Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Keeper Security Events | Base Rule | General Security Information | Information |
| User Vault Login | Subrule | User Logon | Authentication Success |
| Admin Console Login | Subrule | Administration Session Started | Authentication Success |
| Account Recovery Declined | Subrule | Recovery Process Failure | Error |
| User Account Created | Subrule | User Account Created | Account Created |
| User Auto Provisioned | Subrule | User Account Created | Account Created |
| User Account Locked | Subrule | Account Locked | Access Revoked |
| Pending User Added To Role | Subrule | Role Attribute Modified | Account Modified |
| Device Approved | Subrule | Device Approval Created | Other Audit |
| Device Admin Approval Requested | Subrule | Device Approval Created | Other Audit |
| Biometric Access Configured | Subrule | User Account Attribute Modified | Account Modified |
| Record Added | Subrule | Object Added | Access Success |
| Record Opened | Subrule | Object Created | Access Success |
| Record Updated | Subrule | Object Modified | Access Success |
| Record Deleted | Subrule | Object Deleted/Removed | Access Success |
| Record Duplicated | Subrule | Object Created | Access Success |
| Record Password Changed | Subrule | Performing Password Change | Information |
| Password Copied To Clipboard | Subrule | Password Entry | Other Audit |
| Record Autofilled | Subrule | Object Modified | Access Success |
| File Attachment Uploaded | Subrule | File Uploaded | Information |
| Vault Folder Created | Subrule | Object Created | Access Success |
| Vault Folder Deleted | Subrule | Object Deleted/Removed | Access Success |
| Shared Folder Deleted | Subrule | Object Deleted/Removed | Access Success |
| Record Added To Shared Folder | Subrule | Object Added | Access Success |
| Record Removed From Shared Folder | Subrule | Object Deleted/Removed | Access Success |
| Record Shared | Subrule | Access Granted Activity | Access Granted |
| Record Share Permissions Changed | Subrule | Object Attribute Modified | Access Success |
| Record Share Removed | Subrule | Access Revoked Activity | Access Revoked |
| Record Ownership Transferred | Subrule | Role Attribute Modified | Account Modified |
| Account Transfer Consent Accepted | Subrule | General Audit | Other Audit Success |
| One-Time Share Link Generated | Subrule | General Authentication Information | Information |
| One-Time Share Link Opened | Subrule | General Authentication Information | Information |
| One-Time Share Link Re-Accessed | Subrule | General Authentication Information | Information |
| One-Time Share Link Expired | Subrule | General Authentication Information | Information |
| One-Time Share Link Removed | Subrule | General Authentication Information | Information |
| User Removed From Team | Subrule | Account Removed From Group | Access Revoked |
| Payment Card Added | Subrule | Object Created | Access Success |
| Audit Alert Sent | Subrule | General Audit | Other Audit Success |
| BreachWatch High Risk Password Detected | Subrule | General Audit Failure | Other Audit Failure |
| BreachWatch High Risk Password Ignored | Subrule | General Audit Failure | Other Audit Failure |
| Password Reuse Detected | Subrule | General Audit Failure | Other Audit Failure |
| PAM Gateway Online | Subrule | Service Start | Startup and Shutdown |
| Secrets Manager App Client Access | Subrule | User Logon | Authentication Success |
| Secrets Manager Record Updated | Subrule | Object Modified | Access Success |
| Scheduled Record Rotation Successful | Subrule | Scheduled Task Completed | Information |
| On-Demand Record Rotation Successful | Subrule | Task Completed | Information |
| Record Rotation Settings Updated | Subrule | Configuration Modified : Application | Configuration |
| Role Enforcement Policy Changed | Subrule | Role Attribute Modified | Account Modified |
| Admin Privilege Reduction Configured | Subrule | Configuration Modified : Security | Configuration |
| Admin 2FA Enforcement Configured | Subrule | Configuration Modified : Security | Configuration |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| audit_event | <vendorinfo>, <tag1> | Text/String | N/A |
| username | <login> | Text/String | N/A |
| client_version | <version> | Number | N/A |
| remote_address | <sip> | IP Address | N/A |
| channel | <sessiontype> | Text/String | Login or comms channel (e.g. Web Vault, Browser Extension, KeeperChat). |
| result_code | <responsecode> | Numbers | Failure code on login_failure-style events. |
| | <sender> | Text/String | N/A |
| to_username | <account> | Text/String | Other-party user emails. |
| client_version_new | N/A | N/A | N/A |
| username_new | N/A | N/A | N/A |
| file_format | N/A | N/A | N/A |
| record_uid | N/A | N/A | UID of a vault record. |
| folder_uid | N/A | N/A | UID of a folder (user or shared). |
| folder_type | <objecttype> | Text/String | User or shared. |
| shared_folder_uid | <objectname> | Text/String | UID of a shared folder. |
| attachment_id | <object> | Text/String | UID of a file attachment on a record. |
| team_uid | <group> | Text/String | UID of a team. |
| role_id | N/A | N/A | Role / team identifiers. |