Directory Insights, JumpCloud’s new event logging feature, provides IT administrators with a complete picture of an end user’s access and access rights — from onboarding to all the resources they access day-in, day-out.
It’s a challenge to track all the changes that can happen to a user’s access and all of the applications they access, and, when things go wrong, to pinpoint the root cause of an issue. Directory Insights gives administrators a central place to audit activity across all of JumpCloud’s core services.
Leveraging our APIs, PowerShell Module, and the Activity Log available within the Admin Portal, it’s easier than ever to gain visibility into the actions a user takes throughout the workday. Directory Insights logs events on admin changes in the directory, logins to the User/Admin Portal, user authentications to SAML applications and via RADIUS, logins to macOS, Windows, and Linux systems, and authentications via LDAP.
IT administrators can use event logs to track which SSO applications users access, see if MFA is used, identify failed login attempts, and so much more. Directory Insights extends JumpCloud’s all-in-one access management system with a full 360° view of your end users to ensure your directory identities are secure.
Giving Users Access to Resources
Giving users the right access to their resources is critical to ensure your identities and intellectual property are protected. It all starts with the creation of the user. With Directory Insights, admins can query a list of all users created within a time frame using a curl request to our API endpoint: https://api.jumpcloud.com/insights/directory/v1/events.
We have an array of event types, such as “user_create” and “association_change”, to make it easy for administrators to find what they are looking for.
We designed our API with our admins in mind to make it simple to extract the data but also extremely flexible for filtering and searching. All you need is an API key and a JSON POST body that defines “start_time”, the date from which you would like to start your query, and “service”, the core service from which the event originated, such as “directory”, “sso”, “systems”, “radius”, or “ldap”. We conveniently provide an “all” option to gather events across all services in a single call.
curl -X POST -H "x-api-key: [YOUR API KEY HERE]" -H "Content-Type: application/json" --data '{"service": ["all"], "start_time": "2020-05-14T00:00:00Z"}' https://api.jumpcloud.com/insights/directory/v1/events
To query “user_create” events, you can provide a “search_term” parameter to define the fields you would like to filter by.
curl -X POST -H "x-api-key: [YOUR API KEY HERE]" -H "Content-Type: application/json" --data '{"service": ["all"], "start_time": "2020-05-14T00:00:00Z", "search_term": {"and": {"event_type": ["user_create"]}}}' https://api.jumpcloud.com/insights/directory/v1/events
In the JSON response, we capture metadata about the event to provide a complete picture of what occurred. We surface who initiated the event, when it happened, the user agent information about the browser and system used, client IP and geoip data on the location of an event, and the exact details of what was changed. In the example below we create user “slucero”, who can be identified by the “resource” object and the “user_create” event type. The “changes” object shows all of the attribute values saved when the user was created.
{
  "initiated_by": {
    "id": "5ce434e77128503e528e747c",
    "type": "admin",
    "email": "[email protected]"
  },
  "geoip": {
    "timezone": "America/Denver",
    "country_code2": "US",
    "continent_code": "NA",
    "region_name": "Colorado",
    "region_code": "CO"
  },
  "resource": {
    "id": "5eda6ab54fd13527dcd9ccf9",
    "type": "user",
    "username": "slucero"
  },
  "changes": [
    {
      "field": "firstname",
      "to": "Sarah"
    },
    {
      "field": "lastname",
      "to": "Lucero"
    },
    {
      "field": "password_date",
      "to": "2020-06-05T15:54:29.477Z"
    },
    {
      "field": "password_expiration_date",
      "to": "2020-09-03T15:54:29.477Z"
    },
    {
      "field": "username",
      "to": "slucero"
    },
    {
      "field": "created",
      "to": "2020-06-05T15:54:29.275Z"
    },
    {
      "field": "id",
      "to": "5eda6ab54fd13527dcd9ccf9"
    }, …
  ],
  "auth_method": "session",
  "event_type": "user_create",
  "provider": null,
  "service": "directory",
  "organization": "5ce434e77128503e528e747b",
  "@version": "1",
  "client_ip": "97.122.249.157",
  "id": "5eda6ab54fd13527dcd9ccfb",
  "user_agent": {
    "patch": "4103",
    "minor": "0",
    "major": "83",
    "os": "Mac OS X",
    "build": "",
    "os_minor": "15",
    "os_major": "10",
    "name": "Chrome",
    "os_name": "Mac OS X",
    "device": "Other"
  },
  "timestamp": "2020-06-05T15:54:29.568Z"
}
This is one of many events Directory Insights logs for slucero in their lifecycle as an employee. When IT admins associate users to groups and associate users to systems we will capture similar information and describe which resources and groups a user was assigned to. Having logs on what users are given permissions to access is a critical piece of information administrators use to demonstrate users have the right permissions for compliance, audits, and security.
Authentications to User Portal
Tracking authentications to the directory, SSO applications, RADIUS, LDAP and macOS, Windows, and Linux systems is a valuable task for IT administrators. Not only is it important to know what resources are being used but it’s also critical to quickly identify authentication issues and suspicious activity. Knowing the common authentication behaviors of your users is the first step towards identifying abnormal behavior.
A “user_login_attempt” event also provides an easy-to-parse JSON response with details on when the user attempted to log in, user agent and geoip data at the time of authentication, whether the login was successful, and whether MFA was used. The power of Directory Insights comes when you string together a series of events to provide a complete picture of every change to a user and all of the resources they authenticate to.
{
  "initiated_by": {
    "id": "5eda6ab54fd13527dcd9ccf9",
    "type": "user",
    "username": "slucero"
  },
  "geoip": {
    "timezone": "America/Denver",
    "country_code2": "US",
    "continent_code": "NA",
    "region_name": "Colorado",
    "region_code": "CO"
  },
  "event_type": "user_login_attempt",
  "success": true,
  "service": "directory",
  "organization": "5ce434e77128503e528e747b",
  "@version": "1",
  "mfa": false,
  "client_ip": "97.122.249.157",
  "id": "5edf96163cd5d34ff313b685",
  "user_agent": {
    "minor": "0",
    "os": "Mac OS X",
    "major": "77",
    "build": "",
    "os_minor": "15",
    "os_major": "10",
    "name": "Firefox",
    "os_name": "Mac OS X",
    "device": "Other"
  },
  "timestamp": "2020-06-09T14:00:54Z"
}
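One way to string “user_login_attempt” events together for review, as an added example that is not JumpCloud’s code: it builds the query body from the fields shown above and flags successful logins without MFA and successes that follow a burst of failures. It assumes failed attempts carry the same fields with “success” set to false; the function names, thresholds, and the user “jdoe” are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_query(start_time, event_types, service=("all",)):
    """JSON-serializable POST body built only from the fields shown on this page."""
    return {"service": list(service), "start_time": start_time,
            "search_term": {"and": {"event_type": list(event_types)}}}

def parse_ts(ts):
    # Event timestamps appear with and without fractional seconds.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def review_logins(events, max_failures=3, window=timedelta(minutes=10)):
    """Return (finding, username, timestamp) tuples for user_login_attempt events."""
    findings, failures = [], defaultdict(list)
    logins = [e for e in events if e.get("event_type") == "user_login_attempt"]
    for e in sorted(logins, key=lambda e: parse_ts(e["timestamp"])):
        user = e.get("initiated_by", {}).get("username", "<unknown>")
        when = parse_ts(e["timestamp"])
        # Keep only this user's failures that fall inside the sliding window.
        failures[user] = [t for t in failures[user] if when - t <= window]
        if not e.get("success"):
            failures[user].append(when)
            continue
        if len(failures[user]) >= max_failures:
            findings.append(("success_after_failures", user, e["timestamp"]))
        if not e.get("mfa"):
            findings.append(("success_without_mfa", user, e["timestamp"]))
        failures[user].clear()
    return findings

def sample_event(user, ts, success, mfa):
    # Constructed event, trimmed to the fields the checks read.
    return {"event_type": "user_login_attempt", "service": "directory",
            "initiated_by": {"type": "user", "username": user},
            "timestamp": ts, "success": success, "mfa": mfa}

# Constructed sample data (not real log output).
SAMPLE_EVENTS = [
    sample_event("slucero", "2020-06-09T14:00:54Z", True, False),
    sample_event("jdoe", "2020-06-09T14:01:00Z", False, False),
    sample_event("jdoe", "2020-06-09T14:01:20Z", False, False),
    sample_event("jdoe", "2020-06-09T14:01:45Z", False, False),
    sample_event("jdoe", "2020-06-09T14:02:10Z", True, True),
    {"event_type": "user_create", "timestamp": "2020-06-05T15:54:29.568Z"},
]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS):
        print(finding)
```

Serialize the dictionary from build_query with json.dumps and send it as the POST body of the curl request shown earlier; tune max_failures and window to your users’ normal login behavior.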
Securing Identities With Complete Visibility
Securing your identities starts with having complete visibility and awareness of what is happening across the JumpCloud directory. With Directory Insights, IT admins can easily see how end users are accessing resources as they traverse different applications, services, networks and devices. The data can assist customers with audits and compliance, monitoring and tracking user activity, and investigating security incidents. We are excited to launch this new feature and finally give IT administrators a 360° view of the end user to ensure their identities are secure.
Directory Insights is available today as a premium add-on to JumpCloud’s Directory-as-a-Service, the all-in-one platform for managing identities and systems in the cloud. Learn more about how JumpCloud can securely connect your users with the resources they need.