Recommended Alerts

Best Practices and Recommended Alerts for Advanced Reporting System

Keeper's Advanced Reporting System provides built-in Alerting capabilities that will notify users and Administrators for important events.  As a best practice, Keeper has created a list of recommended alerts that can be configured by the Keeper Administrator.
To create an alert, login to the Admin Console and visit Reporting & Alerts > Alerts.
Alerts is only available to customers who subscribe to Advanced Reporting & Alerts module.  To upgrade, please contact your Keeper customer success representative.
Admin Policy Changes
It is important that the Keeper Admin is notified when any administrative changes are made on the Keeper Admin Console which can affect the security and usage of the platform.  We recommend selecting all "Policy Change" events.
Policy Changes
Critical system events in this category include the following:
Event
Threat / Description
Created Node
Ensure this action is approved.
Deleted Node
Ensure this action is approved.
Created Role
Ensure this action is approved.
Deleted Role
Ensure this action is approved.
Created Team
Ensure this action is approved.
Deleted Team
Deleting a team could also removed Shared Folder access. Ensure this action is approved.
Changed Role Policy
Role enforcement policies can affect many different threat vectors 
Set 2FA Configuration
Duo or RSA integration could be interrupted.
Created Alert
Admin created an alert in the Advanced Reporting system
Deleted Alert
An Admin deleted an alert  which could prevent detection - ensure that this was an expected action.
Paused Alert
An Admin has paused an alert which could prevent detection - ensure that this was an expected action.
License reached maximum
Notifies if you are reaching your maximum user count, will ensure that new users can be onboarded to the platform.
User Management and Security Changes
We recommend that the Keeper Admin (and the user who performs the action) is notified when any User-Specific changes occur.  At minimum, we recommend generating alerts on several key events within the "Security" category.
User Management and Security Alerts
Critical User Management and Security Change events include the following:
Event
Threat / Description
Invited User
Ensure that only approved users are invited to the platform.
Created User
Ensure that users who join the Enterprise are approved.
Deleted User
Ensure that user deletion is approved.  Note this action also deletes all vault contents.
Locked User
Admin has locked a user from the platform.   Ensure this action is approved.
Disabled 2FA By Admin
A user's 2FA has been turned off by the Keeper Admin.  Ensure this action is approved.
Device Approved
A user has signed into a new device.  This event may generate a lot of alerts depending on number of users.
Admin approval for device requested
User may need assistance to approve a new device.  Login to the Admin Console to approve.
Transferred vault
The user's vault has been transferred to another user account.  Ensure that this action is approved.
Granted Admin Permission
The user has been added to a role with Administrative permission.  Ensure that this user is approved for administrative duties.
Breached Passwords Detected
BreachWatch provides organizations oversight of the vulnerabilities of user's passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover. 
Before you configure the alert, ensure that BreachWatch events are configured to flow through the Advanced Reporting & Alerts module.  This is disabled by default.
Go to the Role of the users affected by the policy > Enforcement Policies > Vault Features and turn the setting to ON.
Enable BreachWatch events to ARAM
In the Alerts section of the Advanced Reporting & Alerts module, create an alert with all 3 event types within the BreachWatch category.
BreachWatch Events
Critical BreachWatch events include the following:
Event
Threat / Description
BreachWatch detected high-risk record password
The user has either created a record or imported data with weak passwords or a password known to be breached on the Dark Web. 
User ignored detected high-risk record password
The user has clicked "Ignore" on a detected breached password.
User resolved detected high-risk record password
The user has successfully changed a password that was previously flagged by BreachWatch as a breached password.
Admin Console Logins
Depending how many Keeper Administrators you have in the organization, you may want to be alerted every time an Admin Console login occurs.
Admin Console Logins
Event
Threat/Description
Console Login
Ensure that the user should be granted Administrative rights.
New Events
Note that new Keeper events are added on a monthly basis as the functionality and features of the platform are enhanced.  Therefore, we recommend reviewing the latest event types on a regular basis to ensure that you are informed of the latest capabilities.

On-site Commander Push

Webhooks (Slack & Teams)

Last modified 8mo ago

Event	Threat / Description
Created Node	Ensure this action is approved.
Deleted Node	Ensure this action is approved.
Created Role	Ensure this action is approved.
Deleted Role	Ensure this action is approved.
Created Team	Ensure this action is approved.
Deleted Team	Deleting a team could also removed Shared Folder access. Ensure this action is approved.
Changed Role Policy	Role enforcement policies can affect many different threat vectors
Set 2FA Configuration	Duo or RSA integration could be interrupted.
Created Alert	Admin created an alert in the Advanced Reporting system
Deleted Alert	An Admin deleted an alert which could prevent detection - ensure that this was an expected action.
Paused Alert	An Admin has paused an alert which could prevent detection - ensure that this was an expected action.
License reached maximum	Notifies if you are reaching your maximum user count, will ensure that new users can be onboarded to the platform.

Event	Threat / Description
Invited User	Ensure that only approved users are invited to the platform.
Created User	Ensure that users who join the Enterprise are approved.
Deleted User	Ensure that user deletion is approved. Note this action also deletes all vault contents.
Locked User	Admin has locked a user from the platform. Ensure this action is approved.
Disabled 2FA By Admin	A user's 2FA has been turned off by the Keeper Admin. Ensure this action is approved.
Device Approved	A user has signed into a new device. This event may generate a lot of alerts depending on number of users.
Admin approval for device requested	User may need assistance to approve a new device. Login to the Admin Console to approve.
Transferred vault	The user's vault has been transferred to another user account. Ensure that this action is approved.
Granted Admin Permission	The user has been added to a role with Administrative permission. Ensure that this user is approved for administrative duties.

Event	Threat / Description
BreachWatch detected high-risk record password	The user has either created a record or imported data with weak passwords or a password known to be breached on the Dark Web.
User ignored detected high-risk record password	The user has clicked "Ignore" on a detected breached password.
User resolved detected high-risk record password	The user has successfully changed a password that was previously flagged by BreachWatch as a breached password.

Event	Threat/Description
Console Login	Ensure that the user should be granted Administrative rights.