# Audit Alert Commands
#### Usage
```bash
audit-alert command [--options]
```
#### Commands
| Command | Description | Alias |
| ------------------------------------------- | ------------------------ | ----- |
| [`list`](#audit-alert-list) | Display alert list | `l` |
| [`view`](#audit-alert-view) | View alert configuration | `v` |
| [`history`](#audit-alert-history) | View alert history | `h` |
| [`delete`](#audit-alert-delete) | Delete audit alert | `d` |
| [`add`](#audit-alert-add) | Add audit alert | `a` |
| [`edit`](#audit-alert-edit) | Edit audit alert | `e` |
| [`reset-counts`](#audit-alert-reset-counts) | Reset alert counts | |
| [`recipient`](#audit-alert-recipient) | Modify alert recipients | `r` |
### Audit Alert list Command
Display alert list.
DotNet CLI
**Command:** `audit-report list`
**Example:**
```bash
My Vault> audit-report list
# Created Username Event Message
---- --------------------- ---------------------------------- ------------------------- ----------------------------------------------------------------------------------------------------
1 13/11/2025 9:22:22 AM user@email.com login User logged in to vault (PASS)
2 13/11/2025 9:22:22 AM Keeper audit_alert_sent Audit alert "ServiceNow Alerts" was sent to ,https://cert860.servi...
```
DotNet SDK
**Functions:** `GetAvailableEvents`
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action list`
**Alias:** `audit-alert`
**Parameters**
* `-Reload` - Reload alert information
* `-Format` - Output format: `json`, `table`, `csv`
* `-Output` - path to resulting output file (ignored for "table" format)
**Example**:
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action list
Id Name Events Frequency Occurrences AlertsSent LastSent Active
-- ---- ------ --------- ----------- ---------- -------- ------
1 SalesForce Dev change_master_password Every Occurrence 4069 3536 13-04-2026 15:18 True
open_record
chat_message_sent
chat_message_received
+281 more
2 ConnectHub change_master_password Every Occurrence 2890 2589 10-04-2026 10:21 False
open_record
chat_message_sent
chat_message_received
```
{% endcode %}
Python CLI
**Command:** `audit-alert list`
**Options**
* `-h, --help` show this help message and exit
* `--reload` - Reload alert information
* `--format` - Output format: `json`, `table`, `csv`
* `--output` - path to resulting output file (ignored for "table" format)
**Example:**
```
My Vault> audit-alert list --fromat json
```
Python SDK
**Function**: Coming Soon
### Audit Alert view Command
View alert configuration.
DotNet CLI
**Command:** `audit-report --event-type="some event type"`
**Example:**
```
My Vault> audit-report --event-type="login" --limit=2
# Created Username Event Message
--- --------------------- ------------------------------- ----- --------------------------------------------------------------
1 13/11/2025 9:31:33 AM user1 login User logged in to vault (PASS)
2 13/11/2025 9:26:56 AM user2 login User logged in to vault (PASS)
```
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action View`
**Alias:** `audit-alert`
**Parameters**
* `-Reload` - Reload alert information
* `-Target` - (numeric ID or exact name).
* `-All` - use `-All` for all alerts
* `-Format` - Output format: `json`, `table`, `csv`
* `-Output` - path to resulting output file (ignored for "table" format)
**Example:**
PS > Get-KeeperAuditAlert -Action View -Target 13
Name Value
---- -----
Alert ID 13
Alert name Renamed Alert
Status Disabled
Frequency Every Occurrence
Occurrences
Sent Counter
Last Sent
Event Types login
Send To Originator (*) True
Python CLI
**Command:** `audit-alert view`
**Parameter**:
`ALERT` - Alert ID or Name (required)
**Options**
* `-h, --help` show this help message and exit
**Example:**
```
My Vault> audit-alert view
```
Python SDK
**Function**: Coming Soon
### Audit-Alert history Command
View alert history.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action history`
**Alias:** `audit-alert`
**Parameters**
* `-Target` - (numeric ID or exact name).
* `-Format` - Output format: `json`, `table`, `csv`
* `-Output` - path to resulting output file (ignored for "table" format)
**Example:**
{% code expandable="true" %}
```ps
PS > Get-KeeperAuditAlert -Action history -Target "1"
AlertSentAt Occurrences
----------- -----------
13-04-2026 15:43 2
13-04-2026 15:31 2
13-04-2026 15:18 1
13-04-2026 15:18 1
13-04-2026 14:47 1
```
{% endcode %}
Python CLI
**Command:** `audit-alert history`
**Parameter**:
`ALERT` - Alert ID or Name (required)
**Options**
* `-h, --help` show this help message and exit
* `--format` - Output format: `json`, `table`, `csv`
* `--output` - Output filename
**Example:**
```
My Vault> audit-alert history
```
Python SDK
**Function**: Coming Soon
### Audit-Alert delete Command
Delete audit alert.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action delete`
**Alias:** `audit-alert`
**Parameters**
| Flag | Description |
| --------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-Action` | Must be `delete`. |
| `-Target` | Single alert: numeric ID or exact name (case-insensitive). Use this or `-All` or `-From`/`-To`—not all three patterns at once in a conflicting way. |
| `-All` | Delete all alerts in the enterprise. |
| `-From` | Start of ID range (positive integer). Must be used with `-To`; both are required for range delete. |
| `-To` | End of ID range (positive integer, must be greater than `-From`). Inclusive. |
| `-Force` | Do not prompt; delete immediately. |
| `-Format` | Not used for the delete logic itself; after a successful delete the cmdlet may refresh the list (table output). |
| `-Output` | Stores output in a file |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action delete -Target "12"
The following 1 alert(s) will be deleted:
------------------------------------------------------------
ID: 12 | Name: PC Test Alert
------------------------------------------------------------
Are you sure you want to delete 1 alert(s)? (y/n): y
```
{% endcode %}
Python CLI
**Command:** `audit-alert delete`
**Parameter**:
`ALERT` - Alert ID or Name (required)
**Options**
* `-h, --help` show this help message and exit
**Example:**
```
My Vault> audit-alert delete
```
Python SDK
**Function**: Coming Soon
### Audit-Alert add Command
Add audit alert.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action add`
**Alias:** `audit-alert`
**Parameters**
| Flag | Description |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-Action` | Must be `add`. |
| `-Name` | Required. Display name of the alert; must be unique among alerts. |
| `-Frequency` | How often notifications are evaluated: e.g. `event` (each qualifying event), or `N:day` / `N:hour` / `N:minute` style throttling. |
| `-AuditEvent` | One or more audit event type names (e.g. `login`). Comma-separated in one string and/or pass `-AuditEvent` multiple times. Names must exist on the server. |
| `-User` | Limit to events for specific enterprise users, by email. Comma-separated or repeated. |
| `-RecordUid` | Limit to events involving specific record UIDs. Comma-separated or repeated. |
| `-SharedFolderUid` | Limit to events involving specific shared folder UIDs. Comma-separated or repeated. |
| `-Active` | `on` or `off`: whether the alert starts enabled (`on`) or created in a disabled state (`off`). |
| `-Format` | Output when showing the new alert after create: `table`, `csv`, or `json`. |
| `-Output` | File path when `-Format` is `csv` or `json`. |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action add -Name 'PC Test Alert' -AuditEvent login -Frequency event
Name Value
---- -----
Alert ID 12
Alert name PC Test Alert
Status Enabled
Frequency Every Occurrence
Occurrences
Sent Counter
Last Sent
Event Types login
Send To Originator (*) False
```
{% endcode %}
Python CLI
**Command:** `audit-alert add`
**Options**
* `-h, --help` show this help message and exit
* `--name` - Alert Name (required)
* `--frequency` - Alert Frequency. Format: `[N:]event|minute|hour|day`
* `--audit-event` - Audit Event.
* `--user` - Username. Can be repeated.
* `--record-uid` - Record UID. Can be repeated.
* `--shared-folder-uid` - Shared Folder UID. Can be repeated.
* `--active` - Enable or disable alert: `on` or `off`
**Example:**
```
My Vault> audit-alert add --name --frequency --audit-event --record-uid --user --active on/off
```
Python SDK
**Function**: Coming Soon
### Audit-Alert edit Command
Edit audit alert.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action edit`
**Alias:** `audit-alert`
**Parameters**
| Flag | Description |
| ------------------ | ----------------------------------------------------------------------- |
| `-Action` | Must be `edit`. |
| `-Target` | Required. Alert to change: numeric ID or exact name. |
| `-Name` | New name for the alert (optional). |
| `-Frequency` | New frequency string (same rules as `add`). |
| `-AuditEvent` | Replace/apply audit event filters (same as `add`). |
| `-User` | User filter by email (same as `add`). |
| `-RecordUid` | Record UID filter (same as `add`). |
| `-SharedFolderUid` | Shared folder UID filter (same as `add`). |
| `-Active` | `on` or `off`: turn the alert enabled or disabled at the context level. |
| `-Format` | Output format for the follow-up view of the alert. |
| `-Output` | File path for csv/json output of that view. |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action edit -Target 13 -Name 'Renamed Alert'
Name Value
---- -----
Alert ID 13
Alert name Renamed Alert
Status Enabled
Frequency Every Occurrence
Occurrences
Sent Counter
Last Sent
Event Types login
Send To Originator (*) False
```
{% endcode %}
Python CLI
**Command:** `audit-alert edit`
**Parameter:**
`ALERT` - Alert ID or Name (required)
**Options**
* `-h, --help` show this help message and exit
* `--name` - Alert Name
* `--frequency` - Alert Frequency. Format: `[N:]event|minute|hour|day`
* `--audit-event` - Audit Event. Can be repeated.
* `--user` - Username. Can be repeated.
* `--record-uid` - Record UID. Can be repeated.
* `--shared-folder-uid` - Shared Folder UID. Can be repeated.
* `--active` - Enable or disable alert: `on` or `off`
**Example:**
```
My Vault> audit-alert edit --name --user --active on/off
```
Python SDK
**Function**: Coming Soon
### Audit-Alert reset-counts Command
Reset alert counts.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action reset-counts`
**Alias:** `audit-alert`
**Parameters**
| Flag | Description |
| --------- | ---------------------------- |
| `-Action` | Must be `ResetCounts`. |
| `-Target` | Required. Alert: ID or name. |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action reset-counts -Target 12
Alert counts reset to zero.
```
{% endcode %}
Python CLI
**Command:** `audit-alert reset-count`
**Parameter**:
`ALERT` - Alert ID or Name (required)
**Option**:
`-h, --help` show this help message and exit
**Example:**
```
My Vault> audit-alert reset-count
Alert counts reset to zero
```
Python SDK
**Function**: Coming Soon
### Audit-Alert recipient Command
Modify alert recipients.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action recipient`
**Alias:** `audit-alert`
**Parameters**
| Flag | Description |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-Action` | Must be `recipient`. |
| `-Target` | Required. Which alert to change: ID or name. |
| `-RecipientAction` | Required. `add` (new recipient row), `edit`, `delete`, `enable`, or `disable` for a recipient. |
| `-Recipient` | For `enable`, `disable`, `delete`, `edit`: recipient name, numeric id, or `*` for “user who generated event” on enable/disable. For `add`, optional until you set channels; other flags build the new row. |
| `-RecipientName` | Display name for the recipient. |
| `-Email` | Email notification address. |
| `-Phone` | SMS number; may use `+country` prefix for country code parsing. |
| `-Webhook` | Webhook URL; empty string can clear webhook on edit. |
| `-HttpBody` | Webhook body template; may be `@path` to read from a file. |
| `-CertErrors` | `ignore` or `enforce` for TLS verification to the webhook host. |
| `-GenerateToken` | Regenerate webhook access token (switch). |
| `-Format` | Format for the view shown after the change. |
| `-Output` | File path for csv/json of that view. |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action recipient -Target 13 -RecipientAction enable -Recipient '*'
Name Value
---- -----
Alert ID 13
Alert name Renamed Alert
Status Enabled
Frequency Every Occurrence
Occurrences
Sent Counter
Last Sent
Event Types login
Send To Originator (*) True
```
{% endcode %}
Python CLI
**Command:** `audit-alert recipient `
**Parameter**:\
`ALERT` Alert ID or Name.
**Options**:\
`-h, --help` show this help message and exit
**Recipient actions:**
* `enable` - Enables recipient
* `RECIPIENT` - Recipient ID or Name. Use "\*" for "User who generated event"
* `disable` - Disables recipient
* `RECIPIENT` - Recipient ID or Name. Use "\*" for "User who generated event"
* `delete` - Deletes recipient
* `RECIPIENT` - Recipient ID or Name
* `add` - Adds recipient
* `--name` - Recipient name
* `--email` - Email address
* `--phone` - Phone number. Format: +1 (555) 555-1234
* `--webhook` - Webhook URL. See [https://docs.keeper.io/enterprise-guide/webhooks](/enterprise-guide/webhooks.md)
* `--http-body` - Webhook HTTP Body
* `--cert-errors` - Webhook SSL Certificate errors: `ignore` or `enforce`
* `--generate-token` - Generate new access token
* `edit` - Edit recipient
* `RECIPIENT` - Recipient ID or Name (required)
* `--name` - Recipient name
* `--email` - Email address
* `--phone` - Phone number. Format: +1 (555) 555-1234
* `--webhook` - Webhook URL
* `--http-body` - Webhook HTTP Body
* `--cert-errors` - Webhook SSL Certificate errors: `ignore` or `enforce`
* `--generate-token` - Generate new access token
**Example:**
```
My Vault> audit-alert recipient 1
Alert ID 1
Alert name eMail - changed or alternative created - LAF Consulting
Status Enabled
Recipients:
Send To Originator (*) False
Recipient ID 1
Name user
Status Enabled
Email To user@company.com
Recipient ID 2
Name user2
Status Enabled
Email To user2@company.com
```
Python SDK
**Function**: Coming Soon
### Audit-Alert enable and disable Command
Turns the whole alert on / off.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function**: Coming Soon
PowerCommander
**Command:** `Get-KeeperAuditAlert -Action enable`
**Alias:** `audit-alert`
**Parameter:**
| Flag | Description |
| --------- | ----------------------------------------------- |
| `-Action` | Must be `disable/enable`. |
| `-Target` | One alert: ID or name. Do not use with `-All`. |
| `-All` | Disable every alert. Do not use with `-Target`. |
**Example:**
{% code expandable="true" %}
```ps1
PS > Get-KeeperAuditAlert -Action disable -Target 13
Alert "Renamed Alert" has been disabled.
Name Value
---- -----
Alert ID 13
Alert name Renamed Alert
Status Disabled
Frequency Every Occurrence
Occurrences
Sent Counter
Last Sent
Event Types login
Send To Originator (*) True
```
{% endcode %}
Python CLI
**Command:** Coming Soon
Python SDK
**Function**: Coming Soon
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.keeper.io/keeperpam/commander-sdk/keeper-commander-sdks/sdk-command-reference/enterprise-management-commands/audit-alert-commands.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.