feat: add --format siem option to security-audit report

jlima8900 · jlima8900 · commit 0460eea1a9fb · 2026-03-14T22:31:04.000+01:00
Adds SIEM-ready JSON output format for security audit posture reports.
Designed for ingestion by Splunk, Elastic, Datadog, and other SIEMs.

Output includes:
- schema_version for parser stability across upgrades
- Per-user severity classification (critical/high/medium/low/info)
  based on security score, weak passwords, reused passwords, 2FA status
- Risk factors array per user for correlation rules
- Summary with aggregate stats (avg score, users at risk, 2FA gaps)
- ISO timestamp with timezone for accurate event ordering
- Source metadata (host, enterprise, commander version)
- BreachWatch mode support (at_risk/passed/ignored fields)

Usage:
  security-audit report --format siem --output audit.json
  security-audit report --format siem --breachwatch --output bw.json

Existing formats (table, csv, json, pdf) are unchanged.
Atomic file writes with 0o600 permissions on output.
diff --git a/keepercommander/commands/security_audit.py b/keepercommander/commands/security_audit.py
@@ -1,7 +1,11 @@
 import argparse
 import base64
+import datetime
 import json
 import logging
+import os
+import platform
+import tempfile
 from json import JSONDecodeError
 from typing import Dict, List, Optional, Any
 
@@ -30,6 +34,11 @@ def register_command_info(aliases, command_info):
 
 report_parser = argparse.ArgumentParser(prog='security-audit-report', description='Run a security audit report.',
                                         parents=[report_output_parser])
+# Override format choices to include 'siem' for SIEM-ready JSON output
+for action in report_parser._actions:
+    if hasattr(action, 'dest') and action.dest == 'format':
+        action.choices = ['table', 'csv', 'json', 'pdf', 'siem']
+        break
 report_parser.add_argument('--syntax-help', dest='syntax_help', action='store_true', help='display help')
 node_filter_help = 'name(s) or UID(s) of node(s) to filter results of the report by'
 report_parser.add_argument('-n', '--node', action='append', help=node_filter_help)
@@ -492,12 +501,17 @@ def decrypt_security_data(sec_data, key_type):
         fields = ('email', 'name', 'sync_pending', 'at_risk', 'passed', 'ignored') if show_breachwatch else \
             ('email', 'name', 'sync_pending', 'weak', 'fair', 'medium', 'strong', 'reused', 'unique', 'securityScore',
              'twoFactorChannel', 'node')
-        field_descriptions = fields
 
+        report_title = f'Security Audit Report{" (BreachWatch)" if show_breachwatch else ""}'
+
+        # SIEM-ready JSON output
+        if fmt == 'siem':
+            return self._export_siem(params, rows, fields, show_breachwatch, out, report_title)
+
+        field_descriptions = fields
         if fmt == 'table':
             field_descriptions = (field_to_title(x) for x in fields)
 
-        report_title = f'Security Audit Report{" (BreachWatch)" if show_breachwatch else ""}'
         table = []
         for raw in rows:
             row = []
@@ -506,6 +520,106 @@ def decrypt_security_data(sec_data, key_type):
             table.append(row)
         return dump_report_data(table, field_descriptions, fmt=fmt, filename=out, title=report_title)
 
+    @staticmethod
+    def _export_siem(params, rows, fields, show_breachwatch, filename, title):
+        """Export security audit report in SIEM-ready JSON format.
+
+        Each user becomes an event with metadata for ingestion by
+        Splunk, Elastic, Datadog, or any JSON-based SIEM.
+        """
+        now = datetime.datetime.now(tz=datetime.timezone.utc)
+        events = []
+
+        for raw in rows:
+            user_data = {f: raw.get(f) for f in fields}
+
+            # Compute severity based on security score and risk factors
+            severity = 'info'
+            risk_factors = []
+            if not show_breachwatch:
+                score = raw.get('securityScore', 0)
+                weak = raw.get('weak', 0)
+                reused = raw.get('reused', 0)
+                two_fa = raw.get('twoFactorChannel', '')
+
+                if weak > 0:
+                    risk_factors.append('weak_passwords')
+                if reused > 0:
+                    risk_factors.append('reused_passwords')
+                if not two_fa or two_fa == 'none':
+                    risk_factors.append('no_2fa')
+
+                if score < 40 or weak > 5:
+                    severity = 'critical'
+                elif score < 60 or weak > 2:
+                    severity = 'high'
+                elif score < 80:
+                    severity = 'medium'
+                elif risk_factors:
+                    severity = 'low'
+            else:
+                at_risk = raw.get('at_risk', 0)
+                if at_risk > 5:
+                    severity = 'critical'
+                    risk_factors.append('high_breach_exposure')
+                elif at_risk > 0:
+                    severity = 'high'
+                    risk_factors.append('breach_exposure')
+
+            event = {
+                'event_type': 'keeper.security_audit',
+                'timestamp': now.isoformat(timespec='seconds'),
+                'severity': severity,
+                'source': {
+                    'host': platform.node(),
+                    'enterprise': params.server if hasattr(params, 'server') else '',
+                    'commander_version': 'Commander',
+                },
+                'user': user_data,
+                'risk_factors': risk_factors,
+            }
+            events.append(event)
+
+        # Compute summary
+        total = len(events)
+        scores = [r.get('securityScore', 0) for r in rows if 'securityScore' in r]
+        summary = {
+            'total_users': total,
+            'avg_security_score': round(sum(scores) / max(len(scores), 1), 1),
+            'users_critical': sum(1 for e in events if e['severity'] == 'critical'),
+            'users_high': sum(1 for e in events if e['severity'] == 'high'),
+            'users_without_2fa': sum(1 for e in events if 'no_2fa' in e['risk_factors']),
+        }
+
+        output = {
+            'schema_version': '1.0',
+            'event_type': 'keeper.security_audit_report',
+            'generated': now.isoformat(timespec='seconds'),
+            'title': title,
+            'summary': summary,
+            'events': events,
+        }
+
+        report = json.dumps(output, indent=2, default=str)
+
+        if filename:
+            if not os.path.splitext(filename)[1]:
+                filename += '.json'
+            logging.info('SIEM report path: %s', os.path.abspath(filename))
+            fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(filename)), suffix='.tmp')
+            try:
+                os.write(fd, report.encode())
+                os.close(fd)
+                os.replace(tmp_path, filename)
+                os.chmod(filename, 0o600)
+            except Exception:
+                os.close(fd)
+                if os.path.exists(tmp_path):
+                    os.unlink(tmp_path)
+                raise
+        else:
+            return report
+
     def get_updated_security_report_row(self, sr, rsa_key, ec_key, last_saved_data):
         # type: (APIRequest_pb2.SecurityReport, rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey, Dict[str, int]) -> Dict[str, int]
 
