Keeper 101 - Advanced Reporting & Alerts Module (ARAM)

Aug 22, 2023

The Advanced Reporting and Alerts Module (ARAM) tracks over 200 security events across the organization and addresses many password-related cybersecurity auditing, alerting and compliance needs. This module provides insight to assess vulnerabilities related to administrative changes, password reuse, unauthorized access, password stuffing attacks and insider threats.

The Reporting Dashboard provides a quick view of top events, the Recent Activity and All Security Events Reports and any saved custom reports. Monitoring these events can assist in the detection of several threat vectors and help establish enforcement policies around vault and privileged account access.

For example, let’s take a look at the “Policy Change Report” that I’ve created. Here we can see any administrative changes in the platform. Clicking on the event shows event details such as the user, device, software version, IP address and event-specific metadata.

Filters can be customized for Users, Event Types, Event Attributes and Date Range. Data can also be exported for offline analysis.

To closely track critical security events, click Add Alert in the Alerts screen and specify a name and filter criteria. Admins can create an unlimited number of alerts, which can trigger on over 100 different event types and attributes. For example, here's an alert that is triggered upon any “Admin Policy Change” event within the Admin Console.

Like reports, Alerts can be sent to any number of recipients or endpoints such as an email address, SMS, or even Slack or Microsoft Teams through our Webhook feature.

Click Add Recipient to set up an email or SMS delivery option to a specified recipient, or you can add a Webhook to send the event to your favorite messaging platform. In this case, I have a Slack Webhook set up to receive the alert. It will be displayed in a Slack channel with custom formatting and can even include action buttons that launch the vault.

In addition to the reporting and alerting capabilities we offer through the Admin Console, event data can be streamed into any existing SIEM solution such as Splunk, Sumo Logic, Azure, DataDog, LogRhythm or any other Syslog-compatible destination.

From the External Logging screen, click Setup to activate the external logging solution. Setup is easy on each logging platform and typically only requires a few attributes to integrate. Once configured, our system will automatically stream all event data to the destination collector. Keeper supports both cloud-based and on-premises SIEM solutions.

Reports can also be generated automatically with Keeper Commander, our open-source command-line and SDK toolkit. Using the "audit-report" command, users can generate any type of event report and stream events directly into a SIEM collector. Because these logs don’t contain any secret data, they are safe to export to a SIEM. Additionally, if you have the compliance module activated, Commander will also decrypt the record title and URL in the audit reports.

Learn more about Keeper at:
https://keepersecurity.com

View our Keeper Enterprise Guide here:
https://docs.keeper.io/enterprise-guide/