Keeper Security
This application has been developed and is supported by Keeper Security. For more information about Keeper, visit https://keepersecurity.com or email business.support@keepersecurity.com for help.
Keeper is the leading secure password manager and digital vault for businesses and individuals. The Keeper Security App for Sumo Logic helps you monitor admin actions, user activities and security risks. The App consists of dashboards and queries that allow you to monitor events logged by Keeper to Sumo Logic.
Log Types
The Keeper Security App uses Keeper Audit logs in JSON format pushed to Sumo HTTP Log Source by Keeper. For a description of the information available in the logs see Keeper Audit Event List.
Collecting Logs for Keeper Security
This application has been developed and is supported by Keeper Security. For more information about Keeper please visit https://keepersecurity.com or email business.support@keepersecurity.com for help.
This section provides instructions for collecting logs for the Keeper Security App for Sumo Logic. This process is as follows:
Step 1: Configure a collector
To configure a collector for Keeper Security, follow the instructions in the Hosted Collector document.
Step 2: Configure an HTTP source
You can configure sources for collectors that are hosted in Amazon Web Services (AWS), Microsoft, or other hosting services.
To configure an HTTP source for Keeper, do the following:
Go to the Sources for Hosted Collectors page.
Select the hosting service appropriate for your environment.
Follow the instructions for adding an HTTP Log Source, using the default options.
Copy the HTTP Source Address when prompted.
Step 3: Send Keeper logs to Sumo Logic
You configured a collector and an HTTP source for Keeper logs. This section shows you how to send Keeper logs to Sumo Logic for use with the Keeper Security App.
To send Keeper logs to Sumo Logic, do the following:
- Open the Keeper Admin Console and navigate to Reporting & Alerts.
- Select the External Logging tab.
- Click the Sumo Logic Setup button.
- In the Sync Settings dialog, enter the HTTP Source Address from step 4 of the previous task.
- Continue with verifying logging.
Step 4: Verify logging
This task shows you how to verify that events are being generated and received.
To verify logging for Keeper, do the following:
- In the Sync Settings dialog, click Test Connection. If the HTTP source is configured correctly, the Save button is activated.
- Click Save. From this moment on, events generated by your enterprise are collected by Sumo Logic.
Troubleshooting
If your log source gets deleted or changes the URL, Keeper generates an “audit_sync_failed”
event. You can monitor these events in the Keeper Admin Console.
If the connectivity is not restored after a certain number of events (50), Keeper puts the event logging on pause. Keeper generates an “audit_sync_paused”
event.
To resume logging, go to the “External Logging” section of the Keeper Admin Console.
Installing the Keeper Security App
This application has been developed and is supported by Keeper Security. For more information about Keeper please visit https://keepersecurity.com or email business.support@keepersecurity.com for help.
This section provides instructions for installing the Keeper Security App, as well as examples of each of the App dashboards.
Now that you have set up collection for Keeper, install the app to use the pre-configured searches and dashboards that provide visibility into your environment for real-time analysis.
To install the app:
Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.
- From the App Catalog, search for and select the app.
- Select the version of the service you're using and click Add to Library. Version selection is applicable only to a few apps currently. For more information, see the Install the Apps from the Library.
- To install the app, complete the following fields.
- App Name. You can retain the existing name, or enter a name of your choice for the app.
- Data Source. Select either of these options for the data source.
- Choose Source Category, and select a source category from the list.
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (
_sourceCategory=MyCategory
).
- Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
- Click Add to Library.
Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization.
Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps.
Viewing Keeper Security Dashboards
Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.
You can use filters to drill down and examine the data on a granular level.
Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.
Overview
This is a general dashboard that shows the geographic locations of user activity, slicing the user activity by user, platform and time, most and least frequent events.
**Use this dashboard to analyze the following data:
- Activity locations. See the number of application events across the world on a map in the last 24 hours.
- Activity by platform. See the the number of application events by the client or platform in the last 24 hours.
- Activity by user. See the number of application events by user in the last 24 hours.
- Total users. See the number of users that accessed the Keeper service in the last 30 days.
- Users by country. See the ratio of users that accessed the Keeper service from different countries in the last 30 days.
- Top Events. See the ratio of top events generated by Keeper service users.
- Activity by an hour. See the times when user activity peaked during the last 7 days.
- Alerts last 7 days. See the alerts generated and alerts sent for the last 7 days.
- Security events last 24 hours. See the event from “Security” category in the last 24 hours.
This panel is similar to the “All Security Events” predefined report in the Keeper Admin Console.
Activity
Provides detailed information on user activity, highlighting access and related risks.
Use this dashboard to analyze the following data:
- Throttled logins. If a Keeper user tries to log in repeatedly with an incorrect password, this user logins become “throttled” for some time. This panel shows such login attempts for the last 24 hours, which can be an indication that somebody tries to hack this specific user.
- Failed logins. See the time, event type, username, client version for all login failures (vault, console, 2fa) in the last 24 hours.
- Alert distribution. See the pie chart of all alerts received in the last 7 days grouped by the alert name.
- New user or remote address. See the users that had their first activity or activity from new ip addresses in the last 24 hours.
- Multi-country users. See the users who logged in from more than 1 country in the last 7 days.
- Movement. See the users who logged in from multiple locations that are far from each other in the last 24 hours. Note: while this report would show hacking attempts from foreign countries, users who used both VPN and non-VPN access, can also fall into this category.
Policy and Share
Shows details about user management, team and role management, permission management, sharing information, failed logins, and risk related information.
**Use this dashboard to analyze the following data:
- User management. See the users who were created, removed, locked or unlocked in the last 7 days.
- Team and Role management. See the users who were added to a role or a team in the last 7 days. (Note: Keeper cannot obtain the names of a role and as such cannot log them to Sumo. If you’re interested in the particular role to which the user was added, try adding a test user to roles. Then, compare the ID for the test user role to the ID in which you are interested in.
- Enforcements management. See the permissions that were granted or removed from roles in the last 7 days.
- Export activity. See the users who exported their records to an external file in the last 7 days.
- Share activity. See users who shared information, including changes to share parameters, like being able to edit or being able to re-share in the last 7 days.
- Users who shared information. See users who shared information and how much they shared relatively to each other in the last 7 days.