Event Descriptions

Detailed ARAM Event Logs with Example data

A list of all available events captured by the Keeper Advanced Reporting and Alert Module are provided in the chart below. The Event Code is utilized in the user interface and within the Keeper Commander CLI command parameters. The "Message" field is utilized for the Alerting module.

Within each event, there may be additional attributes such as Record UID, Shared Folder UID, Team UID, Username, etc. These attributes will appear within the event description and they are also provided to the 3rd party SIEM provider in the format as specified by the destination. Below this chart are example JSON samples that are transmitted to the target SIEM.

Keeper ARAM Event JSON Samples

This document contains an example JSON payload for every audit event Keeper writes to the ARAM (Advanced Reporting & Alerts Module) stream. These are the events you can consume via the public Audit Events API or via SIEM/audit-log sync integrations (Splunk, Sumo Logic, DataDog, Azure Sentinel, Chronicle, etc.).

Base envelope

Every event includes these top-level fields, then adds event-specific fields below.

{
  "audit_event":   "<event name, e.g. record_update>",
  "category":      "<category, e.g. usage, share, ksm>",
  "remote_address":"<client IP>",
  "client_version":"<product + version, e.g. Web Vault 16.10.5>",
  "username":      "<acting user email>",
  "timestamp":     "<ISO-8601 UTC>",
  "enterprise_id": <int>
}

Field reference (event-specific)

Field

Meaning

record_uid

UID of a vault record

shared_folder_uid

UID of a shared folder

folder_uid

UID of a folder (user or shared)

folder_type

user or shared

team_uid

UID of a team

app_uid

UID of a KSM application / PAM resource

secret_uid

UID of a secret in a KSM app

gateway_uid

UID of a PAM/KSM gateway

agent_uid

UID of an EPM agent

deployment_uid,policy_uid,collection_uid,request_uid,link_uid

EPM entity UIDs

attachment_id

UID of a file attachment on a record

to_username / from_username

Other-party user emails

role_id / team_uid

Role / team identifiers

node_id / node

Enterprise node identifier / display name

channel

result_code

Failure code on login_failure-style events

device_name

Friendly device label

protocol

PAM session protocol (ssh, rdp, vnc...)

plan,seats,enterprise,enterprise_new

Managed Company / MSP context

value

Enforcement value, benchmark setting, etc.

status

Generic state field (depends on event)

auth_fail_reason

EPM auth failure reason

token_id

Public-API or SCIM token id

Events by category

Category: `account`

`account_recovery`

Description: Account Recovery Requested

Alert template: User ${username} requested account recovery

{
  "audit_event": "account_recovery",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`alias_added`

Description: Added alternative email

Alert template: User ${username} added alternative email ${email}

{
  "audit_event": "alias_added",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`change_email`

Description: Changed Email

Alert template: User ${username} changed email. Previous email ${email}

{
  "audit_event": "change_email",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`change_master_password`

Description: Changed Master Password

Alert template: User ${username} changed master password

{
  "audit_event": "change_master_password",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`change_security_question`

Description: Changed Security Question

Alert template: User ${username} changed security question

{
  "audit_event": "change_security_question",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_passkey_add`

Description: Biometric passkey add

Alert template: User ${username} added a passkey for biometric login on a device '${device_name}'.

{
  "audit_event": "device_user_passkey_add",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`device_user_passkey_remove`

Description: Biometric passkey removal

Alert template: User ${username} removed a passkey for biometric login on a device '${device_name}'.

{
  "audit_event": "device_user_passkey_remove",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`set_alternate_master_password`

Description: Alternate Master Password Set

Alert template: User ${username} set alternate Master Password

{
  "audit_event": "set_alternate_master_password",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`set_biometric_access`

Description: Biometric Access Set

Alert template: User ${username} set biometric access

{
  "audit_event": "set_biometric_access",
  "category": "account",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

Category: `admin_permission`

`admin_permission_added`

Description: Add Administrative Permission

Alert template: User ${username} added an administrative permission '${value}' for role ${role_id} on node ${node_id}

{
  "audit_event": "admin_permission_added",
  "category": "admin_permission",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true",
  "role_id": 9876543210,
  "node_id": 1234567890
}

`admin_permission_removed`

Description: Remove Administrative Permission

Alert template: User ${username} removed an administrative permission '${value}' for role ${role_id} on node ${node_id}

{
  "audit_event": "admin_permission_removed",
  "category": "admin_permission",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true",
  "role_id": 9876543210,
  "node_id": 1234567890
}

Category: `breachwatch`

`bw_record_high_risk`

Description: BreachWatch detected high-risk record password

Alert template: User ${username} was notified of a high risk password for record UID ${record_uid}

{
  "audit_event": "bw_record_high_risk",
  "category": "breachwatch",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`bw_record_ignored`

Description: User ignored detected high-risk record password

Alert template: User ${username} ignored high risk password for record UID ${record_uid}

{
  "audit_event": "bw_record_ignored",
  "category": "breachwatch",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`bw_record_resolved`

Description: User resolved detected high-risk record password

Alert template: User ${username} resolved a high risk password for record UID ${record_uid}

{
  "audit_event": "bw_record_resolved",
  "category": "breachwatch",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

Category: `chat`

`chat_contact_added`

Description: Added Contact on Chat

Alert template: User ${username} invited ${to_username} as contact

{
  "audit_event": "chat_contact_added",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`chat_file_attached`

Description: Sent File on Chat

Alert template: User ${username} sent a file

{
  "audit_event": "chat_file_attached",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`chat_login`

Description: Chat Login

Alert template: User ${username} logged in to KeeperChat (${channel})

{
  "audit_event": "chat_login",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "channel": "Web Vault"
}

`chat_login_failed`

Description: Chat Login Failure

Alert template: User ${username} login failed to KeeperChat with code ${result_code}

{
  "audit_event": "chat_login_failed",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "result_code": "auth_failed",
  "channel": "Web Vault"
}

`chat_message_destruct`

Description: Self-Destructed Chat Message

Alert template: User ${username} set a message to self destruct

{
  "audit_event": "chat_message_destruct",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`chat_message_received`

Description: Received Chat Message

Alert template: User ${username} received a secure message

{
  "audit_event": "chat_message_received",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`chat_message_sent`

Description: Sent Chat Message

Alert template: User ${username} sent a secure message

{
  "audit_event": "chat_message_sent",
  "category": "chat",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

Category: `compliance_report`

`compliance_report_deleted`

Description: Deleted Compliance Report

Alert template: Compliance report UID ${app_uid} deleted by ${username}

{
  "audit_event": "compliance_report_deleted",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`compliance_report_downloaded`

Description: Downloaded Compliance Report

Alert template: Compliance report UID ${app_uid} downloaded by ${username}

{
  "audit_event": "compliance_report_downloaded",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`compliance_report_exported`

Description: Exported Compliance Report

Alert template: Compliance report UID ${app_uid} exported by ${username}

{
  "audit_event": "compliance_report_exported",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`compliance_report_run`

Description: Generated Compliance Report

Alert template: Compliance report run by ${username}

{
  "audit_event": "compliance_report_run",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`compliance_report_saved`

Description: Saved Compliance Report

Alert template: Compliance report UID ${app_uid} saved by ${username}

{
  "audit_event": "compliance_report_saved",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`saved_criteria_deleted`

Description: Deleted Compliance Report Criteria

Alert template: Compliance report criteria UID ${app_uid} deleted by ${username}

{
  "audit_event": "saved_criteria_deleted",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`saved_criteria_edited`

Description: Edited Compliance Report Criteria

Alert template: Compliance report criteria UID ${app_uid} edited by ${username}

{
  "audit_event": "saved_criteria_edited",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`saved_criteria_saved`

Description: Saved Compliance Report Criteria

Alert template: Compliance report criteria UID ${app_uid} saved by ${username}

{
  "audit_event": "saved_criteria_saved",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`unsaved_compliance_report_exported`

Description: Unsaved Compliance Report Exported

Alert template: Unsaved compliance report exported by ${username}

{
  "audit_event": "unsaved_compliance_report_exported",
  "category": "compliance_report",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

Category: `endpoint_privilege_manager`

`agent_added_collection_link`

Description: Agent added collection link

Alert template: Agent added resource ${link_uid} to collection ${collection_uid}

{
  "audit_event": "agent_added_collection_link",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "link_uid": "Lnk9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`agent_added_to_collection`

Description: Agent added to collection

Alert template: Agent ${agent_uid} added itself to collection ${collection_uid}

{
  "audit_event": "agent_added_to_collection",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`agent_authentication_failed`

Description: Agent Auth Failed

Alert template: Agent ${agent_uid} auth failed. Reason: ${auth_fail_reason}

{
  "audit_event": "agent_authentication_failed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "auth_fail_reason": "invalid_token"
}

`agent_created_collection`

Description: Agent created collection

Alert template: Agent ${agent_uid} created collection ${collection_uid}

{
  "audit_event": "agent_created_collection",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`agent_removed`

Description: Removed agent

Alert template: ${username} deleted agent ${agent_uid}

{
  "audit_event": "agent_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw"
}

`agent_removed_from_collection`

Description: Agent removed from collection

Alert template: Agent ${agent_uid} removed itself from collection ${collection_uid}

{
  "audit_event": "agent_removed_from_collection",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`agent_unregistered`

Description: Agent Unregistered

Alert template: Agent ${agent_uid} unregistered

{
  "audit_event": "agent_unregistered",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw"
}

`agent_updated`

Description: Updated agent

Alert template: ${username} updated agent ${agent_uid}

{
  "audit_event": "agent_updated",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw"
}

`approval_request_created`

Description: Agent created approval request

Alert template: Agent ${agent_uid} created approval request ${request_uid}

{
  "audit_event": "approval_request_created",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "request_uid": "Req9qLnfWVxWL9OQlsGdOUw"
}

`approval_request_removed`

Description: Removed approval request

Alert template: ${username} deleted approval request ${request_uid}

{
  "audit_event": "approval_request_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "request_uid": "Req9qLnfWVxWL9OQlsGdOUw"
}

`approval_request_status_changed`

Description: Changed approval request status

Alert template: ${username} changed status of approval request ${request_uid} to ${request_status}

{
  "audit_event": "approval_request_status_changed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "request_uid": "Req9qLnfWVxWL9OQlsGdOUw",
  "request_status": "approved"
}

`collection_created`

Description: Created collection

Alert template: ${username} created collection ${collection_uid}

{
  "audit_event": "collection_created",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`collection_link_added`

Description: Added collection link

Alert template: ${username} added link ${link_uid} to collection ${collection_uid}

{
  "audit_event": "collection_link_added",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "link_uid": "Lnk9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`collection_link_removed`

Description: Removed collection link

Alert template: ${username} removed link ${link_uid} from collection ${collection_uid}

{
  "audit_event": "collection_link_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "link_uid": "Lnk9qLnfWVxWL9OQlsGdOUw",
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`collection_removed`

Description: Removed collection

Alert template: ${username} deleted collection ${collection_uid}

{
  "audit_event": "collection_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`collection_updated`

Description: Updated collection

Alert template: ${username} updated collection ${collection_uid}

{
  "audit_event": "collection_updated",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "collection_uid": "Col9qLnfWVxWL9OQlsGdOUw"
}

`deployment_authentication_failed`

Description: Deployment Auth Failed

Alert template: Deployment ${deployment_uid} auth failed. Reason: ${auth_fail_reason}

{
  "audit_event": "deployment_authentication_failed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "deployment_uid": "Dep9qLnfWVxWL9OQlsGdOUw",
  "auth_fail_reason": "invalid_token"
}

`deployment_created`

Description: Created deployment

Alert template: ${username} created deployment ${deployment_uid}

{
  "audit_event": "deployment_created",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "deployment_uid": "Dep9qLnfWVxWL9OQlsGdOUw"
}

`deployment_removed`

Description: Removed deployment

Alert template: ${username} deleted deployment ${deployment_uid}

{
  "audit_event": "deployment_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "deployment_uid": "Dep9qLnfWVxWL9OQlsGdOUw"
}

`deployment_updated`

Description: Updated deployment

Alert template: ${username} updated deployment ${deployment_uid}

{
  "audit_event": "deployment_updated",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "deployment_uid": "Dep9qLnfWVxWL9OQlsGdOUw"
}

`policy_created`

Description: Created policy

Alert template: ${username} created policy ${policy_uid}

{
  "audit_event": "policy_created",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "policy_uid": "Pol9qLnfWVxWL9OQlsGdOUw"
}

`policy_removed`

Description: Removed policy

Alert template: ${username} removed policy ${policy_uid}

{
  "audit_event": "policy_removed",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "policy_uid": "Pol9qLnfWVxWL9OQlsGdOUw"
}

`policy_updated`

Description: Updated policy

Alert template: ${username} updated policy ${policy_uid}

{
  "audit_event": "policy_updated",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "policy_uid": "Pol9qLnfWVxWL9OQlsGdOUw"
}

`register_agent`

Description: Registered agent

Alert template: Agent ${agent_uid} is registered using ${deployment_uid}

{
  "audit_event": "register_agent",
  "category": "endpoint_privilege_manager",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "deployment_uid": "Dep9qLnfWVxWL9OQlsGdOUw"
}

Category: `keeper_ai`

`keeper_ai_critical_risk_level_detected`

Description: KeeperAI Detected Critical Risk

Alert template: KeeperAI analyzed the session and assigned an overall risk level of Critical for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_critical_risk_level_detected",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_high_risk_level_detected`

Description: KeeperAI Detected High Risk

Alert template: KeeperAI analyzed the session and assigned an overall risk level of High for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_high_risk_level_detected",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_medium_risk_level_detected`

Description: KeeperAI Detected Medium Risk

Alert template: KeeperAI analyzed the session and assigned an overall risk level of Medium for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_medium_risk_level_detected",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_pam_configuration_feature_disabled`

Description: Disabled KeeperAI in the PAM Config

Alert template: User ${username} disabled KeeperAI options in PAM Configuration ${record_uid}

{
  "audit_event": "keeper_ai_pam_configuration_feature_disabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_pam_configuration_feature_enabled`

Description: event_keeper_ai_pam_configuration_feature_enabled

Alert template: User ${username} enabled KeeperAI options in PAM Configuration ${record_uid}

{
  "audit_event": "keeper_ai_pam_configuration_feature_enabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_recording_disabled`

Description: KeeperAI Recording Disabled

Alert template: KeeperAI recording was disabled by user ${username} on Record UID ${record_uid}

{
  "audit_event": "keeper_ai_recording_disabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_recording_enabled`

Description: KeeperAI Recording Enabled

Alert template: KeeperAI recording was enabled by user ${username} on Record UID ${record_uid}

{
  "audit_event": "keeper_ai_recording_enabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_locked_by_ai_critical`

Description: Session Locked by KeeperAI (Critical Threat)

Alert template: Session terminated and resource locked due to a critical threat detected for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_locked_by_ai_critical",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_locked_by_ai_high`

Description: Session Locked by KeeperAI (High Threat)

Alert template: Session terminated and resource locked due to a high threat detected for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_locked_by_ai_high",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_locked_by_ai_medium`

Description: Session Locked by KeeperAI (Medium Threat)

Alert template: Session terminated and resource locked due to a medium threat detected for Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_locked_by_ai_medium",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_terminate_disabled`

Description: KeeperAI Terminate Session Disabled

Alert template: User ${username} disabled KeeperAI session terminate on Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_terminate_disabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_terminate_enabled`

Description: KeeperAI Terminate Session Enabled

Alert template: User ${username} enabled KeeperAI session terminate on Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_terminate_enabled",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`keeper_ai_session_unlocked_by_user`

Description: Session Unlocked by User

Alert template: User ${username} unlocked Record UID ${record_uid}

{
  "audit_event": "keeper_ai_session_unlocked_by_user",
  "category": "keeper_ai",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

Category: `ksm`

`app_client_access`

Description: Accessed Secrets Manager from App

Alert template: ${app_client_type} ${device_name} has accessed secrets from application ${app_uid}

{
  "audit_event": "app_client_access",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_client_access_denied`

Description: Denied access to Secrets Manager from Client Device

Alert template: Access denied to application ${app_uid} from ${app_client_type} ${device_name} with IP address ${ip_address}

{
  "audit_event": "app_client_access_denied",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw",
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "ip_address": "203.0.113.45"
}

`app_client_added`

Description: Added Client Device to Secrets Manager App

Alert template: User ${username} added ${app_client_type} ${device_name} to application ${app_uid}

{
  "audit_event": "app_client_added",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_client_connected`

Description: Initialized Client Device on Secrets Manager App

Alert template: ${app_client_type} ${device_name} performed initial connect to application ${app_uid}

{
  "audit_event": "app_client_connected",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_client_expired`

Description: Secrets Manager Client Device Access Expired

Alert template: Access for ${app_client_type} ${device_name} to application ${app_uid} has expired

{
  "audit_event": "app_client_expired",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_client_folder_create`

Description: Created Folder from Secrets Manager device

Alert template: ${app_client_type} ${device_name} has created folder UID ${record_uid}

{
  "audit_event": "app_client_folder_create",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_folder_delete`

Description: Deleted Folder from Secrets Manager device

Alert template: ${app_client_type} ${device_name} has deleted folder UID ${record_uid}

{
  "audit_event": "app_client_folder_delete",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_folder_remove_record`

Description: Record removed from shared folder by Secrets Manager device

Alert template: ${app_client_type} ${device_name} removed record ${record_uid} from shared folder

{
  "audit_event": "app_client_folder_remove_record",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_folder_update`

Description: Updated Folder from Secrets Manager device

Alert template: ${app_client_type} ${device_name} has updated folder UID ${record_uid}

{
  "audit_event": "app_client_folder_update",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_record_create`

Description: Record created by Secrets Manager device

Alert template: ${app_client_type} ${device_name} has created record UID ${record_uid}

{
  "audit_event": "app_client_record_create",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_record_delete`

Description: Record deleted by Secrets Manager device

Alert template: ${app_client_type} ${device_name} has sent record UID ${record_uid} to trash

{
  "audit_event": "app_client_record_delete",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_record_update`

Description: Record updated by Secrets Manager device

Alert template: ${app_client_type} ${device_name} has updated record UID ${record_uid}

{
  "audit_event": "app_client_record_update",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`app_client_removed`

Description: Removed Client Device from Secrets Manager App

Alert template: User ${username} removed ${app_client_type} ${device_name} from application ${app_uid}

{
  "audit_event": "app_client_removed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_client_type": "general",
  "device_name": "MacBook Pro",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_folder_removed`

Description: Folder removed from Secrets Manager

Alert template: User ${username} removed folder UID ${secret_uid} from KSM application ${app_uid}

{
  "audit_event": "app_folder_removed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_folder_share_changed`

Description: Changed folder permission to Secrets Manager

Alert template: User ${username} changed share permissions for folder UID ${secret_uid} for KSM application ${app_uid}

{
  "audit_event": "app_folder_share_changed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_folder_shared`

Description: Folder shared with Secrets Manager

Alert template: User ${username} shared folder UID ${secret_uid} with KSM application ${app_uid}

{
  "audit_event": "app_folder_shared",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_record_removed`

Description: Record removed from Secrets Manager

Alert template: User ${username} removed record UID ${secret_uid} from KSM application ${app_uid}

{
  "audit_event": "app_record_removed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_record_share_changed`

Description: Changed record permission to Secrets Manager

Alert template: User ${username} changed share permissions for record UID ${secret_uid} for KSM application ${app_uid}

{
  "audit_event": "app_record_share_changed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`app_record_shared`

Description: Record Shared with Secrets Manager App

Alert template: User ${username} shared record UID ${secret_uid} with KSM application ${app_uid}

{
  "audit_event": "app_record_shared",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "secret_uid": "Sec9qLnfWVxWL9OQlsGdOUw",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`pam_configuration_created`

Description: PAM Configuration Created

Alert template: User ${username} created a PAM Configuration '${record_uid}'

{
  "audit_event": "pam_configuration_created",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`pam_configuration_deleted`

Description: PAM Configuration Deleted

Alert template: User ${username} deleted a PAM Configuration '${record_uid}'

{
  "audit_event": "pam_configuration_deleted",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`pam_configuration_updated`

Description: PAM Configuration Updated

Alert template: User ${username} updated a PAM Configuration '${record_uid}'

{
  "audit_event": "pam_configuration_updated",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`pam_gateway_created`

Description: Gateway Created

Alert template: User ${username} created gateway ${device_name} (UID: ${gateway_uid})

{
  "audit_event": "pam_gateway_created",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "gateway_uid": "Gw9qLnfWVxWL9OQlsGdOUw"
}

`pam_gateway_max_instance_count_updated`

Alert template: User ${username} updated gateway ${device_name} (UID: ${gateway_uid}) max instance count to ${max_instance_count}

{
  "audit_event": "pam_gateway_max_instance_count_updated",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "gateway_uid": "Gw9qLnfWVxWL9OQlsGdOUw",
  "max_instance_count": 10
}

`pam_gateway_offline`

Description: Gateway Offline

Alert template: Gateway ${device_name} (UID: ${gateway_uid}) is offline

{
  "audit_event": "pam_gateway_offline",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "gateway_uid": "Gw9qLnfWVxWL9OQlsGdOUw"
}

`pam_gateway_online`

Description: Gateway Online

Alert template: Gateway ${device_name} (UID: ${gateway_uid}) is online

{
  "audit_event": "pam_gateway_online",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "gateway_uid": "Gw9qLnfWVxWL9OQlsGdOUw"
}

`pam_gateway_removed`

Description: Gateway Removed

Alert template: User ${username} removed gateway ${device_name} (UID: ${gateway_uid})

{
  "audit_event": "pam_gateway_removed",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "gateway_uid": "Gw9qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_created`

Description: Rotation Settings added to Record

Alert template: User ${username} added rotation settings to record ${record_uid}

{
  "audit_event": "record_rotation_created",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_disabled`

Description: Rotation Disabled on Record

Alert template: User ${username} disabled rotation settings on record ${record_uid}

{
  "audit_event": "record_rotation_disabled",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_on_demand_fail`

Description: On Demand Rotation Failed

Alert template: On demand rotation by user ${username} failed for record ${record_uid}

{
  "audit_event": "record_rotation_on_demand_fail",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_on_demand_ok`

Description: On Demand Rotation Successful

Alert template: User ${username} successfully rotated record ${record_uid}

{
  "audit_event": "record_rotation_on_demand_ok",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_scheduled_fail`

Description: Scheduled Rotation Failed

Alert template: Scheduled rotation failed for record ${record_uid}

{
  "audit_event": "record_rotation_scheduled_fail",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_scheduled_ok`

Description: Scheduled Rotation Successful

Alert template: Record ${record_uid} was successfully rotated

{
  "audit_event": "record_rotation_scheduled_ok",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`record_rotation_updated`

Description: Rotation Settings Changed on Record

Alert template: User ${username} updated rotation settings on record ${record_uid}

{
  "audit_event": "record_rotation_updated",
  "category": "ksm",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

Description: Logged In

Alert template: User ${username} logged in to vault (${channel})

{
  "audit_event": "login",
  "category": "login",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "channel": "Web Vault"
}

`login_console`

Description: Console Login

Alert template: User ${username} logged into Admin Console (${channel})

{
  "audit_event": "login_console",
  "category": "login",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "channel": "Web Vault"
}

`login_failure`

Description: Failed Login

Alert template: User ${username} login failed with code ${result_code}

{
  "audit_event": "login_failure",
  "category": "login",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "result_code": "auth_failed",
  "channel": "Web Vault"
}

Category: `managed_company`

`enterprise_addon_added`

Description: Added add-on

Alert template: User ${username} added ${plan} add-on to enterprise ${enterprise}

{
  "audit_event": "enterprise_addon_added",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "plan": "business_monthly",
  "enterprise": "Acme Corp"
}

`enterprise_addon_removed`

Description: Removed add-on

Alert template: User ${username} removed ${plan} add-on from enterprise ${enterprise}

{
  "audit_event": "enterprise_addon_removed",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "plan": "business_monthly",
  "enterprise": "Acme Corp"
}

`enterprise_created`

Description: Created enterprise

Alert template: User ${username} created enterprise ${enterprise}

{
  "audit_event": "enterprise_created",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp"
}

`enterprise_deleted`

Description: Deleted enterprise

Alert template: User ${username} deleted enterprise ${enterprise}

{
  "audit_event": "enterprise_deleted",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp"
}

`enterprise_file_plan_changed`

Description: Changed File Plan

Alert template: User ${username} changed file plan for enterprise ${enterprise} to ${plan}

{
  "audit_event": "enterprise_file_plan_changed",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly"
}

`mc_pam_active_seat_count_changed`

Description: Active Seat Count Changed For Managed Company (Only for active users not invited users)

Alert template: PAM active seat count XXX by ${seats}

{
  "audit_event": "mc_pam_active_seat_count_changed",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "seats": 5
}

`msp_changes_mc_plan`

Description: Changed MC Plan

Alert template: User ${username} changed plan for MC ${enterprise} to ${plan}

{
  "audit_event": "msp_changes_mc_plan",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly",
  "mc_enterprise_id": 9876
}

`msp_changes_mc_seats`

Description: Changed MC Maximum license count

Alert template: User ${username} changed MC Maximum license count for enterprise ${enterprise} to ${seats}

{
  "audit_event": "msp_changes_mc_seats",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "seats": 5,
  "mc_enterprise_id": 9876
}

`msp_pam_active_seat_count_changed_within_mc`

Description: Active Seat Count Changed Within Managed Company, Visible to the MSP (Only for active users not invited users)

Alert template: PAM active seat count for managed company ${enterprise} XXX by ${seats}

{
  "audit_event": "msp_pam_active_seat_count_changed_within_mc",
  "category": "managed_company",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "seats": 5
}

Category: `msp`

`gradient_connection_remove`

Description: Gradient MSP remove

Alert template: User ${username} delete Gradient MSP integration succeeded

{
  "audit_event": "gradient_connection_remove",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`gradient_connection_setup`

Description: Gradient MSP setup

Alert template: User ${username} setup connection to Gradient MSP succeeded

{
  "audit_event": "gradient_connection_setup",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`gradient_mappings_setup`

Description: Gradient MSP mappings

Alert template: User ${username} sync mappings to Gradient MSP succeeded

{
  "audit_event": "gradient_mappings_setup",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`gradient_sync_fail`

Description: Gradient MSP sync fail

Alert template: Gradient MSP billing sync has failed

{
  "audit_event": "gradient_sync_fail",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`msp_activated`

Description: MSP Activated

Alert template: User ${username} activated MSP for enterprise ${enterprise}

{
  "audit_event": "msp_activated",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp"
}

`msp_attaches_mc`

Description: Attached to node

Alert template: User ${username} attached enterprise ${enterprise} to node ${node}

{
  "audit_event": "msp_attaches_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "node": "Engineering"
}

`msp_creates_mc`

Description: Registered Managed Company

Alert template: User ${username} registered enterprise ${enterprise}, ${plan}

{
  "audit_event": "msp_creates_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly",
  "mc_enterprise_id": 9876
}

`msp_deactivated`

Description: MSP Deactivated

Alert template: User ${username} deactivated MSP for enterprise ${enterprise}

{
  "audit_event": "msp_deactivated",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp"
}

`msp_pam_active_seat_count_changed`

Description: Active Seat Count Changed For Managed Service Provider (Only for active users not invited users)

Alert template: PAM active seat count XXX by ${seats}

{
  "audit_event": "msp_pam_active_seat_count_changed",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "seats": 5
}

`msp_pauses_mc`

Description: Paused Managed Company

Alert template: User ${username} paused enterprise ${enterprise}, ${plan}

{
  "audit_event": "msp_pauses_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly",
  "mc_enterprise_id": 9876
}

`msp_removes_mc`

Description: Removed Managed Company

Alert template: User ${username} removed enterprise ${enterprise}, ${plan}

{
  "audit_event": "msp_removes_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly",
  "mc_enterprise_id": 9876
}

`msp_renames_mc`

Description: Renamed Managed Company

Alert template: User ${username} renamed enterprise ${enterprise} to ${enterprise_new}

{
  "audit_event": "msp_renames_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "enterprise_new": "Acme Corporation",
  "mc_enterprise_id": 9876
}

`msp_resumes_mc`

Description: Resumed Managed Company

Alert template: User ${username} resumed enterprise ${enterprise}, ${plan}

{
  "audit_event": "msp_resumes_mc",
  "category": "msp",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly",
  "mc_enterprise_id": 9876
}

Category: `policy`

`agent_removed_approval_request`

Description: Agent Removed Approval Request

Alert template: Agent ${agent_uid} removed approval request ${request_uid}

{
  "audit_event": "agent_removed_approval_request",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "agent_uid": "Ag9qLnfWVxWL9OQlsGdOUw",
  "request_uid": "Req9qLnfWVxWL9OQlsGdOUw"
}

`audit_alert_created`

Description: Created Alert

Alert template: Admin ${username} created audit alert "${name}"

{
  "audit_event": "audit_alert_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`audit_alert_deleted`

Description: Deleted Alert

Alert template: Admin ${username} deleted audit alert "${name}"

{
  "audit_event": "audit_alert_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`audit_alert_paused`

Description: Paused Alert

Alert template: Admin ${username} paused audit alert "${name}" for user ${recipient}

{
  "audit_event": "audit_alert_paused",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert",
  "recipient": "soc-team@keepersecurity.com"
}

`audit_alert_resumed`

Description: Resumed Alert

Alert template: Admin ${username} resumed audit alert "${name}" for user ${recipient}

{
  "audit_event": "audit_alert_resumed",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert",
  "recipient": "soc-team@keepersecurity.com"
}

`audit_sync_removed`

Description: Removed Audit Log Sync

Alert template: Admin ${username} removed "${name}" audit log sync

{
  "audit_event": "audit_sync_removed",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`audit_sync_setup`

Description: Setup Audit Log Sync

Alert template: Admin ${username} set up "${name}" audit log sync

{
  "audit_event": "audit_sync_setup",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`bridge_activated`

Description: Activated AD Bridge

Alert template: User ${username} activated Keeper Bridge on node ${node}

{
  "audit_event": "bridge_activated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`bridge_deleted`

Description: Deleted AD Bridge

Alert template: User ${username} deleted Keeper Bridge from node ${node}

{
  "audit_event": "bridge_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`bridge_updated`

Description: Updated AD Bridge

Alert template: User ${username} updated Keeper Bridge on node ${node}

{
  "audit_event": "bridge_updated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`email_provisioning_activated`

Description: Activated Email Provisioning

Alert template: User ${username} activated Email auto-provisioning for domain ${email_domain} on node ${node}

{
  "audit_event": "email_provisioning_activated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email_domain": "keepersecurity.com",
  "node": "Engineering"
}

`email_provisioning_deleted`

Description: Deleted Email Provisioning

Alert template: User ${username} deleted Email auto-provisioning for domain ${email_domain} from node ${node}

{
  "audit_event": "email_provisioning_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email_domain": "keepersecurity.com",
  "node": "Engineering"
}

`node_created`

Description: Created Node

Alert template: User ${username} created node ${node}

{
  "audit_event": "node_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`node_deleted`

Description: Deleted Node

Alert template: User ${username} deleted node ${node}

{
  "audit_event": "node_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`out_of_seats`

Description: License reached maximum

Alert template: License has reached the maximum allowed users for ${enterprise}

{
  "audit_event": "out_of_seats",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp"
}

`record_type_created`

Description: Created Record Type

Alert template: Admin ${username} created record type ${name}

{
  "audit_event": "record_type_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`record_type_deleted`

Description: Deleted Record Type

Alert template: Admin ${username} deleted record type ${name}

{
  "audit_event": "record_type_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`record_type_updated`

Description: Updated Record Type

Alert template: Admin ${username} updated record type ${name}

{
  "audit_event": "record_type_updated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "name": "High-Risk Login Alert"
}

`report_created`

Description: Created Report

Alert template: Admin ${username} created report ${report_name}

{
  "audit_event": "report_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "report_name": "Quarterly Compliance Review"
}

`report_deleted`

Description: Deleted Report

Alert template: Admin ${username} deleted report ${report_name}

{
  "audit_event": "report_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "report_name": "Quarterly Compliance Review"
}

`report_modified`

Description: Modified Report

Alert template: Admin ${username} modified report ${report_name}

{
  "audit_event": "report_modified",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "report_name": "Quarterly Compliance Review"
}

`role_created`

Description: Created Role

Alert template: User ${username} created role ${role_id}

{
  "audit_event": "role_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id": 9876543210
}

`role_deleted`

Description: Deleted Role

Alert template: User ${username} deleted role ${role_id}

{
  "audit_event": "role_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id": 9876543210
}

`role_enforcement_changed`

Description: Changed Role Policy

Alert template: User ${username} changed enforcement ${enforcement} to ${value} for role ${role_id}

{
  "audit_event": "role_enforcement_changed",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enforcement": "require_two_factor",
  "value": "true",
  "role_id": 9876543210
}

`scim_activated`

Description: Activated SCIM

Alert template: User ${username} activated SCIM provisioning on node ${node}

{
  "audit_event": "scim_activated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`scim_deleted`

Description: Deleted SCIM

Alert template: User ${username} deleted SCIM provisioning from node ${node}

{
  "audit_event": "scim_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`scim_updated`

Description: Activated SCIM

Alert template: User ${username} updated SCIM provisioning on node ${node}

{
  "audit_event": "scim_updated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`set_2fa_configuration`

Description: Set 2FA Configuration

Alert template: Set global 2FA configuration ${value} for node ${node}

{
  "audit_event": "set_2fa_configuration",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true",
  "node": "Engineering"
}

`set_custom_email_content`

Description: Set Custom Email

Alert template: User ${username} set custom email content

{
  "audit_event": "set_custom_email_content",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`set_custom_email_logo`

Description: Set Email Logo

Alert template: User ${username} set custom email logo

{
  "audit_event": "set_custom_email_logo",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`set_custom_header_logo`

Description: Set Vault Logo

Alert template: User ${username} set custom header logo

{
  "audit_event": "set_custom_header_logo",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`ssh_agent_approved`

Description: Approved the SSH agent

Alert template: User ${username} used SSH Agent with record ${record_uid}

{
  "audit_event": "ssh_agent_approved",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw"
}

`ssh_agent_started`

Description: Started the SSH agent

Alert template: User ${username} started SSH Agent

{
  "audit_event": "ssh_agent_started",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`ssh_agent_stopped`

Description: Stopped the SSH agent

Alert template: User ${username} stopped SSH Agent

{
  "audit_event": "ssh_agent_stopped",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`sso_activated`

Description: Activated SSO Connect

Alert template: User ${username} activated Keeper SSO Connect on node ${node}

{
  "audit_event": "sso_activated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`sso_deleted`

Description: Deleted SSO Connect

Alert template: User ${username} deleted Keeper SSO Connect from node ${node}

{
  "audit_event": "sso_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`sso_updated`

Description: Updated SSO Connect

Alert template: User ${username} updated Keeper SSO Connect configuration on node ${node}

{
  "audit_event": "sso_updated",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering"
}

`team_created`

Description: Created Team

Alert template: User ${username} created team ${team_uid}

{
  "audit_event": "team_created",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

`team_deleted`

Description: Deleted Team

Alert template: User ${username} deleted team ${team_uid}

{
  "audit_event": "team_deleted",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

`team_provisioned_by_scim`

Description: SCIM Provisioned Team

Alert template: SCIM provisioned team ${team_uid}

{
  "audit_event": "team_provisioned_by_scim",
  "category": "policy",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

Category: `public_api`

`access_resource_public_api`

Description: Resource Access with Public API Token

Alert template: API with token ${token_id} with resource ${app_uid} executed

{
  "audit_event": "access_resource_public_api",
  "category": "public_api",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "token_id": "tok_9f4Z2K3pX7vQ8aB1",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`create_public_api_token_in_days`

Description: Admin created an API token

Alert template: User ${username} created an API token ${token_id} for type ${app_uid} with an expiration of ${feature_id} days

{
  "audit_event": "create_public_api_token_in_days",
  "category": "public_api",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "token_id": "tok_9f4Z2K3pX7vQ8aB1",
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw",
  "feature_id": 30
}

`revoke_public_api_token`

Description: Deleted Public API Token

Alert template: User ${username} deleted API token ${token_id}

{
  "audit_event": "revoke_public_api_token",
  "category": "public_api",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "token_id": "tok_9f4Z2K3pX7vQ8aB1"
}

Category: `role_node_management`

`role_managed_node_added`

Description: Add A Manage Node To A Role

Alert template: User ${username} added manage nodes permission for role ${role_id} on node ${node_id} with cascade set to ${value}

{
  "audit_event": "role_managed_node_added",
  "category": "role_node_management",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id": 9876543210,
  "node_id": 1234567890,
  "value": "true"
}

`role_managed_node_removed`

Description: Remove A Manage Node From A Role

Alert template: User ${username} removed manage nodes permission for role ${role_id} on node ${node_id}

{
  "audit_event": "role_managed_node_removed",
  "category": "role_node_management",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id": 9876543210,
  "node_id": 1234567890
}

`role_managed_node_updated`

Description: Change Cascade Node Permission

Alert template: User ${username} changed the cascade node permission on node ${node_id} for role ${role_id} to ${value}

{
  "audit_event": "role_managed_node_updated",
  "category": "role_node_management",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node_id": 1234567890,
  "role_id": 9876543210,
  "value": "true"
}

Category: `security`

`accept_invitation`

Description: Accepted Invitation

Alert template: User ${username} accepted invitation

{
  "audit_event": "accept_invitation",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`accept_transfer`

Description: Accepted Transfer Consent

Alert template: User ${username} accepted account transfer consent

{
  "audit_event": "accept_transfer",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`account_recovery_decline`

Description: Recovery Phrase Set Declined

Alert template: User ${username} declined to set a recovery phrase for their account

{
  "audit_event": "account_recovery_decline",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`account_recovery_setup`

Description: Recovery Phrase Set

Alert template: User ${username} set a recovery phrase for their account

{
  "audit_event": "account_recovery_setup",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`add_security_key`

Description: Added Security Key

Alert template: User ${username} added security key

{
  "audit_event": "add_security_key",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`added_admin_key`

Description: Granted Admin Permissions

Alert template: User ${to_username} was provided admin permissions by admin ${username}

{
  "audit_event": "added_admin_key",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`added_to_role`

Description: Added User to Role

Alert template: User ${to_username} was added to Role ${role_id} by admin ${username}

{
  "audit_event": "added_to_role",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com",
  "role_id": 9876543210
}

`auto_invite_user`

Description: Auto-Invited User

Alert template: User ${email} was added by an automated provisioning method (SCIM, SSO or AD Bridge)

{
  "audit_event": "auto_invite_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`clear_security_data`

Description: Cleared security audit data

Alert template: User ${username} cleared security audit data from the Admin Console

{
  "audit_event": "clear_security_data",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`create_user`

Description: Created User

Alert template: User ${username} created

{
  "audit_event": "create_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`decline_invitation`

Description: Declined Invitation

Alert template: User ${username} declined invitation

{
  "audit_event": "decline_invitation",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`delete_pending_user`

Description: Deleted Pending User

Alert template: Pending user ${email} was deleted by ${username}

{
  "audit_event": "delete_pending_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`delete_security_key`

Description: Deleted Security Key

Alert template: User ${username} removed security key

{
  "audit_event": "delete_security_key",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`delete_user`

Description: Deleted User

Alert template: User ${email} was deleted by admin ${username}

{
  "audit_event": "delete_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`device_admin_account_locked`

Description: Admin locked device account

Alert template: Admin ${username} locked account on a device for ${to_username}

{
  "audit_event": "device_admin_account_locked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`device_admin_account_unlocked`

Description: Admin unlocked device account

Alert template: Admin ${username} unlocked account on a device for ${to_username}

{
  "audit_event": "device_admin_account_unlocked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`device_admin_approval_requested`

Description: Admin approval for device requested

Alert template: User ${username} requested admin approval for device ${device_name}

{
  "audit_event": "device_admin_approval_requested",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`device_admin_locked`

Description: Admin locked device

Alert template: Admin ${username} locked a device

{
  "audit_event": "device_admin_locked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_admin_loggedout`

Description: Admin Logged Out device

Alert template: Admin ${username} Removed a device

{
  "audit_event": "device_admin_loggedout",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_admin_removed`

Description: Admin removed device

Alert template: Admin ${username} Removed a device

{
  "audit_event": "device_admin_removed",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_admin_unlocked`

Description: Admin unlocked device

Alert template: Admin ${username} unlocked a device

{
  "audit_event": "device_admin_unlocked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_approved`

Description: Device approved

Alert template: Device ${device_name} is approved for user ${username}

{
  "audit_event": "device_approved",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`device_approved_by_admin`

Description: Device approved by admin

Alert template: Admin ${username} approved device ${device_name} for user ${to_username}

{
  "audit_event": "device_approved_by_admin",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro",
  "to_username": "bob@keepersecurity.com"
}

`device_user_approval_requested`

Description: User requested self approval for device

Alert template: User ${username} requested self approval for device ${device_name}

{
  "audit_event": "device_user_approval_requested",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`device_user_blocked`

Description: User Blocked Device

Alert template: User ${username} blocked login on a device

{
  "audit_event": "device_user_blocked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_linked`

Description: User Linked Devices

Alert template: User ${username} linked two or more devices

{
  "audit_event": "device_user_linked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_locked`

Description: User Locked Device

Alert template: User ${username} locked a device for all accounts

{
  "audit_event": "device_user_locked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_loggedout`

Description: User Logged Out Device

Alert template: User ${username} forced logout on a device

{
  "audit_event": "device_user_loggedout",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_removed`

Description: User Removed Device

Alert template: User ${username} removed a device

{
  "audit_event": "device_user_removed",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_renamed`

Description: User Renamed Device

Alert template: User ${username} renamed a device

{
  "audit_event": "device_user_renamed",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_unblocked`

Description: User Unblocked Device

Alert template: User ${username} unblocked a device

{
  "audit_event": "device_user_unblocked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_unlinked`

Description: User Unlinked Devices

Alert template: User ${username} unlinked two or more devices

{
  "audit_event": "device_user_unlinked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`device_user_unlocked`

Description: User Unlocked Device

Alert template: User ${username} unlocked a device

{
  "audit_event": "device_user_unlocked",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`enable_user`

Description: Enabled User

Alert template: User ${to_username} was enabled by admin ${username}

{
  "audit_event": "enable_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`enterprise_2fa_disabled_by_admin`

Description: Disabled 2FA By Admin

Alert template: Admin ${username} disabled 2FA for user ${to_username}

{
  "audit_event": "enterprise_2fa_disabled_by_admin",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`enterprise_product_changed`

Description: Changed plan

Alert template: User ${username} changed plan for enterprise ${enterprise} to ${plan}

{
  "audit_event": "enterprise_product_changed",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "enterprise": "Acme Corp",
  "plan": "business_monthly"
}

`enterprise_to_consumption_billing`

Description: Converted to Consumption billing

Alert template: Consumption billing start date: ${app_uid}

{
  "audit_event": "enterprise_to_consumption_billing",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`expire_password`

Description: Expired Master Password

Alert template: User ${to_username} master password was reset by admin ${username}

{
  "audit_event": "expire_password",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`lock_user`

Description: Locked User

Alert template: User ${to_username} was locked by admin ${username}

{
  "audit_event": "lock_user",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`login_failed_console`

Description: Failed Console Login

Alert template: User ${username} failed login to Admin Console

{
  "audit_event": "login_failed_console",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "channel": "Web Vault"
}

`login_failed_ip_whitelist`

Description: IP Blocked

Alert template: User ${username} has been blocked from IP ${ip_address}

{
  "audit_event": "login_failed_ip_whitelist",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "ip_address": "203.0.113.45"
}

`payment_method_updated`

Description: Payment Method Updated

Alert template: User ${username} updated payment method to ${plan} for enterprise ${enterprise}

{
  "audit_event": "payment_method_updated",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "plan": "business_monthly",
  "enterprise": "Acme Corp"
}

`pending_added_to_role`

Description: Added Pending User to Role

Alert template: Pending user ${value} was added to Role ${role_id} by admin ${username}

{
  "audit_event": "pending_added_to_role",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true",
  "role_id": 9876543210
}

`pending_removed_from_role`

Description: Removed Pending User from Role

Alert template: Pending user ${value} was removed from Role ${role_id} by admin ${username}

{
  "audit_event": "pending_removed_from_role",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true",
  "role_id": 9876543210
}

`reauthentication_reprompt_success`

Description: Master password reprompt success

Alert template: User ${username} re-authentication succeeded

{
  "audit_event": "reauthentication_reprompt_success",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`reauthentication_reprompt_throttle`

Description: Re-authentication prompt throttled

Alert template: User ${username} re-authentication throttled

{
  "audit_event": "reauthentication_reprompt_throttle",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`removed_from_role`

Description: Removed User from Role

Alert template: User ${to_username} was removed from Role ${role_id} by admin ${username}

{
  "audit_event": "removed_from_role",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com",
  "role_id": 9876543210
}

`role_team_add`

Description: Added Role to Team

Alert template: ${username} added role ${role_id_status} to team ${team_uid}

{
  "audit_event": "role_team_add",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id_status": "9876543210",
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

`role_team_remove`

Description: Removed Role from Team

Alert template: ${username} removed role ${role_id_status} from team ${team_uid}

{
  "audit_event": "role_team_remove",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "role_id_status": "9876543210",
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

`scim_access_failure`

Description: SCIM access failure

Alert template: SCIM provisioning on node ${node} failed to authenticate ${failure_count} times. Token ${token_id}..

{
  "audit_event": "scim_access_failure",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "node": "Engineering",
  "failure_count": 4,
  "token_id": "tok_9f4Z2K3pX7vQ8aB1"
}

`send_invitation`

Description: Invited User

Alert template: User ${email} was invited to join by admin ${username}

{
  "audit_event": "send_invitation",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com"
}

`set_two_factor_off`

Description: Disabled Two-Factor Auth

Alert template: User ${username} set 2FA method OFF

{
  "audit_event": "set_two_factor_off",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`set_two_factor_on`

Description: Enabled Two-Factor Auth

Alert template: User ${username} set 2FA method ON

{
  "audit_event": "set_two_factor_on",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`two_factor_code_invalid`

Description: The Two-Factor code is invalid

Alert template: User ${username} entered invalid two-factor authentication code

{
  "audit_event": "two_factor_code_invalid",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`two_factor_disabled_by_support`

Description: Disabled 2FA By Keeper Support

Alert template: Two-Factor Auth was disabled for user ${username} by Keeper Support

{
  "audit_event": "two_factor_disabled_by_support",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345
}

`unusual_location_activity_logout`

Alert template: KeeperAI logged out device ${device_name} for user ${username} due to unusual location activity

{
  "audit_event": "unusual_location_activity_logout",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "device_name": "MacBook Pro"
}

`vault_transferred`

Description: Transferred Vault

Alert template: User ${email} (${from_username}) vault was transferred to user ${to_username} by admin ${username}

{
  "audit_event": "vault_transferred",
  "category": "security",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "email": "newuser@keepersecurity.com",
  "from_username": "alice@keepersecurity.com",
  "to_username": "bob@keepersecurity.com"
}

Category: `security_benchmark`

`sb_configure_ip_allowlisting`

Description: Configure IP Allowlisting

Alert template: Security Benchmark Configure IP Allowlisting set to ${value} by ${username}

{
  "audit_event": "sb_configure_ip_allowlisting",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_create_alerts`

Description: Create alerts

Alert template: Security Benchmark Create Alerts set to ${value} by ${username}

{
  "audit_event": "sb_create_alerts",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_create_at_least_two_keeper_administrators`

Description: Create at least two Keeper Administrators

Alert template: Security Benchmark Create At Least Two Keeper Administrators set to ${value} by ${username}

{
  "audit_event": "sb_create_at_least_two_keeper_administrators",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_deploy_across_entire_organization`

Description: Deploy Across Your Entire Organization

Alert template: Security Benchmark Deploy Across Entire Organization set to ${value} by ${username}

{
  "audit_event": "sb_deploy_across_entire_organization",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_disable_account_recovery`

Description: Disable Account Recovery

Alert template: Security Benchmark Disable Account Recovery set to ${value} by ${username}

{
  "audit_event": "sb_disable_account_recovery",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_disable_browser_password_managers`

Description: Disable Browser Password Managers

Alert template: Security Benchmark Disable Browser Password Managers set to ${value} by ${username}

{
  "audit_event": "sb_disable_browser_password_managers",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_enable_account_transfer_policy`

Description: Enable Account Transfer Policy

Alert template: Security Benchmark Enable Account Transfer Policy set to ${value} by ${username}

{
  "audit_event": "sb_enable_account_transfer_policy",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_enforce_least_privilege_policy`

Description: Enforce Least Privileged Policy

Alert template: Security Benchmark Enforce Least Privilege Policy On Managed Devices set to ${value} by ${username}

{
  "audit_event": "sb_enforce_least_privilege_policy",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_enforce_strong_master_password`

Description: Enforce a strong Master Password

Alert template: Security Benchmark Enforce Strong Master Password set to ${value} by ${username}

{
  "audit_event": "sb_enforce_strong_master_password",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_ensure_outside_sso_administrator_exists`

Description: Ensure Outside SSO Administrator Exists

Alert template: Security Benchmark Ensure Outside SSO Administrator Exists set to ${value} by ${username}

{
  "audit_event": "sb_ensure_outside_sso_administrator_exists",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_ensure_two_factor_authentication_admin_users`

Description: Ensure Two-Factor Authentication For Admin Users

Alert template: Security Benchmark Ensure Two-Factor Authentication For Admin Users set to ${value} by ${username}

{
  "audit_event": "sb_ensure_two_factor_authentication_admin_users",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_ensure_two_factor_authentication_for_end_users`

Description: Ensure Two-Factor Authentication For End Users

Alert template: Security Benchmark Ensure Two-Factor Authentication For End Users set to ${value} by ${username}

{
  "audit_event": "sb_ensure_two_factor_authentication_for_end_users",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_lock_down_sso_provider`

Description: Lock down your SSO provider

Alert template: Security Benchmark Lock Down SSO Provider set to ${value} by ${username}

{
  "audit_event": "sb_lock_down_sso_provider",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_prevent_installation_of_untrusted_extensions`

Description: Prevent Installation of Untrusted Extensions

Alert template: Security Benchmark Prevent Installation Of Untrusted Extensions set to ${value} by ${username}

{
  "audit_event": "sb_prevent_installation_of_untrusted_extensions",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`sb_reduce_administrator_privilege`

Description: Reduce Administrator Privilege

Alert template: Security Benchmark Reduce Administrator Privilege set to ${value} by ${username}

{
  "audit_event": "sb_reduce_administrator_privilege",
  "category": "security_benchmark",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "value": "true"
}

`accept_share`

Description: Accepted Share Request

Alert template: User ${username} accepted share from user ${to_username}

{
  "audit_event": "accept_share",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`added_shared_folder`

Description: Added Shared Folder

Alert template: User ${username} created shared folder UID ${shared_folder_uid}

{
  "audit_event": "added_shared_folder",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "shared_folder_uid": "abc1234567WL9OQlsGdOUw"
}

`added_to_team`

Description: Added User to Team

Alert template: User ${to_username} was added to Team ${team_uid} by admin ${username}

{
  "audit_event": "added_to_team",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com",
  "team_uid": "Tm9qLnfWVxWL9OQlsGdOUw"
}

`cancel_share`

Description: Rejected Share Request

Alert template: User ${username} canceled share from user ${to_username}

{
  "audit_event": "cancel_share",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "to_username": "bob@keepersecurity.com"
}

`change_share`

Description: Changed Record Share

Alert template: User ${username} changed share permissions for record UID ${record_uid} to user ${to_username}

{
  "audit_event": "change_share",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "record_uid": "Uk6qLnfWVxWL9OQlsGdOUw",
  "to_username": "bob@keepersecurity.com"
}

`deleted_shared_folder`

Description: Deleted Shared Folder

Alert template: User ${username} deleted shared folder UID ${shared_folder_uid}

{
  "audit_event": "deleted_shared_folder",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "shared_folder_uid": "abc1234567WL9OQlsGdOUw"
}

`ext_share_access`

Description: One-Time Share Re-opened

Alert template: A user re-opened the One-Time Share link for 'Record UID:${app_uid}' created by ${username}

{
  "audit_event": "ext_share_access",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`ext_share_added`

Description: One-Time Share Added

Alert template: User ${username} generated a One-Time Share link to Record UID:${app_uid}

{
  "audit_event": "ext_share_added",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`ext_share_connected`

Description: One-Time Share Opened

Alert template: A user opened the One-Time Share link for 'Record UID:${app_uid}' created by ${username}

{
  "audit_event": "ext_share_connected",
  "category": "share",
  "remote_address": "203.0.113.45",
  "client_version": "Web Vault 16.10.5",
  "username": "alice@keepersecurity.com",
  "timestamp": "2026-05-25T14:30:00.000Z",
  "enterprise_id": 12345,
  "app_uid": "App9qLnfWVxWL9OQlsGdOUw"
}

`ext_share_expired`

Description: One-Time Share Expired

Alert template: A One-Time Share link for 'Record UID:${app_uid}' has expired

`ext_share_removed`

Description: One-Time Share Removed

Alert template: User ${username} removed a One-Time Share link to 'Record UID:${app_uid}'

`folder_add_outside_user`

Description: Folder Shared Outside

Alert template: User ${username} added outside the company user ${to_username} to shared folder UID ${shared_folder_uid}"

`folder_add_record`

Description: Added Record to Shared Folder

Alert template: User ${username} added record ${record_uid} to shared folder UID ${shared_folder_uid}

`folder_add_team`

Description: Added Team to Folder

Alert template: User ${username} added team UID ${team_uid} to shared folder UID ${shared_folder_uid}

`folder_add_user`

Description: Added User to Folder

Alert template: User ${username} added user ${to_username} to shared folder UID ${shared_folder_uid}

`folder_change_record`

Description: Changed Record Permissions

Alert template: User ${username} changed record ${record_uid} permissions to shared folder UID ${shared_folder_uid}

`folder_change_team`

Description: Changed Team Permissions

Alert template: User ${username} changed team UID ${team_uid} permissions to shared folder UID ${shared_folder_uid}

`folder_change_user`

Description: Changed User Permissions

Alert template: User ${username} changed user ${to_username} permissions to shared folder UID ${shared_folder_uid}

`folder_remove_record`

Description: Removed Record from Shared Folder

Alert template: User ${username} removed record ${record_uid} owned by ${to_username} from shared folder UID ${shared_folder_uid}

`folder_remove_team`

Description: Removed Team from Folder

Alert template: User ${username} removed team UID ${team_uid} from shared folder UID ${shared_folder_uid}

`folder_remove_user`

Description: Removed User from Folder

Alert template: User ${username} removed user ${to_username} from shared folder UID ${shared_folder_uid}

`record_share_outside_user`

Description: Record Shared Outside

Alert template: User ${username} shared record UID ${record_uid} outside the company with user ${to_username}

`remove_share`

Description: Removed Record Share

Alert template: User ${username} removed share of record UID ${record_uid} from user ${to_username}

`removed_from_team`

Description: Removed User from Team

Alert template: User ${to_username} was removed from Team ${team_uid} by admin ${username}

Description: Shared Record

Alert template: User ${username} shared record UID ${record_uid} with ${to_username}

`shared_folder_folder_record_restored`

Description: Shared Folder Folder Record Restored

Alert template: User ${username} restored record UID ${record_uid} in shared folder folder UID ${folder_uid}

`shared_folder_folder_restored`

Description: Shared Folder Folder Restored

Alert template: User ${username} restored shared folder folder UID ${folder_uid}

`shared_folder_record_restored`

Description: Shared Folder Record Restored

Alert template: User ${username} restored record UID ${record_uid} in shared folder UID ${shared_folder_uid}

`shared_folder_restored`

Description: Shared Folder Restored

Alert template: User ${username} restored shared folder UID ${shared_folder_uid}

`transfer_owner`

Description: Transferred Record Ownership

Alert template: User ${username} transferred ownership of record UID ${record_uid} to user ${to_username}

Category: `usage`

`added_folder`

Description: Added Folder

Alert template: User ${username} created ${folder_type} folder UID ${folder_uid}

`added_identity`

Description: Added Identity

Alert template: User ${username} added an identity

`added_payment_card`

Description: Added Payment Card

Alert template: User ${username} added a payment card

`audit_alert_sent`

Description: Sent Audit Alert

Alert template: Audit alert "${name}" was sent to ${recipient}

`audit_sync_failed`

Description: Failed Audit Log Sync

Alert template: Audit log sync to ${channel} failed with error ${result_code}

`audit_sync_paused`

Description: Paused Audit Log Sync

Alert template: Audit log sync to ${channel} paused

`audit_sync_restored`

Description: Restored Audit Log Sync

Alert template: Audit log sync to ${channel} restored

`audit_sync_resumed`

Description: Resumed Audit Log Sync

Alert template: Admin ${username} resumed audit log sync to "${name}"

`changed_identity`

Description: Changed Identity

Alert template: User ${username} changed an identity

`changed_payment_card`

Description: Changed Payment Card

Alert template: User ${username} changed a payment card

`copy_password`

Description: Copied Password to Clipboard

Alert template: User ${username} copied password to clipboard on record UID ${record_uid}

`deleted_folder`

Description: Deleted Folder

Alert template: User ${username} deleted ${folder_type} folder UID ${folder_uid}

`duplicate_record`

Description: Duplicated Record

Alert template: User ${username} duplicated record UID ${record_uid}

`empty_trash`

Description: Emptied Trash Bin

Alert template: User ${username} purged deleted records

`exported_records`

Description: Exported Records

Alert template: User ${username} exported records to ${file_format} file

`fast_fill`

Description: Filled Record

Alert template: User ${username} autofilled record UID ${record_uid}

`file_attachment_deleted`

Description: Deleted File Attachment

Alert template: User ${username} deleted file attachment UID ${attachment_id} on record UID ${record_uid}

`file_attachment_downloaded`

Description: Downloaded File Attachment

Alert template: User ${username} downloaded file attachment UID ${attachment_id} on record UID ${record_uid}

`file_attachment_exported`

Description: Exported File Attachment

Alert template: User ${username} exported file attachment UID ${attachment_id} on record UID ${record_uid}

`file_attachment_uploaded`

Description: Uploaded File Attachment

Alert template: User ${username} uploaded file attachment UID ${attachment_id} on record UID ${record_uid}

`file_attachment_viewed`

Description: Viewed File Attachment

Alert template: User ${username} viewed file attachment UID ${attachment_id} on record UID ${record_uid}

`imported_records`

Description: Imported Records

Alert template: User ${username} imported records from ${file_format} file

`open_record`

Description: Opened Record

Alert template: User ${username} opened record UID ${record_uid}

`record_add`

Description: Added Record

Alert template: User ${username} added record UID ${record_uid}

`record_delete`

Description: Deleted Record

Alert template: User ${username} sent record UID ${record_uid} to trash

`record_password_change`

Description: Record Password Changed

Alert template: User ${username} changed password on record UID ${record_uid}

`record_restored`

Description: Deleted Record Restored

Alert template: User ${username} restored deleted record UID ${record_uid}

`record_update`

Description: Updated Record

Alert template: User ${username} updated record UID ${record_uid}

`reused_password`

Description: Created Re-used Password

Alert template: User ${username} reused a password

`revision_restored`

Description: Record Revision Restored

Alert template: User ${username} restored previous revision of record UID ${record_uid}

Category: `zero_trust_keeper_pam`

`discovery_job_completed`

Description: Completed Discovery

Alert template: Discovery job completed on Gateway UID (${gateway_uid}) for user ${username}

`discovery_job_started`

Description: Started Discovery

Alert template: Discovery job started on Gateway UID (${gateway_uid}) for user ${username}

`ksm_app_shared`

Description: Secrets Manager Application Shared

Alert template: User ${username} shared KSM application ${app_uid} with user ${to_username}

`pam_kcm_connection_started`

Description: Started Connection

Alert template: User ${username} started connection with protocol ${protocol} on record ${record_uid}

`pam_kcm_connection_stopped`

Description: Stopped Connection

Alert template: User ${username} stopped connection with protocol ${protocol} on record ${record_uid}

`pam_kcm_connection_terminated`

Description: Terminated Connection

Alert template: Connection with protocol ${protocol} for user ${username} on ${record_uid} was terminated due to revoked access

`pam_rbi_started`

Description: Started Remote Browser Isolation

Alert template: User ${username} started remote browser isolation session on record ${record_uid}

`pam_rbi_stopped`

Description: Stopped Remote Browser Isolation

Alert template: User ${username} stopped remote browser isolation session on record ${record_uid}

`pam_rbi_terminated`

Description: Terminated Remote Browser Isolation

Alert template: Remote Browser Isolation session for user ${username} on ${record_uid} was terminated due to revoked access

`pam_session_rbi_recording_started`

Description: Remote Browser Isolation with recording started

Alert template: User ${username} started remote browser isolation session with session recording on record ${record_uid}

`pam_session_rbi_recording_stopped`

Description: Remote Browser Isolation with recording stopped

Alert template: User ${username} stopped remote browser isolation session with session recording on record ${record_uid}

`pam_session_recording_downloaded`

Description: Session Recording Files Downloaded

Alert template: User ${username} downloaded session recording ${file_format} for Record UID ${record_uid}

`pam_session_recording_started`

Description: Connection with recording started

Alert template: User ${username} started connection with protocol ${protocol} and session recording on record ${record_uid}

`pam_session_recording_stopped`

Description: Connection with recording stopped

Alert template: User ${username} stopped connection with protocol ${protocol} and session recording on record ${record_uid}

`pam_tunnel_started`

Description: Started Tunnel

Alert template: User ${username} started tunnel on record ${record_uid}

`pam_tunnel_stopped`

Description: Stopped Tunnel

Alert template: User ${username} stopped tunnel on record ${record_uid}

`pam_tunnel_terminated`

Description: Terminated Tunnel

Alert template: Tunnel for user ${username} on ${record_uid} was terminated due to revoked access

`pam_workflow_request_approved`

Description: Worflow Request Approved

Alert template: Workflow request from ${username} for record ${record_uid} was approved by ${approver}.

`pam_workflow_request_denied`

Description: Workflow Request Denied

Alert template: Workflow request from ${username} for record ${record_uid} was denied by ${approver}. Reason: ${reason}.

`pam_workflow_request_escalated`

Description: Workflow Request Escalated

Alert template: Workflow request from ${username} for record ${record_uid} was escalated.

`pam_workflow_session_ended_checkin`

Description: Workflow Session Ended Checkin

Alert template: ${username} ended a workflow session for record ${record_uid} (check-in).

`pam_workflow_session_ended_expired`

Description: Workflow Session Ended Expired

Alert template: Workflow ended for record ${record_uid} for ${username} (check-in, expired).

`pam_workflow_session_started_checkout`

Description: Workflow Session Started Checkout

Alert template: ${username} started a workflow session for record ${record_uid} (checkout).

PreviousReporting, Alerts & SIEM NextAWS S3

Last updated 16 days ago

Good afternoon

Keeper ARAM Event JSON Samples

Base envelope

Field reference (event-specific)

Events by category

Category: account

account_recovery

alias_added

change_email

change_master_password

change_security_question

device_user_passkey_add

device_user_passkey_remove

set_alternate_master_password

set_biometric_access

Category: admin_permission

admin_permission_added

admin_permission_removed

Category: breachwatch

bw_record_high_risk

bw_record_ignored

bw_record_resolved

Category: chat

chat_contact_added

chat_file_attached

chat_login

chat_login_failed

chat_message_destruct

chat_message_received

chat_message_sent

Category: compliance_report

compliance_report_deleted

compliance_report_downloaded

compliance_report_exported

compliance_report_run

compliance_report_saved

saved_criteria_deleted

saved_criteria_edited

saved_criteria_saved

unsaved_compliance_report_exported

Category: endpoint_privilege_manager

agent_added_collection_link

agent_added_to_collection

agent_authentication_failed

agent_created_collection

agent_removed

agent_removed_from_collection

agent_unregistered

agent_updated

approval_request_created

approval_request_removed

approval_request_status_changed

collection_created

collection_link_added

collection_link_removed

collection_removed

collection_updated

deployment_authentication_failed

deployment_created

deployment_removed

deployment_updated

policy_created

policy_removed

policy_updated

register_agent

Category: keeper_ai

keeper_ai_critical_risk_level_detected

keeper_ai_high_risk_level_detected

keeper_ai_medium_risk_level_detected

keeper_ai_pam_configuration_feature_disabled

keeper_ai_pam_configuration_feature_enabled

keeper_ai_recording_disabled

keeper_ai_recording_enabled

keeper_ai_session_locked_by_ai_critical

keeper_ai_session_locked_by_ai_high

keeper_ai_session_locked_by_ai_medium

keeper_ai_session_terminate_disabled

keeper_ai_session_terminate_enabled

keeper_ai_session_unlocked_by_user

Category: ksm