Keeper Security Password Manager

SamurAI [Local] Collector	SamurAI [Cloud] Collector

This integration ingests security event data from Keeper Security Password Manager using Keeper’s built-in SIEM push capability, delivered to the SamurAI platform via Splunk HTTP Event Collection (HEC).

Prerequisites

Ensure that a Samurai Cloud Collector of type Splunk HTTP Event Collector (HEC) has been deployed via the SamurAI Portal.

Guide available here

If you are planning to reuse an already deployed Samurai HEC Cloud Collector you will need (displayed only upon creation):

API URL
Token

Take note of the API URL and Token from the SamurAI HEC Cloud Collector as these will be required when you Activate the integration in Keeper.

Activate the Integration in Keeper

Keeper’s SIEM push capability requires the Advanced Reporting & Alerts Module (ARAM). If ARAM is not included in your current Keeper subscription, contact your Keeper Security account manager or upgrade via the Secure Add Ons interface within the Keeper Admin Console.

Only one external SIEM sync method can be active at a time within Keeper. If an existing integration is already configured, it must be disabled before activating the SamurAI HEC Cloud Collector integration.

For additional information you can refer to the Keeper documentation on Splunk integration.

Keeper Administrator credentials are required to configure SIEM integrations in the Keeper Admin Console.

To configure Keeper to push events to the SamurAI HEC Cloud Collector, follow the steps below:

Log in to the Keeper Admin Console
Navigate to Reporting & Alerts in the left menu
Click Setup next to the external logging option
Select Splunk as the integration type
Perform the following steps using the values recorded from the SamurAI HEC Cloud Collector:
5.1 In the Host field, enter the API URL of the SamurAI HEC Cloud Collector
5.2 In the Port field, enter 443
5.3 In the Token field, enter the SamurAI HEC Cloud Collector Token
Click Test Connection to verify that Keeper can reach the SamurAI HEC Cloud Collector
Once the test is successful, click Save to activate the integration

If the integration status shows Paused after saving, this indicates a communications error when transmitting events to the SamurAI HEC Cloud Collector. Verify the Host, Port, and Token values are correct and retry.

Once activated, security event data will begin appearing in the SamurAI platform within 15 minutes.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the SamurAI MDR Portal and we shall get it updated.