feat: add --siem flag to security-audit report for NDJSON export#1876
Open
jlima8900 wants to merge 1 commit into Keeper-Security:master from
Adds SIEM-ready output to security-audit report using NDJSON format (one JSON event per line). Compatible with Splunk HEC, Elastic Filebeat, Datadog log pipelines, and any NDJSON/JSON Lines consumer.

Usage:

    security-audit report --siem --output posture.ndjson
    security-audit report --siem --breachwatch --output breach.ndjson

Design decisions:
- NDJSON not wrapped JSON — supports streaming ingestion at scale
- --siem flag not --format siem — avoids modifying shared parser
- Risk factors from data, no hardcoded severity thresholds
- .ndjson extension for file output
- twoFactorChannel values verified: 'Off' or 'On' (from security_audit.py:356)
- params.server verified: exists as property on KeeperParams

Existing formats (table, csv, json, pdf) unchanged.
Summary

Adds SIEM-ready output to security-audit report using NDJSON format (one JSON event per line). The existing audit-log command has SIEM export (Splunk, syslog, Sumo, Azure) for event streaming, but security-audit report (posture snapshots) has no SIEM output.

Usage

Output format (NDJSON — one line per user)

    {"event_type":"keeper.security_audit","timestamp":"2026-03-14T22:30:00+00:00","source":"keepersecurity.eu","user":{"email":"user@company.com","securityScore":52,"weak":8,"reused":6,"twoFactorChannel":"none"},"security_score":52,"risk_factors":["weak_passwords","reused_passwords","no_2fa"]}

Design decisions
- jq -c, Filebeat, Splunk HEC, Datadog logs.
- --siem flag not --format siem — avoids modifying the shared report_output_parser used by all commands. Clean addition, no side effects.
- risk_factors and security_score. SIEM correlation rules should define what's critical for each organization, not Commander.
- .ndjson extension — standard for newline-delimited JSON files.

No breaking changes
- --siem is additive — only affects output when explicitly used
- audit-log SIEM targets unaffected

Test plan
- --siem produces valid NDJSON (one JSON object per line) jq
- --breachwatch --siem includes at_risk/passed/ignored
- --output writes to file with .ndjson extension
- --output, prints to stdout
- --format json output unchanged
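The event shape described in the PR body, as an added example that is not the PR's own code or Commander's: a constructed per-user list (shaped like the records the sample line shows, with the field names email, securityScore, weak, reused, twoFactorChannel) is turned into NDJSON events whose risk_factors are derived from the record rather than from severity thresholds, and a line-by-line validator performs the "one JSON object per line" check the test plan does with jq. The rules for deriving risk factors, the "Off"/"On" handling of twoFactorChannel, and the source value are assumptions, not verified against the PR's implementation.

```python
"""Build and validate SIEM-ready NDJSON from security-audit user records.

Added illustration for the PR discussion; not Commander's code. Field names
follow the sample event in the PR body; the risk-factor rules are assumed.
"""
import json
from datetime import datetime, timezone

# Constructed sample input: two per-user records of the shape the PR's
# sample line shows (not real data, not Commander output).
SAMPLE_USERS = [
    {"email": "user@company.com", "securityScore": 52, "weak": 8,
     "reused": 6, "twoFactorChannel": "Off"},
    {"email": "admin@company.com", "securityScore": 97, "weak": 0,
     "reused": 0, "twoFactorChannel": "On"},
]


def risk_factors(user):
    """Derive risk factors from the record itself; no hardcoded thresholds.

    Assumption: any twoFactorChannel value other than "On" means no 2FA.
    """
    factors = []
    if int(user.get("weak", 0)) > 0:
        factors.append("weak_passwords")
    if int(user.get("reused", 0)) > 0:
        factors.append("reused_passwords")
    if str(user.get("twoFactorChannel", "Off")).lower() != "on":
        factors.append("no_2fa")
    return factors


def to_siem_events(users, source, timestamp=None):
    """One event dict per user, in the key order of the PR's sample line."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [
        {
            "event_type": "keeper.security_audit",
            "timestamp": ts,
            "source": source,          # assumed to come from params.server
            "user": u,
            "security_score": u.get("securityScore"),
            "risk_factors": risk_factors(u),
        }
        for u in users
    ]


def to_ndjson(events):
    """Serialise events as NDJSON: compact, one object per line.

    json.dumps escapes any newline inside a string value, so a single record
    can never span two lines and break downstream line-oriented ingestion.
    """
    return "".join(
        json.dumps(e, separators=(",", ":")) + "\n" for e in events
    )


def validate_ndjson(text):
    """Return the event count if every non-empty line is a JSON object.

    Raises ValueError naming the 1-based line number of the first bad line,
    so an ingestion failure can be traced to a specific record.
    """
    count = 0
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: invalid JSON ({exc.msg})") from None
        if not isinstance(obj, dict):
            raise ValueError(f"line {n}: expected a JSON object")
        count += 1
    return count


if __name__ == "__main__":
    ndjson = to_ndjson(to_siem_events(SAMPLE_USERS, "keepersecurity.eu"))
    validate_ndjson(ndjson)
    print(ndjson, end="")
```

Filebeat and Datadog log pipelines consume such lines as-is; for Splunk HEC's /services/collector endpoint the sender still wraps each line as {"event": ...} (or posts the raw lines to /services/collector/raw), which is a transport concern and does not change the file format.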