} | |
| login_failed_console | security | User ${username} failed login to Admin Console | Optional: "channel" |
| audit_sync_failed | usage | Audit log sync to ${channel} failed with error ${result_code} | |
| audit_sync_restored | usage | Audit log sync to ${channel} restored | |
| audit_sync_resumed | usage | Admin ${username} resumed audit log sync to ${channel} | |
| audit_sync_paused | usage | Audit log sync to ${channel} paused | |
| audit_sync_setup | policy | Admin ${username} set up audit log sync to "${name}" | |
| audit_sync_removed | policy | Admin ${username} removed audit log sync to "${name}" | |
| audit_alert_sent | usage | Audit alert "${channel}" was sent to ${recipient} | Optional: "parent_id" |
| login_failed_ip_whitelist | security | User ${username} has been blocked from IP ${ip_address} | |
| decline_invitation | security | User ${username} declined invitation | |
| set_2fa_configuration | policy | Set global 2FA configuration ${value} for node ${node} | |
| report_created | policy | Admin ${username} created report ${report_name} | |
| report_modified | policy | Admin ${username} modified report ${report_name} | |
| report_deleted | policy | Admin ${username} deleted report ${report_name} | |
| record_password_change | usage | User ${username} changed password on record UID ${record_uid} | |
| added_identity | usage | User ${username} added an identity | |
| added_payment_card | usage | User ${username} added a payment card | |
| changed_identity | usage | User ${username} changed an identity | |
| changed_payment_card | usage | User ${username} changed a payment card | |
| copy_password | usage | User ${username} copied password to clipboard on record UID ${record_uid} | |
| imported_records | usage | User ${username} imported records from ${file_format} file | N/A for iOS |
| exported_records | usage | User ${username} exported records to ${file_format} file | N/A for iOS |
| weak_password | password | User ${username} created a password that is weak | N/A |
| reused_password | password | User ${username} reused a password | |
| revision_restored | usage | User ${username} restored previous revision of record UID ${record_uid} | |
| record_restored | usage | User ${username} restored deleted record UID ${record_uid} | |
| high_risk_password_detected | breachwatch | BreachWatch detected a high-risk password for user ${username} record UID ${record_uid} | N/A |
| high_risk_password_resolved | breachwatch | User ${username} resolved a high-risk password detected by BreachWatch for record UID ${record_uid} | N/A |
| high_risk_password_ignored | breachwatch | User ${username} ignored a high-risk password detected by BreachWatch for record UID ${record_uid} | N/A |
| chat_message_sent | chat | User ${username} sent a secure message | |
| chat_message_received | chat | User ${username} received a secure message | |
| chat_message_destruct | chat | User ${username} set a message to self destruct | |
| chat_file_attached | chat | User ${username} sent a file | |
| chat_contact_added | chat | User ${username} invited ${to_username} as contact | |
| chat_login | chat | User ${username} logged in to KeeperChat | |
| chat_login_failed | chat | User ${username} login failed to KeeperChat with code ${result_code} | |
| file_attachment_uploaded | usage | User ${username} uploaded file attachment UID ${attachment_id} on record UID ${record_uid} | |
| file_attachment_downloaded | usage | User ${username} downloaded file attachment UID ${attachment_id} on record UID ${record_uid} | |
| file_attachment_deleted | usage | User ${username} deleted file attachment UID ${attachment_id} on record UID ${record_uid} | |
| audit_alert_created | policy | Admin ${username} created audit alert "${name}" | |
| audit_alert_deleted | policy | Admin ${username} deleted audit alert "${name}" | |
| audit_alert_paused | policy | Admin ${username} paused audit alert "${name}" for user ${recipient} | |
| audit_alert_resumed | policy | Admin ${username} resumed audit alert "${name}" for user ${recipient} | |
| bw_record_high_risk | breachwatch | User ${username} was notified of a high risk password | |
| bw_record_ignored | breachwatch | User ${username} ignored high risk password | |
| bw_record_resolved | breachwatch | User ${username} resolved a high risk password | |
| msp_attaches_mc | msp | User ${username} attached enterprise ${enterprise} to node ${node} | |
| msp_increases_mc_seats | msp | User ${username} increased number of seats for enterprise ${enterprise} by ${seats_added} | |
| msp_decreases_mc_seats | msp | User ${username} decreased number of seats for enterprise ${enterprise} by ${seats_removed} | |
| msp_changes_mc_plan | msp | User ${username} changed plan for enterprise ${enterprise} to ${plan} | |
| msp_renames_mc | msp | User ${username} renamed enterprise ${enterprise} to ${enterprise_new} | |
| msp_pauses_mc | msp | User ${username} paused enterprise ${enterprise}, ${plan}, ${seats} seats | |
| msp_resumes_mc | msp | User ${username} resumed enterprise ${enterprise}, ${plan}, ${seats} seats | |
| msp_removes_mc | msp | User ${username} removed enterprise ${enterprise}, ${plan}, ${seats} seats | |
| msp_deletes_mc | msp | User ${username} deleted enterprise ${enterprise}, ${plan}, ${seats} seats | |
| msp_creates_mc | msp | User ${username} registered enterprise ${enterprise}, ${plan}, ${seats} seats | |
| enterprise_2fa_disabled_by_admin | security | Admin ${username} disabled 2FA for user ${to_username} | |
| reauthentication_reprompt_success | security | User ${username} re-authentication succeeded | |
| reauthentication_reprompt_throttle | security | User ${username} re-authentication throttled | |
| scim_access_failure | security | SCIM provisioning on node ${node} failed to authenticate ${failure_count} times. Token ${token_id}... | |
| device_approved | security | Device ${deviceName} is approved for user ${username} | |
| device_admin_approval_requested | security | User ${username} requested admin approval for device ${deviceName} | |
| device_approved_by_admin | security | Admin ${username} approved device ${deviceName} for user ${to_username} | |
| device_user_approval_requested | security | User ${username} requested self approval for device ${device_name} | |
| out_of_seats | policy | License has reached the maximum allowed users for ${enterprise} | |
| scim_access_failure | security | SCIM provisioning on node ${node} failed to authenticate ${failure_count} times. Token ${token_id} | |
| record_type_created | policy | Admin ${username} created record type "${name}" | |
| record_type_updated | policy | Admin ${username} updated record type "${name}" | |
| record_type_deleted | policy | Admin ${username} deleted record type "${name}" | |
| compliance_report_saved | compliance | Compliance report UID ${app_uid} saved by ${username} | |
| compliance_report_downloaded | compliance | Compliance report UID ${app_uid} downloaded by ${username} | |
| compliance_report_exported | compliance | Compliance report UID ${app_uid} exported by ${username} | |
| compliance_report_deleted | compliance | Compliance report UID ${app_uid} deleted by ${username} | |
| saved_criteria_saved | compliance | Compliance report criteria UID ${app_uid} saved by ${username} | |
| saved_criteria_edited | compliance | Compliance report criteria UID ${app_uid} edited by ${username} | |
| saved_criteria_deleted | compliance | Compliance report criteria UID ${app_uid} deleted by ${username} | |

Raw Event Data Examples

Below are examples of two events in JSON format as they are sent. Note that the Record UID is included with the "record_update" event, since it relates to a specific record.

    {
      "record_uid" : "Uk6qLnfWVxWL9OQlsGdOUw",
      "audit_event" : "record_update",
      "remote_address" : "155.65.556.130",
      "client_version" : "Browser Extensions.12.3.0",
      "timestamp" : "2019-02-14T22:41:12.027Z",
      "username" : "[email protected]",
      "enterprise_id" : 12345
    }

    {
      "audit_event" : "login",
      "remote_address" : "168.123.45.130",
      "client_version" : "Web App.14.2.4",
      "timestamp" : "2019-02-14T22:40:08.655Z",
      "username" : "[email protected]",
      "client_version_new" : true,
      "enterprise_id" : 12345
    }

Below is an example of a Syslog-format event that can be exported via Keeper Commander or into the 3rd party SIEM solution:

    <110>1 2019-02-14T21:34:47Z 46.45.253.15 Keeper - 1132431639 [[email protected] geo_location="Chicago, IL, US" keeper_version_category="MOBILE" audit_event_type="login_failure" keeper_version="iPhone 14.2.0" result_code="auth_failed" username="[email protected]" node_id="47377784242178"] User [email protected] login failed with code auth_failed

Note that "enterprise_id" is useful for distinguishing different Keeper Enterprise tenants within the same SIEM collector.
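To show how the two feed formats above and the message templates from the event list fit together on the collector side, here is an added example (written for this page, not Keeper's or Commander's code) that parses the JSON and the RFC 5424 syslog shapes into one schema, renders the ${placeholder} message template for the event code, and counts repeated login failures per enterprise_id and username. All sample events are constructed; the "keeper@12345" structured-data ID is a placeholder for whatever SD-ID a real feed carries, and reading the tenant from the part after "@" is an assumption of this example.

```python
"""Added example (not Keeper's or Commander's code): normalise ARAM events
delivered as JSON and as RFC 5424 syslog into one schema, render the event
list's message template, and count repeated login failures per tenant and
user. All sample events are constructed; "keeper@12345" is a placeholder SD-ID."""
import json
import re
from collections import Counter
from string import Template

# Message templates copied from the event list above (a subset).
TEMPLATES = {
    "login": "User ${username} logged in to vault",
    "login_failure": "User ${username} login failed with code ${result_code}",
    "record_update": "User ${username} updated record UID ${record_uid}",
}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params] MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"\[(?P<sdid>\S+?)(?: (?P<params>.*?))?\] ?(?P<msg>.*)$"
)
# SD-PARAM: name="value", with \" escaping allowed inside the value
SD_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def render_message(code, attrs):
    """Fill the event list's ${placeholder} template for an event code."""
    tpl = TEMPLATES.get(code)
    if tpl is None:
        return f"{code} (no template in this example)"
    return Template(tpl).safe_substitute(attrs)


def parse_syslog(line):
    """One RFC 5424 line -> common schema dict."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 line")
    params = {k: v.replace('\\"', '"') for k, v in SD_PARAM_RE.findall(m.group("params") or "")}
    pri = int(m.group("pri"))
    sdid = m.group("sdid")
    # Assumption of this example: the part after '@' in the SD-ID identifies the tenant.
    tenant = sdid.split("@", 1)[1] if "@" in sdid else None
    return {
        "enterprise_id": int(tenant) if tenant and tenant.isdigit() else tenant,
        "audit_event": params.get("audit_event_type"),
        "username": params.get("username"),
        "remote_address": m.group("host"),
        "timestamp": m.group("timestamp"),
        "facility": pri // 8,   # 110 -> 13, the RFC 5424 "log audit" facility
        "severity": pri % 8,    # 110 -> 6, informational
        "attributes": params,
        "message": m.group("msg"),
    }


def parse_json(text):
    """One JSON event (as in the examples above) -> common schema dict."""
    ev = json.loads(text)
    return {
        "enterprise_id": ev.get("enterprise_id"),
        "audit_event": ev.get("audit_event"),
        "username": ev.get("username"),
        "remote_address": ev.get("remote_address"),
        "timestamp": ev.get("timestamp"),
        "facility": None,
        "severity": None,
        "attributes": ev,
        "message": render_message(ev.get("audit_event"), ev),
    }


def repeated_login_failures(events, threshold=3):
    """Count login_failure per (enterprise_id, username); return those at or above threshold."""
    counts = Counter(
        (e["enterprise_id"], e["username"]) for e in events if e["audit_event"] == "login_failure"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed samples in the two shapes shown above (addresses from the documentation range).
SAMPLE_JSON = [
    '{"record_uid": "Uk6qLnfWVxWL9OQlsGdOUw", "audit_event": "record_update", '
    '"remote_address": "203.0.113.130", "client_version": "Browser Extensions.12.3.0", '
    '"timestamp": "2019-02-14T22:41:12.027Z", "username": "alice@example.com", "enterprise_id": 12345}',
    '{"audit_event": "login", "remote_address": "203.0.113.45", "client_version": "Web App.14.2.4", '
    '"timestamp": "2019-02-14T22:40:08.655Z", "username": "bob@example.com", "client_version_new": true, '
    '"enterprise_id": 67890}',
]
SYSLOG_FAIL = (
    '<110>1 {ts} 203.0.113.15 Keeper - 1132431639 [keeper@{tenant} geo_location="Chicago, IL, US" '
    'keeper_version_category="MOBILE" audit_event_type="login_failure" keeper_version="iPhone 14.2.0" '
    'result_code="auth_failed" username="{user}" node_id="47377784242178"] '
    'User {user} login failed with code auth_failed'
)
SAMPLE_SYSLOG = [
    SYSLOG_FAIL.format(ts=f"2019-02-14T21:34:{s:02d}Z", tenant=12345, user="alice@example.com")
    for s in (47, 52, 58)
] + [SYSLOG_FAIL.format(ts="2019-02-14T21:35:03Z", tenant=67890, user="bob@example.com")]


def load_samples():
    """Parse every constructed sample into the common schema."""
    return [parse_json(t) for t in SAMPLE_JSON] + [parse_syslog(ln) for ln in SAMPLE_SYSLOG]


if __name__ == "__main__":
    for e in load_samples():
        print(e["enterprise_id"], e["audit_event"], e["message"])
    print(repeated_login_failures(load_samples()))
```

Keying the counter on (enterprise_id, username) rather than username alone is the point made in the note above: the same address can appear in several tenants feeding one collector, and mixing them produces false positives. The syslog PRI of 110 decodes to facility 13 ("log audit") and severity 6 (informational), which is useful when routing rules in the collector filter on facility.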

Locating the Record UID and Other Identifiers

The event data references several types of UID values such as Record UID, Shared Folder UID and Team UID. The Record UID and Shared Folder UID can be found either through the Keeper Commander CLI or through the Web Vault user interface.