# ARAM Events

### Description

The ARAM Events endpoint provides programmatic access to enterprise audit logs and security events captured by Keeper's [Advanced Reporting and Alerts Module (ARAM)](/enterprise-guide/event-reporting.md). This endpoint enables administrators and security teams to retrieve, filter, and export audit event data for compliance monitoring, security analysis, and SIEM integration.

ARAM captures over 200 distinct event types across the Keeper platform, including authentication events, administrative actions, record operations, sharing activities, and KeeperPAM privileged access events. The Audit Events endpoint exposes this data through a RESTful interface, allowing integration with custom applications, automation workflows, and third-party security tools.

### Overview

The Admin REST API Audit Events endpoint delivers real-time and historical audit event data from your Keeper Enterprise environment. This capability supports several critical security and compliance use cases:

**Security Monitoring**\
Retrieve event data for security incident investigation, anomaly detection, and threat hunting. Events include contextual information such as IP addresses, geolocation, client versions, and timestamps.

**SIEM Integration**\
Feed audit events into Security Information and Event Management platforms for centralized visibility. The endpoint returns data in JSON format compatible with Splunk, Microsoft Sentinel, Elastic, and other SIEM solutions.

**Compliance Auditing**\
Generate audit reports for SOX, ISO 27001, SOC 2, and other regulatory frameworks requiring detailed access logs and administrative action tracking.

#### Prerequisites

* Active Keeper Enterprise subscription
* [Advanced Reporting and Alerts Module (ARAM)](/enterprise-guide/event-reporting.md) add-on enabled
* Administrative privileges with reporting permissions
* Valid API authentication credentials

#### Event Categories

The endpoint returns events across the following categories:

| Category               | Description                                                                        |
| ---------------------- | ---------------------------------------------------------------------------------- |
| Security Events        | Login attempts, 2FA changes, master password modifications, failed authentications |
| Administrative Actions | User provisioning, role assignments, policy changes, node management               |
| Record Operations      | Record creation, updates, deletions, and access events                             |
| Sharing Activities     | Record sharing, shared folder operations, team membership changes                  |
| KeeperPAM Events       | Privileged session recordings, connection events, secret access                    |
| Secrets Manager Events | KSM application access, secret retrieval, rotation events                          |
| BreachWatch Events     | High-risk password detection, resolution tracking                                  |

### Configuration

## Get Audit Events

> Retrieves a paginated list of audit events for a specific enterprise between two dates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel) and is compatible with other log aggregation tools.
>
> Results are returned in pages. Use the `continuation_token` from the response to retrieve the next page. When there are no more results, `continuation_token` will be `null` and `has_more` will be `false`.
>
> Example:
>
> ```bash
> curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' \
>   --header 'x-api-token: Bearer YOUR_API_TOKEN'
> ```

```json
{"openapi":"3.0.3","info":{"title":"Keeper Integration API","version":"1.0.0"},"servers":[{"url":"https://keepersecurity.com/api/rest","description":"Production environment"}],"security":[{"ApiTokenAuth":[]}],"components":{"securitySchemes":{"ApiTokenAuth":{"type":"apiKey","in":"header","name":"x-api-token"}}},"paths":{"/public/events":{"get":{"summary":"Get Audit Events","description":"Retrieves a paginated list of audit events for a specific enterprise between two\ndates. This endpoint is primarily used for SIEM integrations (e.g., Azure Sentinel)\nand is compatible with other log aggregation tools.\n\nResults are returned in pages. Use the `continuation_token` from the response\nto retrieve the next page. When there are no more results, `continuation_token`\nwill be `null` and `has_more` will be `false`.\n\nExample:\n\ncurl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2025-11-24T00%3A00%3A00Z&limit=20&end_date=2025-11-26T23%3A59%3A59Z' \\\n--header 'x-api-token: Bearer YOUR_API_TOKEN'\n","tags":["Audit Events"],"parameters":[{"name":"start_date","in":"query","required":true,"schema":{"type":"string","format":"date-time"}},{"name":"end_date","in":"query","required":true,"schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","minimum":1,"maximum":1000,"default":100}},{"name":"continuation_token","in":"query","required":false,"schema":{"type":"string"}}],"responses":{"200":{"description":"A paginated list of audit events","content":{"application/json":{"schema":{"type":"object","properties":{"continuation_token":{"type":"string","nullable":true},"has_more":{"type":"boolean"},"events":{"type":"array","items":{"type":"object","properties":{"audit_event":{"type":"string"},"remote_address":{"type":"string"},"category":{"type":"string"},"client_version":{"type":"string"},"enterprise_id":{"type":"integer"},"username":{"type":"string"},"timestamp":{"type":"integer"}}}}}}}}},"400":{"description":"Bad request"},"401":{"description":"Unauthorized"},"500":{"description":"Server error"}}}}}}
```

**Endpoint**

```
GET /api/rest/public/events
```

**Purpose**\
Retrieve audit events within a specified date range for your enterprise.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Query parameters

<table><thead><tr><th width="198.1015625">Name</th><th width="106.35546875">Type</th><th width="171.8125">Required</th><th>Description</th></tr></thead><tbody><tr><td><code>start_date</code></td><td>ISO 8601</td><td>Yes</td><td>Start of the date range (e.g., <code>2024-07-09T00:00:00Z</code>).</td></tr><tr><td><code>end_date</code></td><td>ISO 8601</td><td>Yes</td><td>End of the date range (e.g., <code>2025-07-10T19:45:00Z</code>).</td></tr><tr><td><code>continuation_token</code></td><td>String</td><td>Only for pagination</td><td>Use the token returned by the API to fetch the <strong>next</strong> page of events.</td></tr></tbody></table>

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td><code>x-api-token</code></td><td><code>Bearer &#x3C;API_TOKEN></code></td></tr></tbody></table>

#### Example requests

**Without pagination**

```bash
curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z' \
  --header 'x-api-token: Bearer <API_TOKEN>'
```

**With pagination**

```bash
curl --location 'https://keepersecurity.com/api/rest/public/events?start_date=2024-07-09T00%3A00%3A00Z&end_date=2025-07-10T19%3A45%3A00Z&continuation_token=<CONT_TOKEN>' \
  --header 'x-api-token: Bearer <API_TOKEN>'
```

#### Example success response (200)

```json
{
  "has_more": true,
  "events": [
    {
      "audit_event": "login_failure",
      "remote_address": "10.15.12.197",
      "category": "ADMIN",
      "client_version": "Commander 17.1.0",
      "enterprise_id": 8560,
      "username": "admin@example.com",
      "timestamp": 1751910807587
    }
  ],
  "continuation_token": "vWiXa0eu2edoe_fonw5IJHwEbLmxXOACIvuoQRh7j4XiKuu1"
}
```
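
The pagination contract above, as an added example (not Keeper's own code): it follows `continuation_token` until `has_more` is false, refuses to loop on a repeated token, and tallies `login_failure` events per user and source address. `http_fetch` is the live call; `sample_fetch`, the sample pages, the `other_event` name and the `192.0.2.10` address are constructed so the block runs offline, and `limit=1000` is the maximum given in the OpenAPI description on this page.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

BASE_URL = "https://keepersecurity.com/api/rest/public/events"  # from this page

def http_fetch(params, token):
    """One live GET; the token travels in the x-api-token header."""
    url = BASE_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"x-api-token": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_events(start_date, end_date, fetch, limit=1000, max_pages=10000):
    """Yield every event in the range by following continuation_token."""
    params = {"start_date": start_date, "end_date": end_date, "limit": limit}
    seen = set()
    for _ in range(max_pages):
        page = fetch(params)
        yield from page.get("events", [])
        token = page.get("continuation_token")
        if not page.get("has_more") or token is None:
            return  # last page: has_more is false or the token is null
        if token in seen:  # guard against looping on a repeated token
            raise RuntimeError("continuation_token repeated")
        seen.add(token)
        params = {**params, "continuation_token": token}
    raise RuntimeError("max_pages exceeded")

def failed_logins_by_source(events):
    """Count login_failure events per (username, remote_address)."""
    return Counter((e["username"], e["remote_address"]) for e in events
                   if e.get("audit_event") == "login_failure")

def _ev(kind, user, addr):  # builds one constructed sample event
    return {"audit_event": kind, "username": user, "remote_address": addr}

# Constructed pages standing in for two API responses, keyed by request token.
SAMPLE_PAGES = {
    None: {"has_more": True, "continuation_token": "tok-1", "events": [
        _ev("login_failure", "admin@example.com", "10.15.12.197"),
        _ev("other_event", "user@example.com", "192.0.2.10")]},
    "tok-1": {"has_more": False, "continuation_token": None, "events": [
        _ev("login_failure", "admin@example.com", "10.15.12.197"),
        _ev("login_failure", "user@example.com", "192.0.2.10")]},
}

def sample_fetch(params):  # offline stand-in for http_fetch
    return SAMPLE_PAGES[params.get("continuation_token")]
```

For live use, pass `fetch=lambda p: http_fetch(p, token)` with the token read from a secret store rather than hard-coded.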

#### Error codes

| Code | Message               | Cause                                   |
| ---- | --------------------- | --------------------------------------- |
| 400  | Missing start date    | `start_date` query parameter is missing |
| 400  | Missing end date      | `end_date` query parameter is missing   |
| 401  | Unauthorized          | Invalid or missing API token            |
| 500  | Internal Server Error | Unexpected server error                 |

### Security Notes

* Treat API tokens like passwords; rotate them on a schedule.
* Restrict permissions to the minimum required roles and actions.
* Prefer short expirations; use `never` only for special automation cases.
* Store tokens in a secure location (e.g., Keeper Vault).

### Appendix: Quick Reference (Commander)

```bash
# List
public-api-key list [--format table|json|csv] [--output <file>]

# Generate
public-api-key generate \
  --name "<name>" \
  --roles "SIEM:1" \
  --expires 24h|7d|30d|1y|never \
  [--format json|csv] [--output <file>]

# Revoke
public-api-key revoke <token_value> [--force]
```


