Keeper¶
About¶
Keeper is a password manager created by Keeper Security, Inc. that allows users to store online login credentials, documents and images, and other sensitive information in an encrypted digital web vault. Users can also store two-factor authentication codes.
Product Details¶
Vendor URL: Keeper Security™ Official Site - Keeper Password Manager
Product Type: Password Manager
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Reporting, Alerts & SIEM - SYSLOG Guide
Log Guide: Reporting, Alerts & SIEM - Enterprise Guide
Parser Details¶
Log Format: SYSLOG/JSON
Expected Normalization Rate: 75%
Data Label: Keeper
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| audit_event | metadata.product_event_type |
| client_version | principal.asset.platform_software.platform_version |
| device_name | target.hostname |
| device_name | target.ip |
| enterprise_id | metadata.product_deployment_id |
| folder_type | target.resource.name |
| folder_uid | target.resource.product_object_id |
| observer | observer.hostname |
| observer | observer.ip |
| record_uid | metadata.product_log_id |
| remote_address | principal.hostname |
| remote_address | principal.ip |
| result_code | metadata.description |
| shared_folder_uid | target.resource.product_object_id |
| Statically Defined | target.resource.name |
| Statically Defined | security_result.action |
| to_username | target.user.userid |
| username | principal.user.userid |
| username | target.user.userid |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| alias_added | USER_RESOURCE_UPDATE_CONTENT | ||
| change_email | USER_RESOURCE_UPDATE_CONTENT | ||
| change_master_password | USER_CHANGE_PASSWORD | ||
| change_security_question | USER_RESOURCE_UPDATE_CONTENT | ||
| copy_password | USER_RESOURCE_ACCESS | ||
| create_user | USER_CREATION | ||
| Default | GENERIC_EVENT | ||
| folder_add_record | USER_RESOURCE_CREATION | ||
| folder_remove_record | USER_RESOURCE_DELETION | ||
| login | USER_LOGIN | ||
| login_console | USER_LOGIN | ||
| login_failed_console | USER_LOGIN | ||
| login_failure | USER_LOGIN | ||
| open_record | USER_RESOURCE_ACCESS | ||
| record_add | USER_RESOURCE_CREATION | ||
| record_delete | USER_RESOURCE_DELETION | ||
| record_password_change | USER_CHANGE_PASSWORD | ||
| record_update | USER_RESOURCE_UPDATE_CONTENT |
Log Sample¶
<165>1 2022-03-18T18:57:31.000Z keepersecurity.com keeper - - - {"record_uid":"a1d5c8r1g8g1g8r1rQ","audit_event":"open_record","remote_address":"10.10.10.120","client_version":"Web App.16.4.6","username":"john.doe@domain.com","enterprise_id":1234}
Sample Parsing¶
metadata.product_log_id = "a1d5c8r1g8g1g8r1rQ"
metadata.event_timestamp = "2022-03-18T18:57:31Z"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.product_name = "keeper"
metadata.product_event_type = "open_record"
metadata.product_deployment_id = "1234"
principal.user.userid = "john.doe"
principal.ip = "10.10.10.120"
principal.administrative_domain = "domain.com"
principal.asset.platform_software.platform_version = "Web App.16.4.6"
observer.hostname = "keepersecurity.com"
security_result.action = "ALLOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon