Preparing JumpCloud Data to be Funneled Into SIEM Software

Written by Brenna Lee on September 1, 2021


With the looming threat and prevalence of complex cyber attacks on organizations, compliance standards and regulations are constantly tightening and evolving, which makes automation more important than ever. Whether you’re automating onboarding and offboarding, user access provisioning, policy rollouts, or full IT system reporting including data transfer to a third party, each automation lends itself to the end goal of compliance.

Although the requirements vary, a common thread among many compliance standards is the ability to control access to critical information based on identity. This is often done via least privilege access and group provisioning within a directory service or identity provider (IdP). As a part of this standard requirement, IT admins need to have a framework in place to prove that these controls exist and are working properly. 

One common approach to this problem is the use of Security Information and Event Management (SIEM) software to provide IT admins and auditors with enhanced insight into the activity logs from their IT environment. 

Collecting Compliance Data with JumpCloud

JumpCloud Directory Platform is an all-in-one identity management platform that provides access control and device management capabilities from a single cloud admin portal. The Directory Insights™ service from JumpCloud provides comprehensive activity log data across all JumpCloud-managed endpoints that can be ingested by SIEM software to serve organizations’ auditing and compliance needs. This data covers Windows, Mac, and Linux systems; RADIUS network authentications; LDAP access; SAML single sign-on (SSO) usage; and any changes admins make to end-users’ identities and authorization privileges. 

This trail of events is a crucial step in passing an audit and complying with regulations like SOC 2, HIPAA, and PCI DSS.

Exporting Directory Insights For SIEMs

At JumpCloud, we recognize that being able to prepare and collect data to be ingested by a SIEM solution is paramount for managing organizational security. To this end, we provide an AWS serverless app and an API to facilitate data export for consumption by third-party SIEM software.

AWS Serverless App

Directory Insights stores an organization’s event information for 90 days. For data storage outside of that window, we built an AWS serverless app to migrate Directory Insights information into an organization’s AWS S3 bucket. The AWS serverless app is also a mechanism for extracting data and making it available for SIEM tools and other data analytics tools to pick up, as long as they’re set up properly.

To get started with this, you can enter your API key within the app, define your data collection interval, and click deploy. It’s that easy. We will automatically set up the infrastructure in your Amazon environment to poll the API and save the Directory Insights logs in a new S3 bucket, so you never miss a beat in your audit logs. There, your data will sit until the SIEM or log management tool you set up collects it for further analysis.

Setting up the serverless app automates the process of exporting data, and we recommend that every JumpCloud user set this up so the data is available right when it’s needed and manual processes don’t get in the way. Some JumpCloud customers collect large amounts of data about their environment and their users, so it’s incredibly helpful to have access to JumpCloud logs in context with all of the other information collected — this strategy provides the surface visibility needed to make quick decisions about the environment and its users.

API

JumpCloud is built around a RESTful API framework, allowing organizations to administer their directory service as they see fit outside of the limits of the Admin Portal interface. Our API allows users to access our Directory Insights logs and data about JumpCloud’s cloud directory and device management. There are two main types of data collected in JumpCloud, and both are essential to understanding the entire picture of what goes on inside of your IT environment: event-based information, which describes what happened and when, and stateful information, which describes what exists today.

To export this data so that a SIEM or other data analytics tool can pick it up, you can look for generic API connectors from your tool that allow you to ingest data from an API data source. With an admin API key, found in the JumpCloud Admin Portal, admins can poll the JumpCloud API for any information about the directory, identities, and devices.
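As an added illustration (not JumpCloud's own code), here is a small Python poller that pages through the Directory Insights events endpoint with an admin API key and writes the events as newline-delimited JSON, the form most SIEM file collectors ingest directly. The endpoint URL, `x-api-key` header, request body fields and `X-Search_After` cursor header are assumptions drawn from the public API documentation, and the two-page sample response is constructed so the paging logic can be run offline.

```python
import json
import urllib.request

# Endpoint, auth header, body fields and pagination header are assumptions taken from
# JumpCloud's public Directory Insights API docs; check them against the current reference.
INSIGHTS_URL = "https://api.jumpcloud.com/insights/directory/v1/events"

def build_query(start_time, end_time, search_after=None, limit=1000):
    """Body for one page; search_after is the cursor handed back with the previous page."""
    body = {"service": ["all"], "start_time": start_time, "end_time": end_time, "limit": limit}
    if search_after is not None:
        body["search_after"] = search_after
    return body

def fetch_page_http(api_key, body):
    """One authenticated POST against the live API; returns (events, next_cursor)."""
    req = urllib.request.Request(INSIGHTS_URL, data=json.dumps(body).encode(), method="POST",
                                 headers={"x-api-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        events = json.loads(resp.read())
        cursor = resp.headers.get("X-Search_After")  # assumed pagination header
    return events, (json.loads(cursor) if cursor else None)

def collect_events(fetch_page, start_time, end_time):
    """Walk every page in the window; fetch_page is injected so the logic runs offline too."""
    events, cursor = [], None
    while True:
        page, cursor = fetch_page(build_query(start_time, end_time, cursor))
        events.extend(page)
        if not page or cursor is None:
            return events

def to_ndjson(events):
    """One JSON object per line: the line-delimited form most SIEM file collectors ingest as-is."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)

# Constructed two-page response standing in for the live API (sample data, not real events).
_PAGES = {
    None: ([{"id": "ev1", "service": "sso", "event_type": "sso_auth", "success": True},
            {"id": "ev2", "service": "radius", "event_type": "radius_auth", "success": False}],
           ["2021-09-01T00:00:01Z", "ev2"]),
    ("2021-09-01T00:00:01Z", "ev2"): ([{"id": "ev3", "service": "ldap", "event_type": "ldap_bind",
                                        "success": True}], None),
}

def fetch_page_sample(body):
    cursor = body.get("search_after")
    return _PAGES[tuple(cursor) if cursor else None]
if __name__ == "__main__":
    print(to_ndjson(collect_events(fetch_page_sample, "2021-09-01T00:00:00Z", "2021-09-02T00:00:00Z")))
```

To run against the live API, pass `lambda body: fetch_page_http(API_KEY, body)` as the fetch function in place of `fetch_page_sample`.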

Get Started with JumpCloud and Directory Insights

Use the JumpCloud Directory Platform and Directory Insights to manage user identities, devices, networks, and other IT resources while maintaining consistent event logging across each endpoint. Try the full functionality of the platform out for free for up to 10 users and 10 devices by creating a JumpCloud Free account to see how it impacts your security and compliance efforts. On top of that, enjoy 10 days of 24×7 live chat support to help get you started.
