Legacy Azure Sentinel

Integrating Keeper SIEM event pushes to Azure Sentinel and Log Analytics

Microsoft has deprecated this logging API. Please see the Microsoft Sentinel integration page.

Overview

Keeper supports event streaming into Azure Sentinel / Log Analytics environments. This document describes the legacy method of streaming logs, which is being deprecated in 2025. Use the Azure Monitor or Microsoft Sentinel with Azure Marketplace method instead.

To proceed with this method... in Azure, go to Log Analytics workspaces > Select Workspace > Classic "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.

Keeper will immediately start sending event data to the designated Azure Log Analytics workspace, under a custom table named Keeper_CL.

To view the logs, open the Log Analytics Workspace > Logs > select the Keeper_CL table.

Troubleshooting

If you need to troubleshoot the event log APIs, the below Python script will simulate the Keeper backend system sending event logs to your Azure environment. Replace the Workspace ID and Workspace Key before testing it.

import base64
import datetime
import hmac
import hashlib
import requests
import json

# Configuration
workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
workspace_key = 'xxxxxx'
log_type = 'Keeper'

# Sample body
body = [
{
  "audit_event": "role_created",
  "remote_address": "11.22.33.44",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "timestamp": "2025-01-12T00:03:44.743Z",
  "role_id": "28162100560074"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.55",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-13T00:03:44.743Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
  "value": "7"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.66",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-14T00:03:44.776Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "SEND_BREACH_WATCH_EVENTS",
  "value": "ON"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.77",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-15T00:03:44.835Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "GENERATED_PASSWORD_COMPLEXITY",
  "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
},
{
  "audit_event": "audit_alert_sent",
  "category": "usage",
  "client_version": "Keeper Service.1.2.0",
  "username": "ALERT",
  "enterprise_id": 6557,
  "timestamp": "2025-01-16T01:31:11.123Z",
  "origin": "admin_permission_added",
  "name": "XXX123",
  "recipient": "[email protected],+19165551212",
  "username_new": true,
  "client_version_new": true
}]

body_json = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body_json)

signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
decoded_key = base64.b64decode(workspace_key)
signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')

headers = {
    'Content-Type': content_type,
    'Authorization': f'SharedKey {workspace_id}:{signature}',
    'Log-Type': log_type,
    'x-ms-date': rfc1123date
}

uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'

response = requests.post(uri, data=body_json, headers=headers)
print(f"Response code: {response.status_code}")
print(f"Response message: {response.text}")

PreviousAzure Monitor for Microsoft Sentinel (for GovCloud)NextCrowdStrike Falcon Next-Gen SIEM

Last updated 1 month ago

Was this helpful?

import base64 import datetime import hmac import hashlib import requests import json # Configuration workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' workspace_key = 'xxxxxx' log_type = 'Keeper' # Sample body body = [ { "audit_event": "role_created", "remote_address": "11.22.33.44", "category": "policy", "client_version": "EMConsole.17.0.0", "username": "[email protected]", "enterprise_id": 6557, "timestamp": "2025-01-12T00:03:44.743Z", "role_id": "28162100560074" }, { "audit_event": "role_enforcement_changed", "remote_address": "11.22.33.55", "category": "policy", "client_version": "EMConsole.17.0.0", "timestamp": "2025-01-13T00:03:44.743Z", "username": "[email protected]", "enterprise_id": 6557, "role_id": "28162100560074", "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS", "value": "7" }, { "audit_event": "role_enforcement_changed", "remote_address": "11.22.33.66", "category": "policy", "client_version": "EMConsole.17.0.0", "timestamp": "2025-01-14T00:03:44.776Z", "username": "[email protected]", "enterprise_id": 6557, "role_id": "28162100560074", "enforcement": "SEND_BREACH_WATCH_EVENTS", "value": "ON" }, { "audit_event": "role_enforcement_changed", "remote_address": "11.22.33.77", "category": "policy", "client_version": "EMConsole.17.0.0", "timestamp": "2025-01-15T00:03:44.835Z", "username": "[email protected]", "enterprise_id": 6557, "role_id": "28162100560074", "enforcement": "GENERATED_PASSWORD_COMPLEXITY", "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]" }, { "audit_event": "audit_alert_sent", "category": "usage", "client_version": "Keeper Service.1.2.0", "username": "ALERT", "enterprise_id": 6557, "timestamp": "2025-01-16T01:31:11.123Z", "origin": "admin_permission_added", "name": "XXX123", "recipient": "[email protected],+19165551212", "username_new": true, "client_version_new": true }] body_json = json.dumps(body) method = 'POST' content_type = 'application/json' resource = '/api/logs' rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') content_length = len(body_json) signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}" decoded_key = base64.b64decode(workspace_key) signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8') headers = { 'Content-Type': content_type, 'Authorization': f'SharedKey {workspace_id}:{signature}', 'Log-Type': log_type, 'x-ms-date': rfc1123date } uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01' response = requests.post(uri, data=body_json, headers=headers) print(f"Response code: {response.status_code}") print(f"Response message: {response.text}")

hashtagOverview

hashtagTroubleshooting

Overview

Troubleshooting