Recommended Alerts

Best Practices and Recommended Alerts for Advanced Reporting System

Keeper's Advanced Reporting System provides built-in alerting capabilities that notify users and Administrators of important events. As a best practice, Keeper has created a list of recommended alerts that can be configured by the Keeper Administrator.

To create an alert, log in to the Admin Console and visit Reporting & Alerts > Alerts.

Alerts are only available to customers who subscribe to the Advanced Reporting & Alerts module. To upgrade, please contact your Keeper customer success representative.

Admin Policy Changes

It is important that the Keeper Admin is notified when any administrative change that can affect the security and usage of the platform is made in the Keeper Admin Console. We recommend selecting all "Policy Change" events.

Policy Changes

Critical system events in this category include the following:

| Event | Threat / Description |
| --- | --- |
| Created Node | Ensure this action is approved. |
| Deleted Node | Ensure this action is approved. |
| Created Role | Ensure this action is approved. |
| Deleted Role | Ensure this action is approved. |
| Created Team | Ensure this action is approved. |
| Deleted Team | Deleting a team could also remove Shared Folder access. Ensure this action is approved. |
| Changed Role Policy | Role enforcement policies can affect many different threat vectors. |
| Set 2FA Configuration | Duo or RSA integration could be interrupted. |
| Created Alert | An Admin created an alert in the Advanced Reporting system. |
| Deleted Alert | An Admin deleted an alert, which could prevent detection. Ensure that this was an expected action. |
| Paused Alert | An Admin has paused an alert, which could prevent detection. Ensure that this was an expected action. |
| License reached maximum | Notifies you when you are reaching your maximum user count, so that new users can still be onboarded to the platform. |

User Management and Security Changes

We recommend that the Keeper Admin (and the user who performs the action) is notified when any User-Specific changes occur. At minimum, we recommend generating alerts on several key events within the "Security" category.

User Management and Security Alerts

Critical User Management and Security Change events include the following:

| Event | Threat / Description |
| --- | --- |
| Invited User | Ensure that only approved users are invited to the platform. |
| Created User | Ensure that users who join the Enterprise are approved. |
| Deleted User | Ensure that user deletion is approved. Note this action also deletes all vault contents. |
| Locked User | Admin has locked a user from the platform. Ensure this action is approved. |
| Disabled 2FA By Admin | A user's 2FA has been turned off by the Keeper Admin. Ensure this action is approved. |
| Device Approved | A user has signed into a new device. This event may generate a lot of alerts depending on the number of users. |
| Admin approval for device requested | User may need assistance to approve a new device. Log in to the Admin Console to approve. |
| Transferred vault | The user's vault has been transferred to another user account. Ensure that this action is approved. |
| Granted Admin Permission | The user has been added to a role with Administrative permission. Ensure that this user is approved for administrative duties. |
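One way to act on the "ensure this action is approved" guidance in the two tables above is to reconcile incoming alerts against a change register. The following is an added example, not Keeper's code: the event names are the display names from the tables, while the record fields (`event`, `actor`, `target`), the change register and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

# Display names from the tables above; the grouping is this example's choice.
TAMPERING = {"Deleted Alert", "Paused Alert"}  # could prevent detection
HIGH_VOLUME = {"Device Approved"}              # summarised per user, not paged

def triage(events, approved_changes):
    """Sort alert events into approved / escalate / review plus a digest.

    events: dicts with 'event', 'actor', 'target' keys (assumed layout,
            not Keeper's export format).
    approved_changes: set of (event, actor, target) tuples from a
            hypothetical change register.
    """
    result = {"approved": [], "escalate": [], "review": [], "digest": Counter()}
    for ev in events:
        key = (ev["event"], ev["actor"], ev["target"])
        if ev["event"] in HIGH_VOLUME:
            # Count per user so a burst of new devices stands out in a digest.
            result["digest"][ev["actor"]] += 1
        elif key in approved_changes:
            result["approved"].append(ev)
        elif ev["event"] in TAMPERING:
            # Unapproved change to the alerting itself: highest priority.
            result["escalate"].append(ev)
        else:
            # Everything else, including event types not known to this
            # script, is reviewed rather than silently dropped.
            result["review"].append(ev)
    return result

# Constructed sample data (not real events).
SAMPLE_EVENTS = [
    {"event": "Deleted Team", "actor": "admin1@example.com", "target": "Finance"},
    {"event": "Paused Alert", "actor": "admin2@example.com", "target": "Policy Changes"},
    {"event": "Granted Admin Permission", "actor": "admin2@example.com",
     "target": "user9@example.com"},
    {"event": "Device Approved", "actor": "user3@example.com", "target": "laptop"},
    {"event": "Device Approved", "actor": "user3@example.com", "target": "phone"},
]
APPROVED = {("Deleted Team", "admin1@example.com", "Finance")}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS, APPROVED).items():
        print(bucket, items)
```
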

Breached Passwords Detected

BreachWatch provides organizations oversight of the vulnerabilities of users' passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in a publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover.

Before you configure the alert, ensure that BreachWatch events are configured to flow through the Advanced Reporting & Alerts module. This is disabled by default.

Go to the Role of the users affected by the policy > Enforcement Policies > Vault Features and turn the setting to ON.

Enable BreachWatch events to ARAM

In the Alerts section of the Advanced Reporting & Alerts module, create an alert with all 3 event types within the BreachWatch category.

BreachWatch Events

Critical BreachWatch events include the following:

| Event | Threat / Description |
| --- | --- |
| BreachWatch detected high-risk record password | The user has either created a record or imported data with weak passwords or a password known to be breached on the Dark Web. |
| User ignored detected high-risk record password | The user has clicked "Ignore" on a detected breached password. |
| User resolved detected high-risk record password | The user has successfully changed a password that was previously flagged by BreachWatch as a breached password. |

Admin Console Logins

Depending on how many Keeper Administrators you have in the organization, you may want to be alerted every time an Admin Console login occurs.

Admin Console Logins

| Event | Threat / Description |
| --- | --- |
| Console Login | Ensure that the user should be granted Administrative rights. |

New Events

Note that new Keeper events are added on a monthly basis as the functionality and features of the platform are enhanced. Therefore, we recommend reviewing the latest event types on a regular basis to ensure that you are informed of the latest capabilities.