Skip to main content

Keeper Security

thumbnail icon

This application has been developed and is supported by Keeper Security. For more information about Keeper, visit https://keepersecurity.com or email business.support@keepersecurity.com for help.

Keeper is the leading secure password manager and digital vault for businesses and individuals. The Keeper Security App for Sumo Logic helps you monitor admin actions, user activities and security risks. The App consists of dashboards and queries that allow you to monitor events logged by Keeper to Sumo Logic.

Log Types

The Keeper Security App uses Keeper Audit logs in JSON format pushed to Sumo HTTP Log Source by Keeper. For a description of the information available in the logs see Keeper Audit Event List.

Collecting Logs for Keeper Security

This application has been developed and is supported by Keeper Security. For more information about Keeper please visit https://keepersecurity.com or email business.support@keepersecurity.com for help.

This section provides instructions for collecting logs for the Keeper Security App for Sumo Logic. This process is as follows:

Step 1: Configure a collector

To configure a collector for Keeper Security, follow the instructions in the Hosted Collector document.

Step 2: Configure an HTTP source

You can configure sources for collectors that are hosted in Amazon Web Services (AWS), Microsoft, or other hosting services.

To configure an HTTP source for Keeper, do the following:

  1. Go to the Sources for Hosted Collectors page.
  2. Select the hosting service appropriate for your environment.
  3. Follow the instructions for adding an HTTP Log Source, using the default options.
  4. Copy the HTTP Source Address when prompted.

Step 3: Send Keeper logs to Sumo Logic

You configured a collector and an HTTP source for Keeper logs. This section shows you how to send Keeper logs to Sumo Logic for use with the Keeper Security App.

To send Keeper logs to Sumo Logic, do the following:

  1. Open the Keeper Admin Console and navigate to Reporting & Alerts.
  2. Select the External Logging tab.
  3. Click the Sumo Logic Setup button.
  4. In the Sync Settings dialog, enter the HTTP Source Address from step 4 of the previous task.
  5. Continue with verifying logging.

Step 4: Verify logging

This task shows you how to verify that events are being generated and received.

To verify logging for Keeper, do the following:

  1. In the Sync Settings dialog, click Test Connection. If the HTTP source is configured correctly, the Save button is activated.
  2. Click Save. From this moment on, events generated by your enterprise are collected by Sumo Logic.

Troubleshooting

If your log source gets deleted or changes the URL, Keeper generates an “audit_sync_failed” event. You can monitor these events in the Keeper Admin Console.

If the connectivity is not restored after a certain number of events (50), Keeper puts the event logging on pause. Keeper generates an “audit_sync_paused” event.

To resume logging, go to the “External Logging” section of the Keeper Admin Console.

Installing the Keeper Security App

This section provides instructions for installing the Keeper Security App, as well as examples of each of the App dashboards.

Now that you have set up collection for Keeper, install the app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis.

To install the app:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    App_Catalog.png
  3. Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
    note

    If your app has multiple versions, you'll need to select the version of the service you're using before installation.

  4. On the next configuration page, under Select Data Source for your App, complete the following fields:
    • Data Source. Select one of the following options:
      • Choose Source Category and select a source category from the list; or
      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example, _sourceCategory=MyCategory.
    • Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
    • All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
  5. Click Next.
  6. Look for the dialog confirming that your app was installed successfully.
    app-success.png

Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.

Viewing Keeper Security Dashboards

Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

You can use filters to drill down and examine the data on a granular level.

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

Overview

This is a general dashboard that shows the geographic locations of user activity, slicing the user activity by user, platform and time, most and least frequent events.

Keeper_Security dashboards

**Use this dashboard to analyze the following data:

  • Activity locations. See the number of application events across the world on a map in the last 24 hours.
  • Activity by platform. See the the number of application events by the client or platform in the last 24 hours.
  • Activity by user. See the number of application events by user in the last 24 hours.
  • Total users. See the number of users that accessed the Keeper service in the last 30 days.
  • Users by country. See the ratio of users that accessed the Keeper service from different countries in the last 30 days.
  • Top Events. See the ratio of top events generated by Keeper service users.
  • Activity by an hour. See the times when user activity peaked during the last 7 days.
  • Alerts last 7 days. See the alerts generated and alerts sent for the last 7 days.
  • Security events last 24 hours. See the event from “Security” category in the last 24 hours.

This panel is similar to the “All Security Events” predefined report in the Keeper Admin Console.

Activity

Provides detailed information on user activity, highlighting access and related risks.

Keeper_Security dashboards

Use this dashboard to analyze the following data:

  • Throttled logins. If a Keeper user tries to log in repeatedly with an incorrect password, this user logins become “throttled” for some time. This panel shows such login attempts for the last 24 hours, which can be an indication that somebody tries to hack this specific user.
  • Failed logins. See the time, event type, username, client version for all login failures (vault, console, 2fa) in the last 24 hours.
  • Alert distribution. See the pie chart of all alerts received in the last 7 days grouped by the alert name.
  • New user or remote address. See the users that had their first activity or activity from new ip addresses in the last 24 hours.
  • Multi-country users. See the users who logged in from more than 1 country in the last 7 days.
  • Movement. See the users who logged in from multiple locations that are far from each other in the last 24 hours. Note: while this report would show hacking attempts from foreign countries, users who used both VPN and non-VPN access, can also fall into this category.

Policy and Share

Shows details about user management, team and role management, permission management, sharing information, failed logins, and risk related information.

Keeper_Security dashboards

**Use this dashboard to analyze the following data:

  • User management. See the users who were created, removed, locked or unlocked in the last 7 days.
  • Team and Role management. See the users who were added to a role or a team in the last 7 days. (Note: Keeper cannot obtain the names of a role and as such cannot log them to Sumo. If you’re interested in the particular role to which the user was added, try adding a test user to roles. Then, compare the ID for the test user role to the ID in which you are interested in.
  • Enforcements management. See the permissions that were granted or removed from roles in the last 7 days.
  • Export activity. See the users who exported their records to an external file in the last 7 days.
  • Share activity. See users who shared information, including changes to share parameters, like being able to edit or being able to re-share in the last 7 days.
  • Users who shared information. See users who shared information and how much they shared relatively to each other in the last 7 days.
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.