trendmicro · mcdequiroz · Jan 27, 2026 · Jan 27, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/...hird_party_logs/Keeper Security/Enterprise Security/Account - Master Password Changed.yml b/...hird_party_logs/Keeper Security/Enterprise Security/Account - Master Password Changed.yml
@@ -0,0 +1,17 @@
+title: Account - Master Password Changed
+description: Detects when Keeper Security Account master password is changed.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*account*'
+    string_condition_0:
+        eventName: '*change_master_password*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/.../Keeper Security/Enterprise Security/BreachWatch - Detected High-Risk Record Password.yml b/.../Keeper Security/Enterprise Security/BreachWatch - Detected High-Risk Record Password.yml
@@ -0,0 +1,17 @@
+title: BreachWatch - Detected High-Risk Record Password
+description: Detects when Keeper Security's BreachWatch service identifies a high-risk password record.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*breachwatch*'
+    string_condition_0:
+        eventName: '*bw_record_high_risk*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/...s/Keeper Security/Enterprise Security/BreachWatch - Ignored High-Risk Record Password.yml b/...s/Keeper Security/Enterprise Security/BreachWatch - Ignored High-Risk Record Password.yml
@@ -0,0 +1,17 @@
+title: BreachWatch - Ignored High-Risk Record Password
+description: Detects when Keeper Security's BreachWatch service identifies a high-risk password record that has been ignored by the user.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*breachwatch*'
+    string_condition_0:
+        eventName: '*bw_record_ignored*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/...hird_party_logs/Keeper Security/Enterprise Security/General Usage - Audit Sync Failed.yml b/...hird_party_logs/Keeper Security/Enterprise Security/General Usage - Audit Sync Failed.yml
@@ -0,0 +1,17 @@
+title: General Usage - Audit Sync Failed
+description: Detects when Keeper Security Audit Sync fails.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*usage*'
+    string_condition_0:
+        eventName: '*audit_sync_failed*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/..._party_logs/Keeper Security/Enterprise Security/General Usage - User Deleted a Record.yml b/..._party_logs/Keeper Security/Enterprise Security/General Usage - User Deleted a Record.yml
@@ -0,0 +1,17 @@
+title: General Usage - User Deleted a Record
+description: Detects when Keeper Security users delete a record from their vault.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*usage*'
+    string_condition_0:
+        eventName: '*record_delete*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Login Failed.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Login Failed.yml
@@ -0,0 +1,17 @@
+title: Login Failed
+description: Detects when Keeper Security Login fails
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*login*'
+    string_condition_0:
+        eventName: '*login_failure*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/.../third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Added.yml b/.../third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Added.yml
@@ -0,0 +1,17 @@
+title: Policy - Admin Permission Added
+description: Detects when Keeper Security Admin permissions are added via Policy.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*policy*'
+    string_condition_0:
+        eventName: '*admin_permission_added*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/...hird_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Removed.yml b/...hird_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Removed.yml
@@ -0,0 +1,17 @@
+title: Policy - Admin Permission Removed
+description: Detects when Keeper Security Admin permissions are removed via Policy.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*policy*'
+    string_condition_0:
+        eventName: '*admin_permission_removed*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/...ogs/Keeper Security/Enterprise Security/Security - Two-Factor Authentication Disabled.yml b/...ogs/Keeper Security/Enterprise Security/Security - Two-Factor Authentication Disabled.yml
@@ -0,0 +1,17 @@
+title: Security - Two-Factor Authentication Disabled
+description: Detects when Keeper Security Two-Factor Authentication is disabled.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*security*'
+    string_condition_0:
+        eventName: '*set_two_factor_off*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/...party_logs/Keeper Security/Enterprise Security/Security - User Blocked via IP Address.yml b/...party_logs/Keeper Security/Enterprise Security/Security - User Blocked via IP Address.yml
@@ -0,0 +1,17 @@
+title: Security - User Blocked from IP Address
+description: Detects when Keeper Security User is blocked from IP Address.
+references: 
+    - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Keeper Security
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    cat: 
+        category: '*security*'
+    string_condition_0:
+        eventName: '*login_failed_ip_whitelist*'
+    condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1