Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
JumpCloud Directory Insights | ✅ | ✅ | jumpcloud_directory_insights | NDJSON | API |
JumpCloud Users | ✅ | jumpcloud_users | NDJSON | API |
Overview
JumpCloud is a cloud-based directory platform that simplifies identity and device management for IT teams. It enables organizations to securely manage user access, authentication, and device policies across various operating systems and applications. With features like Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Zero Trust security, JumpCloud helps streamline IT operations while enhancing security and compliance.
Supported data types
JumpCloud Directory Insights
Table name: jumpcloud_directory_insights
JumpCloud Directory Insights is a logging and event monitoring tool that provides IT teams with real-time visibility into user activities, authentication events, and system changes across their environment. It helps organizations track security events, detect anomalies, and ensure compliance by offering detailed audit logs for user access, device modifications, and administrative actions. With Directory Insights, IT teams can proactively manage security risks and troubleshoot issues efficiently.
More information on the event types can be found here.
JumpCloud Users
Table name: jumpcloud_users
JumpCloud User Logs provide detailed records of user activities, authentication attempts, and access events across an organization's IT environment. These logs help IT teams monitor security, detect suspicious behavior, and ensure compliance by tracking successful and failed logins, password changes, and MFA events. With real-time visibility into user actions, admins can quickly investigate issues, enforce security policies, and maintain a secure directory infrastructure.
Send data to Hunters
Hunters supports the collection of logs from JumpCloud through the JumpCloud API.
To connect JumpCloud logs:
1. As an Administrator or Command Runner, log in to JumpCloud.
2. Hover over your account name and then select API Settings.
3. Your API key is displayed in the resulting dialog. Save it in a safe place.
📘 Note: The permission needed for the Hunters integration is ["directoryinsights.readonly"].
4. Complete the process on the Hunters platform, following this guide.
📘 Learn More: To learn more about JumpCloud API keys, check out the JumpCloud Support Community.
Expected format
The expected format of the logs is NDJSON (one JSON object per line), as exported by JumpCloud.
Directory Insights log sample
```json
{"initiated_by": {"type": "user", "username": "user_sample"}, "geoip": {"country_code": "AE", "timezone": "Asia/Dubai", "latitude": xx.xxxxx, "continent_code": "AS", "region_name": "Dubai", "longitude": yy.yyyyy, "region_code": "DU"}, "message": "User user_sample logged in from (unknown), process name: ", "system": {"hostname": "other_user-MacBook-Air.local", "displayName": "other_user-MacBook-Air.local", "id": "654134sdfg897g"}, "event_type": "login_attempt", "service": "systems", "success": true, "organization": "654134sdfg897g", "@version": "1", "system_timestamp": "2022-11-14T03:53:05Z", "client_ip": "x.x.x.x", "id": "654134sdfg897g", "timestamp": "2022-11-14T03:53:40.449220296Z", "username": "user_sample"}
```
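The following is an added example, not part of the Hunters or JumpCloud documentation: it parses Directory Insights NDJSON of the shape shown above (tolerating blank or malformed lines, as a feed from an API export may contain) and counts failed `login_attempt` events per `client_ip`, flagging sources that failed against several distinct accounts. The sample lines, IPs and usernames are constructed.

```python
import json
from collections import Counter

# Constructed NDJSON sample modelled on the Directory Insights record above
# (one JSON object per line; IPs, usernames and timestamps are made up).
SAMPLE_NDJSON = "\n".join([
    '{"event_type": "login_attempt", "service": "systems", "success": true, "username": "user_sample", "client_ip": "203.0.113.10", "initiated_by": {"type": "user", "username": "user_sample"}, "timestamp": "2022-11-14T03:53:40.449220296Z"}',
    '{"event_type": "login_attempt", "service": "systems", "success": false, "username": "user_sample", "client_ip": "198.51.100.7", "initiated_by": {"type": "user", "username": "user_sample"}, "timestamp": "2022-11-14T03:54:01Z"}',
    '{"event_type": "login_attempt", "service": "systems", "success": false, "username": "other_user", "client_ip": "198.51.100.7", "initiated_by": {"type": "user", "username": "other_user"}, "timestamp": "2022-11-14T03:54:09Z"}',
    '{"event_type": "login_attempt", "service": "systems", "success": false, "username": "third_user", "client_ip": "198.51.100.7", "initiated_by": {"type": "user", "username": "third_user"}, "timestamp": "2022-11-14T03:54:15Z"}',
    'not json at all',   # a corrupted line: must be skipped, not abort the whole batch
    '',                  # a blank line: ignored
])

def parse_ndjson(text):
    """Parse NDJSON into dicts; blank lines are skipped, malformed lines are counted."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad

def failed_logins_by_ip(events):
    """Failed login_attempt events per client_ip, plus the distinct usernames tried from each."""
    counts, users = Counter(), {}
    for ev in events:
        # success is a JSON boolean; only an explicit false counts as a failure
        if ev.get("event_type") != "login_attempt" or ev.get("success") is not False:
            continue
        ip = ev.get("client_ip", "unknown")
        counts[ip] += 1
        users.setdefault(ip, set()).add(ev.get("username"))
    return counts, users

def spray_candidates(events, min_users=3):
    """Source IPs with failed logins against at least min_users distinct accounts."""
    _, users = failed_logins_by_ip(events)
    return sorted(ip for ip, names in users.items() if len(names) >= min_users)

if __name__ == "__main__":
    evs, bad = parse_ndjson(SAMPLE_NDJSON)
    print(f"parsed {len(evs)} events, skipped {bad} malformed line(s)")
    print("one IP, many accounts:", spray_candidates(evs))
```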
Users log sample
Logs are expected in JSON format.
```json
{
  "account_locked": false,
  "activated": true,
  "addresses": [
    {
      "type": "work",
      "poBox": "",
      "extendedAddress": "",
      "streetAddress": "",
      "locality": "",
      "region": "",
      "postalCode": "asd",
      "country": "asd",
      "_id": "asdq2eqadaw"
    },
    {
      "type": "home",
      "poBox": "",
      "extendedAddress": "",
      "streetAddress": "",
      "locality": "",
      "region": "",
      "postalCode": "",
      "country": "",
      "_id": "asdawd21e"
    }
  ],
  "allow_public_key": true,
  "alternateEmail": null,
  "attributes": [
    {
      "name": "TestAttr",
      "value": "koko@shoko.COM",
      "_id": "asdawd21e"
    }
  ],
  "company": "koko@shoko.com",
  "costCenter": "123124124124124124",
  "department": "Koko Shoko Inc",
  "description": "DISABLED_ON",
  "disableDeviceMaxLoginAttempts": false,
  "displayname": "",
  "email": "koko@shoko.com",
  "employeeIdentifier": "asdasdasdasdasd",
  "employeeType": "Employee|Regular",
  "enable_managed_uid": false,
  "enable_user_portal_multifactor": false,
  "external_dn": "",
  "external_source_type": "",
  "externally_managed": false,
  "firstname": "Koko",
  "jobTitle": "KOKOKOKO",
  "lastname": "Shok",
  "ldap_binding_user": true,
  "location": "Metula",
  "managedAppleId": "",
  "manager": null,
  "mfa": {
    "exclusion": false,
    "configured": true
  },
  "middlename": "",
  "password_never_expires": true,
  "passwordless_sudo": false,
  "phoneNumbers": [
    {
      "type": "work_mobile",
      "number": "1234",
      "_id": "123123123123"
    }
  ],
  "public_key": "",
  "restrictedFields": [],
  "samba_service_user": false,
  "ssh_keys": [],
  "state": "ACTIVATED",
  "sudo": false,
  "suspended": false,
  "systemUsername": "",
  "unix_guid": 6996,
  "unix_uid": 6996,
  "username": "koko.shoko",
  "created": "2018-07-09T08:34:32.032Z",
  "organization": "awdawedg1234g124g12",
  "password_date": "2022-07-01T03:04:54.781Z",
  "password_expired": false,
  "totp_enabled": true,
  "_id": "awdawedg1234g124g12",
  "id": "awdawedg1234g124g12",
  "mfaEnrollment": {
    "totpStatus": "ENROLLED",
    "webAuthnStatus": "ENROLLED",
    "pushStatus": "ENROLLED",
    "overallStatus": "ENROLLED"
  }
}
```
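An added example, not from the Hunters or JumpCloud documentation: a posture check over user records of the shape shown above, using the `state`, `suspended`, `account_locked`, `mfa`, `mfaEnrollment`, `password_never_expires`, `password_expired` and `passwordless_sudo` fields from the sample. The three user records are constructed, and the `NOT_ENROLLED` status value is assumed for illustration.

```python
import json

# Constructed user records in the shape of the sample above (all values made up;
# the "NOT_ENROLLED" status is an assumed value, not taken from the page).
USERS_JSON = json.dumps([
    {"username": "koko.shoko", "state": "ACTIVATED", "suspended": False, "account_locked": False,
     "mfa": {"exclusion": False, "configured": True}, "totp_enabled": True,
     "mfaEnrollment": {"overallStatus": "ENROLLED"}, "password_never_expires": True,
     "password_expired": False, "sudo": False, "passwordless_sudo": False},
    {"username": "svc.build", "state": "ACTIVATED", "suspended": False, "account_locked": False,
     "mfa": {"exclusion": True, "configured": False}, "totp_enabled": False,
     "mfaEnrollment": {"overallStatus": "NOT_ENROLLED"}, "password_never_expires": False,
     "password_expired": True, "sudo": True, "passwordless_sudo": True},
    {"username": "old.intern", "state": "SUSPENDED", "suspended": True, "account_locked": False,
     "mfa": {"exclusion": False, "configured": False}, "totp_enabled": False,
     "mfaEnrollment": {"overallStatus": "NOT_ENROLLED"}, "password_never_expires": False,
     "password_expired": True, "sudo": False, "passwordless_sudo": False},
])

def audit_user(u):
    """Return a list of posture findings for one user record; empty when nothing stands out."""
    findings = []
    active = (u.get("state") == "ACTIVATED" and not u.get("suspended")
              and not u.get("account_locked"))
    if not active:
        return findings  # suspended or locked accounts are out of scope for this check
    mfa = u.get("mfa", {})
    enrolled = u.get("mfaEnrollment", {}).get("overallStatus") == "ENROLLED"
    if mfa.get("exclusion"):
        findings.append("excluded from MFA")
    elif not (mfa.get("configured") and enrolled):
        findings.append("MFA not configured or not enrolled")
    if u.get("password_never_expires"):
        findings.append("password never expires")
    if u.get("password_expired"):
        findings.append("password expired but account still active")
    if u.get("passwordless_sudo"):
        findings.append("passwordless sudo on managed devices")
    return findings

def audit_users(text):
    """Map username -> findings for every active user with at least one finding."""
    report = {}
    for u in json.loads(text):
        findings = audit_user(u)
        if findings:
            report[u["username"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_users(USERS_JSON).items():
        print(name, "->", "; ".join(findings))
```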