# Risk Management

### Description

The Risk Management endpoint provides programmatic access to security posture metrics, compliance benchmarks, and organizational KPIs captured by the Keeper [Risk Management Dashboard](/enterprise-guide/risk-management-dashboard.md).

The Risk Management Dashboard tracks key utilization metrics across your Keeper Enterprise environment, including user onboarding status, vault activity, two-factor authentication adoption, and adherence to Keeper Security Benchmarks. The Risk Management endpoint exposes this data through a RESTful interface, enabling CSPM (Cloud Security Posture Management) integration and programmatic security posture assessment.

### Overview

The Admin REST API Risk Management endpoint delivers comprehensive security posture data from your Keeper Enterprise environment. This capability supports critical security, compliance, and operational use cases:

**Security Posture Monitoring**\
Retrieve real-time metrics on user deployment, vault utilization, and 2FA adoption. Track organizational security health across all users and identify gaps in credential protection coverage.

**Compliance Automation**\
Programmatically assess adherence to Keeper Security Benchmarks. Integrate benchmark compliance status into GRC (Governance, Risk, and Compliance) platforms for automated compliance reporting against SOX, ISO 27001, HIPAA, PCI-DSS, and internal security policies.

**Executive Dashboards**\
Feed security posture analytics and KPIs into business intelligence platforms for executive visibility. Track deployment progress, user adoption trends, and security benchmark remediation over time.

**CSPM Integration**\
Incorporate Keeper security posture data into your Cloud Security Posture Management stack. Automate detection of misconfigurations and track remediation progress across your credential management environment.

{% hint style="info" %}
**Native connectors for Security Posture Management tools like Wiz, Tenable, and Saviynt are coming soon. For now, administrators can use middleware, such as AWS CloudTrail and CloudWatch, to broker data from Keeper to Wiz. See** [**AWS Docs**](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html)**.**
{% endhint %}

#### Prerequisites

* Active Keeper Enterprise subscription
* [Advanced Reporting and Alerts Module (ARAM)](/enterprise-guide/event-reporting.md) add-on enabled
* Administrative privileges with reporting permissions
* Valid API authentication credentials

#### Key Metrics Available

The endpoint provides access to the following security posture data:

| Metric Category     | Description                                                           |
| ------------------- | --------------------------------------------------------------------- |
| User Deployment     | Total users, active users, invited users, invitation acceptance rates |
| Vault Utilization   | Users who have created records, record creation activity              |
| Login Activity      | Users logged in within 30 days, last login timestamps                 |
| 2FA Adoption        | Users with 2FA-protected vaults (non-SSO environments)                |
| License Utilization | Active licenses, available licenses, utilization percentage           |
| Security Benchmarks | Critical items to resolve, completed benchmarks, ignored benchmarks   |
| Security Alerts     | High-priority alert counts, occurrence trends, 30-day comparisons     |

### Configuration

### Enterprise Stat

**Endpoint**

```
GET /api/rest/rmd/get_enterprise_stat
```

**Purpose**\
Retrieve the Risk Management enterprise-level counts: users who logged in recently and users who have records in their vault.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td><code>x-api-token</code></td><td><code>Bearer &#x3C;API_TOKEN></code></td></tr></tbody></table>

#### Query parameters

**Request**

<pre class="language-bash"><code class="lang-bash"><strong>curl 'https://keepersecurity.com/api/rest/rmd/get_enterprise_stat' \
</strong>  --header 'x-api-token: Bearer &#x3C;API_TOKEN>'
</code></pre>

#### Example success response (200)

```json
{
  "users_has_records": 0,
  "users_logged_recent": 1
}
```

#### Error codes

| Code | Message               | Cause                        |
| ---- | --------------------- | ---------------------------- |
| 401  | Unauthorized          | Invalid or missing API token |
| 500  | Internal Server Error | Unexpected server error      |

#### Security Notes

* Treat API tokens like passwords; rotate them on a schedule.
* Restrict permissions to the minimum required roles and actions.
* Prefer short expirations; use `never` only for special automation cases.
* Store tokens in a secure location (e.g., Keeper Vault).
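
A minimal client for these endpoints, added here as an example rather than code from Keeper's own documentation: it builds the request with the `x-api-token` header shown above, reads the token from an environment variable (the variable name `KEEPER_API_TOKEN` is an assumption), and maps the 400/401/500 statuses documented on this page to exceptions.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Base URL and header format as shown in the curl examples on this page.
RMD_BASE = "https://keepersecurity.com/api/rest/rmd"

# Error statuses documented in the error-code tables of this page.
ERROR_CAUSES = {
    400: "required query parameter missing or not recognised",
    401: "invalid or missing API token",
    500: "unexpected server error",
}

class RmdError(Exception):
    """Raised when an endpoint answers with a documented error status."""

def load_token(env_var="KEEPER_API_TOKEN"):
    # Keep the token out of source and shell history; the variable name is an assumption.
    token = os.environ.get(env_var)
    if not token:
        raise RmdError(f"no API token in environment variable {env_var}")
    return token

def rmd_request(endpoint, token, params=None):
    # Build GET <RMD_BASE>/<endpoint>[?query] carrying the x-api-token header.
    url = f"{RMD_BASE}/{endpoint}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method="GET")
    req.add_header("x-api-token", f"Bearer {token}")
    return req

def parse_rmd_response(status, body):
    # 200 carries JSON; any status in ERROR_CAUSES becomes an exception naming the cause.
    if status == 200:
        return json.loads(body)
    raise RmdError(f"HTTP {status}: {ERROR_CAUSES.get(status, 'undocumented status')}")

def fetch_rmd(endpoint, token, params=None, opener=urllib.request.urlopen):
    # `opener` is injectable so the call can be exercised without network access.
    req = rmd_request(endpoint, token, params)
    try:
        with opener(req) as resp:
            return parse_rmd_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_rmd_response(err.code, err.read())
```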

### Enterprise Stat Details

**Endpoint**

```
GET /api/rest/rmd/get_enterprise_stat_details
```

**Purpose**\
Retrieve the recent login count (users who logged in within the last 30 days) and the number of users who have at least one record in their Vault.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td><code>x-api-token</code></td><td><code>Bearer &#x3C;API_TOKEN></code></td></tr></tbody></table>

#### Query parameters

**Request**

<pre class="language-bash"><code class="lang-bash"><strong>curl 'https://keepersecurity.com/api/rest/rmd/get_enterprise_stat_details' \
</strong>  --header 'x-api-token: Bearer &#x3C;API_TOKEN>'
</code></pre>

#### Example success response (200)

```json
{
  "enterprise_stat_details": [
    {
      "last_logged_in": "2025-11-21 22:11:15",
      "has_records": false,
      "enterprise_user_id": "user@company.com"
    }
  ]
}
```
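
Added example (not part of Keeper's documentation) showing how the per-user rows above can be turned into the two counters returned by `get_enterprise_stat` plus the follow-up lists an administrator needs; it assumes timestamps are UTC and that a user with no timestamp has never logged in, and it runs on constructed sample data.

```python
from datetime import datetime, timedelta

# Timestamp format as shown in the example response above.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# The page defines "recent" as a login within the last 30 days.
RECENT_DAYS = 30

# Constructed sample in the shape of get_enterprise_stat_details (not real data).
SAMPLE_DETAILS = {
    "enterprise_stat_details": [
        {"last_logged_in": "2025-11-21 22:11:15", "has_records": False,
         "enterprise_user_id": "alice@example.com"},
        {"last_logged_in": "2025-09-02 08:00:00", "has_records": True,
         "enterprise_user_id": "bob@example.com"},
        {"last_logged_in": "2025-11-30 12:30:00", "has_records": True,
         "enterprise_user_id": "carol@example.com"},
        # Assumption: a user who never logged in carries no timestamp at all.
        {"last_logged_in": None, "has_records": False,
         "enterprise_user_id": "dave@example.com"},
    ]
}

def parse_details(resp):
    # Return (user_id, last_login or None, has_records); timestamps assumed UTC.
    rows = []
    for entry in resp.get("enterprise_stat_details", []):
        raw = entry.get("last_logged_in")
        ts = datetime.strptime(raw, TS_FORMAT) if raw else None
        rows.append((entry["enterprise_user_id"], ts, bool(entry.get("has_records"))))
    return rows

def posture_report(resp, now):
    # Rebuild the two get_enterprise_stat counters from the per-user rows and
    # list the users an admin needs to follow up with. `now` may be a datetime
    # or a string in TS_FORMAT.
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FORMAT)
    cutoff = now - timedelta(days=RECENT_DAYS)
    rows = parse_details(resp)
    stale = sorted(uid for uid, ts, _ in rows if ts is None or ts < cutoff)
    empty = sorted(uid for uid, _, has in rows if not has)
    return {
        "users_logged_recent": len(rows) - len(stale),
        "users_has_records": len(rows) - len(empty),
        "stale_users": stale,
        "users_without_records": empty,
    }

if __name__ == "__main__":
    print(posture_report(SAMPLE_DETAILS, "2025-12-01 00:00:00"))
```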

#### Error codes

| Code | Message               | Cause                        |
| ---- | --------------------- | ---------------------------- |
| 401  | Unauthorized          | Invalid or missing API token |
| 500  | Internal Server Error | Unexpected server error      |

### Security Alerts Summary

**Endpoint**

```
GET /api/rest/rmd/get_security_alerts_summary
```

**Purpose**\
Retrieve a summary of security alert events that occurred in the last 30 days.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td><code>x-api-token</code></td><td><code>Bearer &#x3C;API_TOKEN></code></td></tr></tbody></table>

#### Query parameters

**Request**

<pre class="language-bash"><code class="lang-bash"><strong>curl 'https://keepersecurity.com/api/rest/rmd/get_security_alerts_summary' \
</strong>  --header 'x-api-token: Bearer &#x3C;API_TOKEN>'
</code></pre>

#### Example success response (200)

```json
{
  "security_alerts_summary": [
    {
      "event_occurrences": 1,
      "unique_users": 1,
      "last_users": 0,
      "event": "account_recovery_decline",
      "last_events": 0
    }
  ]
}
```

#### Error codes

| Code | Message               | Cause                        |
| ---- | --------------------- | ---------------------------- |
| 401  | Unauthorized          | Invalid or missing API token |
| 500  | Internal Server Error | Unexpected server error      |

### Security Alerts Detail

**Endpoint**

```
GET /api/rest/rmd/get_security_alerts_detail
```

**Purpose**\
Retrieve details of events that occurred in the last 30 days, with a comparison to the previous 30 days.\
**aet** (the `audit_event_type` query parameter) is the audit event type id.\
Example: **account\_recovery\_decline**

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Query parameters

<table><thead><tr><th width="198.1015625">Name</th><th width="106.35546875">Type</th><th width="171.8125">Required</th><th>Description</th></tr></thead><tbody><tr><td>audit_event_type</td><td>string</td><td>Yes</td><td>Audit event type id from the stats (for example <code>account_recovery_decline</code>)</td></tr></tbody></table>

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td>x-api-token</td><td>Bearer &#x3C;API_TOKEN></td></tr></tbody></table>

**Request**

<pre class="language-bash"><code class="lang-bash"><strong>curl 'https://keepersecurity.com/api/rest/rmd/get_security_alerts_detail?audit_event_type=account_recovery_decline' \
</strong>  --header 'x-api-token: Bearer &#x3C;API_TOKEN>'
</code></pre>

#### Example success response (200)

```json
{
  "security_alerts_summary": [
    {
      "event_occurrences": 1,
      "unique_users": 1,
      "last_users": 0,
      "event": "account_recovery_decline",
      "last_events": 0
    }
  ]
}
```

#### Error codes

| Code | Message                                                   | Cause                                                         |
| ---- | --------------------------------------------------------- | ------------------------------------------------------------- |
| 400  | Can't find required query param: audit\_event\_type value | audit\_event\_type is missing or does not match the internal mapping |
| 401  | Unauthorized                                              | Invalid or missing API token                                  |
| 500  | Internal Server Error                                     | Unexpected server error                                       |
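
Added example, not from the original page, that works over the response shape shared by `get_security_alerts_summary` and `get_security_alerts_detail` above; it assumes `event_occurrences`/`unique_users` describe the current 30-day window and `last_events`/`last_users` the previous one, and runs on constructed sample data.

```python
# Constructed sample in the shape of the security_alerts_summary / detail responses
# on this page (event names other than the documented one are placeholders).
SAMPLE_ALERTS = {
    "security_alerts_summary": [
        {"event": "account_recovery_decline", "event_occurrences": 1,
         "unique_users": 1, "last_events": 0, "last_users": 0},
        {"event": "EXAMPLE_EVENT_B", "event_occurrences": 12,
         "unique_users": 3, "last_events": 20, "last_users": 5},
        {"event": "EXAMPLE_EVENT_C", "event_occurrences": 4,
         "unique_users": 4, "last_events": 4, "last_users": 4},
    ]
}

def alert_trends(resp, key="security_alerts_summary"):
    # Assumption: event_occurrences/unique_users cover the current 30 days and
    # last_events/last_users the previous 30 days (the page's "comparison").
    trends = []
    for item in resp.get(key, []):
        cur, prev = item["event_occurrences"], item["last_events"]
        if prev == 0:
            direction = "new" if cur > 0 else "none"
        elif cur > prev:
            direction = "up"
        elif cur < prev:
            direction = "down"
        else:
            direction = "flat"
        trends.append({
            "event": item["event"],
            "direction": direction,
            "delta_events": cur - prev,
            "delta_users": item["unique_users"] - item["last_users"],
        })
    # Newly appearing and rising event types first, biggest growth at the top.
    order = {"new": 0, "up": 1, "flat": 2, "down": 3, "none": 4}
    return sorted(trends, key=lambda t: (order[t["direction"]], -t["delta_events"]))

def needs_attention(trends):
    # Event types worth a ticket: newly appearing or growing versus the prior window.
    return [t["event"] for t in trends if t["direction"] in ("new", "up")]

if __name__ == "__main__":
    for t in alert_trends(SAMPLE_ALERTS):
        print(t)
```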

### Get security benchmarks

**Endpoint**

```
GET /api/rest/rmd/get_security_benchmarks
```

**Purpose**\
Get the list of security benchmarks set for the calling enterprise.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td>x-api-token</td><td>Bearer &#x3C;API_TOKEN></td></tr></tbody></table>

#### Query parameters

**Request**

<pre class="language-bash"><code class="lang-bash"><strong>curl 'https://keepersecurity.com/api/rest/rmd/get_security_benchmarks' \
</strong>  --header 'x-api-token: Bearer &#x3C;API_TOKEN>'
</code></pre>

#### Example success response (200)

```json
{
  "security_benchmarks": [
    {
      "id": "SB_DEPLOY_ACROSS_ENTIRE_ORGANIZATION",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "last_updated": "2025-12-11 23:37:29",
      "id": "SB_PREVENT_INSTALLATION_OF_UNTRUSTED_EXTENSIONS",
      "auto_resolve": false,
      "status": "RESOLVED"
    },
    {
      "id": "SB_ENABLE_ACCOUNT_TRANSFER_POLICY",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_REDUCE_ADMINISTRATOR_PRIVILEGE",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_ENSURE_OUTSIDE_SSO_ADMINISTRATOR_EXISTS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_LOCK_DOWN_SSO_PROVIDER",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_CREATE_AT_LEAST_TWO_KEEPER_ADMINISTRATORS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_ENSURE_TWO_FACTOR_AUTHENTICATION_ADMIN_USERS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_ENFORCE_STRONG_MASTER_PASSWORD",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_ENSURE_TWO_FACTOR_AUTHENTICATION_FOR_END_USERS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_CONFIGURE_IP_ALLOWLISTING",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_CREATE_ALERTS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_DISABLE_BROWSER_PASSWORD_MANAGERS",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_DISABLE_ACCOUNT_RECOVERY",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    },
    {
      "id": "SB_ENFORCE_LEAST_PRIVILEGE_POLICY",
      "auto_resolve": false,
      "status": "UNRESOLVED"
    }
  ]
}
```

#### Error codes

| Code | Message               | Cause                        |
| ---- | --------------------- | ---------------------------- |
| 401  | Unauthorized          | Invalid or missing API token |
| 500  | Internal Server Error | Unexpected server error      |

### Set security benchmarks

**Endpoint**

```
POST /api/rest/rmd/set_security_benchmarks
```

**Purpose**\
Set the status of a list of security benchmarks. Corresponding audit events will be logged.

**Authentication**\
Send your API token in the `x-api-token` header:\
`x-api-token: Bearer <API_TOKEN>`

#### Headers

<table><thead><tr><th width="237.5390625">Header</th><th>Example</th></tr></thead><tbody><tr><td>x-api-token</td><td>Bearer &#x3C;API_TOKEN></td></tr></tbody></table>

#### Query parameters

**Request**

```bash
curl -X POST -H 'x-api-token: Bearer <API_TOKEN>' -H 'Content-Type: application/json' \
 'https://keepersecurity.com/api/rest/rmd/set_security_benchmarks' \
 -d '[{"benchmark": "SB_PREVENT_INSTALLATION_OF_UNTRUSTED_EXTENSIONS", "status": "RESOLVED"}]'
```

#### Example success response (200)

```json
{
  "security_benchmarks": [
    {
      "id": "SB_PREVENT_INSTALLATION_OF_UNTRUSTED_EXTENSIONS",
      "auto_resolve": false,
      "status": "RESOLVED"
    }
  ]
}
```
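
Added example (not Keeper's code) that summarises a `get_security_benchmarks` response, builds the POST body for `set_security_benchmarks` in the format shown above, and checks the echoed response; only the `RESOLVED` and `UNRESOLVED` statuses that appear on this page are accepted, and the sample data is constructed.

```python
import json

# Statuses shown on this page; other values may exist but are not documented here.
KNOWN_STATUSES = {"RESOLVED", "UNRESOLVED"}

# Constructed subset of a get_security_benchmarks response (ids are from the
# example above; the timestamp is made up).
SAMPLE_BENCHMARKS = {
    "security_benchmarks": [
        {"id": "SB_DEPLOY_ACROSS_ENTIRE_ORGANIZATION", "auto_resolve": False,
         "status": "UNRESOLVED"},
        {"id": "SB_PREVENT_INSTALLATION_OF_UNTRUSTED_EXTENSIONS", "auto_resolve": False,
         "status": "RESOLVED", "last_updated": "2025-12-11 23:37:29"},
        {"id": "SB_ENSURE_TWO_FACTOR_AUTHENTICATION_ADMIN_USERS", "auto_resolve": False,
         "status": "UNRESOLVED"},
    ]
}

def benchmark_summary(resp):
    # Count statuses and list what is still open so the gap can be tracked over time.
    items = resp.get("security_benchmarks", [])
    counts = {}
    unresolved, unknown = [], []
    for item in items:
        status = item.get("status")
        counts[status] = counts.get(status, 0) + 1
        if status == "UNRESOLVED":
            unresolved.append(item["id"])
        elif status not in KNOWN_STATUSES:
            unknown.append(item["id"])
    return {"total": len(items), "counts": counts,
            "unresolved": sorted(unresolved), "unknown_status": sorted(unknown)}

def set_benchmarks_body(updates):
    # Build the POST body for set_security_benchmarks from {benchmark_id: status}.
    for bid, status in updates.items():
        if status not in KNOWN_STATUSES:
            raise ValueError(f"{bid}: unsupported status {status!r}")
    return json.dumps([{"benchmark": b, "status": s} for b, s in sorted(updates.items())])

def verify_set_response(resp, updates):
    # The 200 response echoes the benchmarks; confirm each requested status took effect.
    got = {b["id"]: b["status"] for b in resp.get("security_benchmarks", [])}
    return {b: got.get(b) == s for b, s in updates.items()}

if __name__ == "__main__":
    print(benchmark_summary(SAMPLE_BENCHMARKS))
    print(set_benchmarks_body({"SB_CREATE_ALERTS": "RESOLVED"}))
```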

#### Error codes

| Code | Message               | Cause                        |
| ---- | --------------------- | ---------------------------- |
| 401  | Unauthorized          | Invalid or missing API token |
| 500  | Internal Server Error | Unexpected server error      |

