Keeper Security Solution v3.0.1 - Add New Analytic Rules and Dashboard

[jpkeepersecurity]

Required items, please complete

Change(s):

• Added two new analytic rules: "Keeper Security - Password Changed" and "Keeper Security - User MFA Changed"
• Introduced a new workbook "Keeper Security Dashboard" with comprehensive visualizations and insights
• Added workbook preview images (6 total: 3 black theme + 3 white theme variations)
• Updated solution package files (createUiDefinition.json, mainTemplate.json, testParameters.json) to include new components
• Enhanced Solution_KeeperSecurity.json metadata to reference new analytic rules and workbook
• Updated WorkbooksMetadata.json to include the new dashboard

Reason for Change(s):

• Enhance the Keeper Security solution with additional security detection capabilities for password changes and MFA status modifications
• Provide users with comprehensive dashboards for visualizing Keeper Security audit events and trends
• Improve monitoring capabilities for critical security events like master password changes and MFA configuration changes
• Expand solution functionality from basic data collection to actionable insights and alerting

Version Updated:

• Yes
• Updated from version 3.0.0 to 3.0.1
• Both analytic rules include version 1.0.3
• Updated ReleaseNotes.md with version 3.0.1 changes dated 25-07-2025

Testing Completed:

• Test in Microsoft Sentinel via Deploy Custom Templates.

---

Summary of New Components:

• Analytic Rule 1: Detects change_master_password events with NRT (Near Real Time) alerting
• Analytic Rule 2: Monitors MFA changes (set_two_factor_off/set_two_factor_on events)
• Workbook: Interactive dashboard for Keeper Security event analysis and visualization
• Both rules create informational incidents with proper entity mapping for accounts and IP addresses

[jpkeepersecurity]

@v-maheshbh I don't why the Solution Integration Testing is broken, can you help me? it seems something about the credentials. Thank you.

[v-maheshbh]

hi @jpkeepersecurity We can ignore this error message.

[v-maheshbh]

hi @jpkeepersecurity Please, check other validations Failure.

[jpkeepersecurity]

WorkbooksValidation is broken Tanium, this object in WorkbooksMetadata.json is missing the field previewImagesFileNames because of that is breaking

{
  workbookKey: 'TaniumWorkbook',
  logoFileName: 'Tanium.svg',
  description: "The Tanium Workbook contains 20+ visualizations across 5 tabs (Threat Response, Comply, Discover, Microsoft Tooling Health and Patch). Each of these tabs shows examples of insights teams can leverage using Tanium's real-time data.",
  dataTypesDependencies: [
    'TaniumComplyCompliance_CL',
    'TaniumComplyVulnerabilities_CL',
    'TaniumDefenderHealth_CL',
    'TaniumDiscoverUnmanagedAssets_CL',
    'TaniumHighUptime_CL',
    'TaniumPatchCoverageStatus_CL',
    'TaniumPatchListApplicability_CL',
    'TaniumPatchListCompliance_CL',
    'TaniumSCCMClientHealth_CL',
    'TaniumThreatResponse_CL'
  ],
  dataConnectorsDependencies: [],
  previewImages: [
    'TaniumComplyWhite.png',
    'TaniumDiscoverWhite.png',
    'TaniumMSToolingHealthWhite.png',
    'TaniumPatchWhite.png',
    'TaniumThreatResponseAlertsWhite.png',
    'TaniumThreatResponseWhite.png'
  ],
  previewImagesDark: [
    'TaniumComplyBlack.png',
    'TaniumDiscoverBlack.png',
    'TaniumMSToolingHealthBlack.png',
    'TaniumPatchBlack.png',
    'TaniumThreatResponseAlertsBlack.png',
    'TaniumThreatResponseBlack.png'
  ],
  version: '2.0',
  title: 'Tanium Workbook',
  templateRelativePath: 'TaniumWorkbook.json',
  subtitle: '',
  provider: 'Tanium'
}

[v-maheshbh]

Hi @jpkeepersecurity Kindly incorporate the relevant techniques into the analytics rule. Thank you!

[jpkeepersecurity]

could you review the PR again v-maheshbh?

[jpkeepersecurity]

could you review the PR again v-maheshbh?