# Event Reporting

Keeper Secrets Manager generates several events in the Advanced Reporting & Alerts Module. These events are available for analysis in several places including:

* Keeper Admin Console ([Learn more](/enterprise-guide/event-reporting.md) about the Event Reporting & Alerts Module)
* SIEM Export to [Splunk](/enterprise-guide/event-reporting/splunk.md) and other common providers
* [Webhooks](/enterprise-guide/webhooks.md) such as Slack and Teams
* Commander [audit-report](/keeperpam/commander-cli/command-reference/reporting-commands.md#audit-report-command) CLI command and [audit-log](/keeperpam/commander-cli/command-reference/reporting-commands.md#audit-log-command) CLI command

## Secrets Manager Events

Below is the list of events generated from Secrets Manager. "Application" refers to the Secrets Manager Application that is associated with a record or folder in the Keeper Vault.

| **Event Name**                | **Description**                                                                                          | **What causes event**                                                            |
| ----------------------------- | -------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| app\_record\_shared           | User ${username} shared record UID ${secret\_uid} with KSM application ${app\_uid}                       | When record owner adds record to the Application                                 |
| app\_folder\_shared           | User ${username} shared folder UID ${secret\_uid} with KSM application ${app\_uid}                       | When the shared folder owner adds shared folder to the Application               |
| app\_record\_removed          | User ${username} removed record UID ${secret\_uid} from KSM application ${app\_uid}                      | When user removes record share from the Application                              |
| app\_folder\_removed          | User ${username} removed folder UID ${secret\_uid} from KSM application ${app\_uid}                      | When user removes folder share from the Application                              |
| app\_record\_share\_changed   | User ${username} changed share permissions for record UID ${secret\_uid} for KSM application ${app\_uid} | When user changes share permissions of record share in the Application           |
| app\_folder\_share\_changed   | User ${username} changed share permissions for folder UID ${secret\_uid} for KSM application ${app\_uid} | When user changes share permissions of folder share in the Application           |
| app\_client\_added            | User ${username} added KSM device ${device\_name} to application ${app\_uid}                             | When a new Client Device was added to the Application                            |
| app\_client\_removed          | User ${username} removed KSM device ${device\_name} from application ${app\_uid}                         | When Client Device was removed from the Application                              |
| app\_client\_connected        | KSM device ${device\_name} performed initial connect to application ${app\_uid}                          | Client Device initially connected with the One Time Access Token                 |
| app\_client\_access           | KSM device ${device\_name} has accessed secrets from application ${app\_uid}                             | Client Device accessed the Application shares                                    |
| app\_client\_record\_update   | KSM device ${device\_name} has updated record UID ${secret\_uid}                                         | Client Device has updated a record                                               |
| Access denied from blocked IP | Access denied to record UID ${secret\_uid} from device with blocked IP address ${device\_ip}             | Device with an IP that is different from the IP lock attempts to access a secret |

For a list of all events, visit:\
[https://docs.keeper.io/enterprise-guide/event-reporting](/enterprise-guide/event-reporting.md)
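
The following is an added example, not Keeper's code: it turns the description templates from the table above into parsers and pulls out the events a reviewer would look at first. It assumes the consumer receives the rendered description text one message per line; the `SEVERITY` policy, function names and sample values are assumptions made for illustration.

```python
import re

# Event name -> description template, copied from the table above (subset).
TEMPLATES = {
    "app_record_share_changed": "User ${username} changed share permissions for record UID ${secret_uid} for KSM application ${app_uid}",
    "app_client_added": "User ${username} added KSM device ${device_name} to application ${app_uid}",
    "app_client_connected": "KSM device ${device_name} performed initial connect to application ${app_uid}",
    "app_client_access": "KSM device ${device_name} has accessed secrets from application ${app_uid}",
    "Access denied from blocked IP": "Access denied to record UID ${secret_uid} from device with blocked IP address ${device_ip}",
}
# Assumed triage policy (not Keeper's): events worth a human look.
SEVERITY = {"Access denied from blocked IP": "alert",
            "app_client_added": "review",
            "app_record_share_changed": "review"}

def compile_template(template):
    """Turn 'User ${username} ...' into a regex with one named group per field."""
    parts = re.split(r"\$\{(\w+)\}", template)
    # With one capture group, even indexes are literal text, odd are field names.
    return re.compile("".join(
        re.escape(p) if i % 2 == 0 else f"(?P<{p}>.+?)"
        for i, p in enumerate(parts)))

MATCHERS = {name: compile_template(t) for name, t in TEMPLATES.items()}

def parse_message(message):
    """Return (event_name, fields) for a rendered message, or None if unknown."""
    for name, rx in MATCHERS.items():
        m = rx.fullmatch(message.strip())
        if m:
            return name, m.groupdict()
    return None

def triage(messages):
    """Return (severity, event_name, fields) for each event the policy flags."""
    findings = []
    for msg in messages:
        parsed = parse_message(msg)
        if parsed and parsed[0] in SEVERITY:
            findings.append((SEVERITY[parsed[0]], parsed[0], parsed[1]))
    return findings

# Constructed sample messages; the UIDs, names and IP address are made up.
SAMPLE = [
    "User alice@example.com added KSM device ci-runner-01 to application AppUid_EXAMPLE1",
    "KSM device ci-runner-01 performed initial connect to application AppUid_EXAMPLE1",
    "KSM device ci-runner-01 has accessed secrets from application AppUid_EXAMPLE1",
    "Access denied to record UID RecUid_EXAMPLE1 from device with blocked IP address 203.0.113.7",
    "unrelated line",
]
```

Device names are chosen by users, so a name that itself contains template wording can make a text parse ambiguous; where an export carries the values as separate fields, match on those instead.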


