Recommended Alerts
Keeper's Advanced Reporting System provides built-in Alerting capabilities that will notify users and Administrators for important events. As a best practice, Keeper has created a list of recommended alerts that can be configured by the Keeper Administrator.
To create an alert, login to the Admin Console and visit Reporting & Alerts > Alerts.
Alerts is only available to customers who subscribe to Advanced Reporting & Alerts module. To upgrade, please contact your Keeper customer success representative.
It is important that the Keeper Admin is notified when any administrative changes are made on the Keeper Admin Console which can affect the security and usage of the platform. We recommend selecting all "Policy Change" events.
Critical system events in this category include the following:
Event | Threat / Description |
Created Node | Ensure this action is approved. |
Deleted Node | Ensure this action is approved. |
Created Role | Ensure this action is approved. |
Deleted Role | Ensure this action is approved. |
Created Team | Ensure this action is approved. |
Deleted Team | Deleting a team could also removed Shared Folder access. Ensure this action is approved. |
Changed Role Policy | Role enforcement policies can affect many different threat vectors |
Set 2FA Configuration | Duo or RSA integration could be interrupted. |
Created Alert | Admin created an alert in the Advanced Reporting system |
Deleted Alert | An Admin deleted an alert which could prevent detection - ensure that this was an expected action. |
Paused Alert | An Admin has paused an alert which could prevent detection - ensure that this was an expected action. |
License reached maximum | Notifies if you are reaching your maximum user count, will ensure that new users can be onboarded to the platform. |
We recommend that the Keeper Admin (and the user who performs the action) is notified when any User-Specific changes occur. At minimum, we recommend generating alerts on several key events within the "Security" category.
Critical User Management and Security Change events include the following:
Event | Threat / Description |
Invited User | Ensure that only approved users are invited to the platform. |
Created User | Ensure that users who join the Enterprise are approved. |
Deleted User | Ensure that user deletion is approved. Note this action also deletes all vault contents. |
Locked User | Admin has locked a user from the platform. Ensure this action is approved. |
Disabled 2FA By Admin | A user's 2FA has been turned off by the Keeper Admin. Ensure this action is approved. |
Device Approved | A user has signed into a new device. This event may generate a lot of alerts depending on number of users. |
Admin approval for device requested | User may need assistance to approve a new device. Login to the Admin Console to approve. |
Transferred vault | The user's vault has been transferred to another user account. Ensure that this action is approved. |
Granted Admin Permission | The user has been added to a role with Administrative permission. Ensure that this user is approved for administrative duties. |
BreachWatch provides organizations oversight of the vulnerabilities of user's passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover.
Before you configure the alert, ensure that BreachWatch events are configured to flow through the Advanced Reporting & Alerts module. This is disabled by default.
Go to the Role of the users affected by the policy > Enforcement Policies > Vault Features and turn the setting to ON.
In the Alerts section of the Advanced Reporting & Alerts module, create an alert with all 3 event types within the BreachWatch category.
Critical BreachWatch events include the following:
Event | Threat / Description |
BreachWatch detected high-risk record password | The user has either created a record or imported data with weak passwords or a password known to be breached on the Dark Web. |
User ignored detected high-risk record password | The user has clicked "Ignore" on a detected breached password. |
User resolved detected high-risk record password | The user has successfully changed a password that was previously flagged by BreachWatch as a breached password. |
Depending how many Keeper Administrators you have in the organization, you may want to be alerted every time an Admin Console login occurs.
Event | Threat/Description |
Console Login | Ensure that the user should be granted Administrative rights. |
Note that new Keeper events are added on a monthly basis as the functionality and features of the platform are enhanced. Therefore, we recommend reviewing the latest event types on a regular basis to ensure that you are informed of the latest capabilities.
