JumpCloud
JumpCloud is a cloud directory used to authenticate, authorize and manage users, applications, and devices. InsightIDR collects raw event logs from JumpCloud’s Directory Insights API.
To set up JumpCloud, you’ll need to:
- Review the requirements.
- Obtain API key and Organization ID from JumpCloud.
- Set up the JumpCloud event source in InsightIDR.
- Verify the configuration works.
Requirements
To complete the tasks outlined in this article, you’ll need the following:
- Access to an Admin account for JumpCloud.
- An API Key and Organization ID.
Obtain API key and Organization ID from JumpCloud
Complete the following steps to obtain your API key and Organization ID. For the most up-to-date version of these steps, see JumpCloud’s own documentation: https://jumpcloud-insights.api-docs.io/1.0/authentication-and-authorization/authentication and https://support.jumpcloud.com/support/s/article/Settings-in-the-JumpCloud-Admin-Portal#AccessOrgID .
- Log in to the JumpCloud Admin portal, and click on the Account dropdown.
- Now, click API Settings and locate the API key. We recommend copying it into a temporary text file so you can easily access it later.
- Go to your Organization Profile and click the eye icon to unmask the Organization ID. There may be multiple IDs, so copy them all into a temporary text file so you can easily access them later.
Resetting API key
You may receive an error within InsightIDR stating that authentication failed due to a bad API key if the key has been reset by an admin. Find out more about resetting your key here: https://jumpcloud-insights.api-docs.io/1.0/authentication-and-authorization/authentication .
Set up JumpCloud in InsightIDR
- From the left menu, go to Data Collection.
- When the Data Collection page appears, click the Setup Event Source drop-down and choose Add Event Source.
- From the Security Data section, click the Cloud Service icon. The Add Event Source panel appears.
- Choose your collector and JumpCloud from the event source drop-down.
- Name your event source. If you do not, InsightIDR will apply the default event source name “JumpCloud”.
- Optionally choose to send unparsed data.
- Enter the Organization ID that you obtained from your JumpCloud Organization Profile. If you wish to enter multiple Organization IDs you must separate them using a comma.
- Select your credentials, or create a new credential. If you’re creating a new credential, enter the API key you obtained from your JumpCloud admin account in the token/secret field.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- On the new event source that was just created, click the View Raw Log button. If log messages appear in the box, logs are flowing to the Collector.
- Click Log Search in the left menu.
- Under Log Sets, select Raw Logs, and select the log set for JumpCloud. The log set name will be “JumpCloud” if you did not name the event source.
Logs take a minimum of 7 minutes to appear in Log Search.
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but still see no log messages in Log Search after waiting those 7 minutes, your logs do not match the recommended format and type for this event source.
Sample Logs
Example of JSON input logs:
{
  "initiated_by": {
    "id": "617fe228c8ca986f4608abba",
    "type": "admin",
    "email": "user@rapid7.com"
  },
  "geoip": {
    "country_code": "US",
    "timezone": "America/New_York",
    "latitude": 42.3634,
    "continent_code": "NA",
    "region_name": "Massachusetts",
    "longitude": -71.0713,
    "region_code": "MA"
  },
  "resource": {
    "id": "617fe228c8ca986f4608abba",
    "type": "admin",
    "email": "user@rapid7.com"
  },
  "changes": [
    {
      "field": "apiKey"
    }
  ],
  "auth_method": "session",
  "event_type": "admin_update",
  "provider": null,
  "service": "directory",
  "organization": "617fe228c8ca986f4608abbc",
  "@version": "1",
  "client_ip": "208.118.227.19",
  "id": "61a4b92304e3b42e59b0de54",
  "user_agent": {
    "patch": "4664",
    "minor": "0",
    "os": "Mac OS X",
    "major": "96",
    "build": "",
    "os_minor": "15",
    "os_major": "10",
    "name": "Chrome",
    "os_name": "Mac OS X",
    "device": "Other"
  },
  "timestamp": "2021-11-29T11:27:31.562Z"
}
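The sample event above is itself the kind of record worth watching: an admin_update whose changes list contains the apiKey field is an admin resetting an API key, which is exactly the situation the “Resetting API key” section describes (the event source starts failing authentication afterwards). The following is an added example, not Rapid7’s or JumpCloud’s code. It assumes the raw-log shape shown on this page (one JSON object per event) and the field names the sample uses (service, event_type, changes[].field, initiated_by, resource, organization, client_ip, geoip, timestamp); it also assumes, based on the sample IDs, that an Organization ID is 24 hex characters, and it reads the comma-separated Organization ID list in the same form the event source setup step accepts. The log lines it runs over are constructed: the first is the page’s sample trimmed to the fields read, the second is a made-up admin profile edit, the third is deliberately malformed.

```python
"""Flag JumpCloud Directory Insights events that change an admin's API key.

Added example, not Rapid7's or JumpCloud's code. Assumes the raw log format on
this page (one JSON event per line) and the field names the page's sample uses.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed input. Line 1: the page's sample event, trimmed to the fields read
# below. Line 2: a constructed admin profile edit that does not touch the API
# key. Line 3: a constructed malformed line, to show it is skipped, not fatal.
SAMPLE_RAW_LOG = """\
{"initiated_by": {"id": "617fe228c8ca986f4608abba", "type": "admin", "email": "user@rapid7.com"}, "geoip": {"country_code": "US", "region_name": "Massachusetts"}, "resource": {"id": "617fe228c8ca986f4608abba", "type": "admin", "email": "user@rapid7.com"}, "changes": [{"field": "apiKey"}], "auth_method": "session", "event_type": "admin_update", "service": "directory", "organization": "617fe228c8ca986f4608abbc", "client_ip": "208.118.227.19", "id": "61a4b92304e3b42e59b0de54", "timestamp": "2021-11-29T11:27:31.562Z"}
{"initiated_by": {"id": "aaaaaaaaaaaaaaaaaaaaaaaa", "type": "admin", "email": "other@example.com"}, "resource": {"id": "bbbbbbbbbbbbbbbbbbbbbbbb", "type": "admin", "email": "third@example.com"}, "changes": [{"field": "firstname"}], "auth_method": "session", "event_type": "admin_update", "service": "directory", "organization": "617fe228c8ca986f4608abbc", "client_ip": "203.0.113.7", "id": "cccccccccccccccccccccccc", "timestamp": "2021-11-29T12:00:00.000Z"}
not json at all
"""

# Assumption: Organization IDs are 24 hex characters, as in the page's sample.
ORG_ID_RE = re.compile(r"^[0-9a-f]{24}$")


def parse_org_ids(field: str) -> List[str]:
    """Split the comma-separated Organization ID field the event source accepts.

    Trims whitespace, drops empty entries and duplicates, and rejects anything
    that does not look like an Organization ID so a typo fails early.
    """
    ids: List[str] = []
    for raw in field.split(","):
        org = raw.strip()
        if not org:
            continue
        if not ORG_ID_RE.match(org):
            raise ValueError(f"not a JumpCloud Organization ID: {org!r}")
        if org not in ids:
            ids.append(org)
    return ids


def load_events(raw_log: str) -> Iterator[dict]:
    """Yield one event dict per well-formed JSON line; skip malformed lines."""
    for line in raw_log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole batch
        if isinstance(event, dict):
            yield event


@dataclass
class ApiKeyChange:
    event_id: str
    organization: str
    admin_email: str      # whose key changed (resource)
    initiator_email: str  # who changed it (initiated_by)
    self_service: bool    # initiator and target are the same admin
    client_ip: str
    country: Optional[str]
    timestamp: str


def api_key_change(event: dict) -> Optional[ApiKeyChange]:
    """Return details if this directory event is an admin API key change, else None."""
    if event.get("service") != "directory" or event.get("event_type") != "admin_update":
        return None
    changed = {c.get("field") for c in (event.get("changes") or []) if isinstance(c, dict)}
    if "apiKey" not in changed:
        return None
    who = event.get("initiated_by") or {}
    target = event.get("resource") or {}
    return ApiKeyChange(
        event_id=str(event.get("id", "")),
        organization=str(event.get("organization", "")),
        admin_email=str(target.get("email", "")),
        initiator_email=str(who.get("email", "")),
        self_service=bool(who.get("id")) and who.get("id") == target.get("id"),
        client_ip=str(event.get("client_ip", "")),
        country=(event.get("geoip") or {}).get("country_code"),
        timestamp=str(event.get("timestamp", "")),
    )


def find_api_key_changes(raw_log: str, org_ids: List[str]) -> List[ApiKeyChange]:
    """Scan a raw log for API key changes in the configured organizations only."""
    wanted = set(org_ids)
    hits: List[ApiKeyChange] = []
    for event in load_events(raw_log):
        if event.get("organization") not in wanted:
            continue
        hit = api_key_change(event)
        if hit is not None:
            hits.append(hit)
    return hits


def describe(change: ApiKeyChange) -> str:
    """One-line summary suitable for an alert or a ticket."""
    whose = "their own" if change.self_service else f"{change.admin_email}'s"
    return (f"{change.timestamp} {change.initiator_email} changed {whose} API key "
            f"from {change.client_ip} ({change.country or 'unknown'}) in org "
            f"{change.organization}; event sources using the old key will fail auth")


if __name__ == "__main__":
    for hit in find_api_key_changes(SAMPLE_RAW_LOG, parse_org_ids("617fe228c8ca986f4608abbc")):
        print(describe(hit))
```

Running the block prints one line for the page’s sample event and nothing for the profile edit or the malformed line. Matching on event_type and changes[].field rather than on free text keeps the check stable across user-agent and geoip variations, and filtering on the configured Organization IDs mirrors what the event source itself ingests.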