
A 360° View Of Your End Users to Secure Directory Identities



Directory Insights™, JumpCloud’s new event logging feature, provides IT administrators with a complete picture of an end user’s access and access rights — from onboarding to all the resources they access day-in, day-out.

It’s a challenge to track all the changes that can happen to a user’s access and all of the applications they use, and, when things go wrong, to pinpoint the root cause of an issue. Directory Insights gives administrators a central place to audit activity across all of JumpCloud’s core services.

Leveraging our APIs, PowerShell Module, and the Activity Log available within the Admin Portal, it’s easier than ever to gain visibility into the actions a user takes throughout the workday. Directory Insights logs events on admin changes in the directory, logins to the User/Admin Portal, user authentications to SAML applications and via RADIUS, logins to macOS®, Windows®, and Linux® systems, and authentications via LDAP.

IT administrators can use event logs to track which SSO applications users access, see if MFA is used, identify failed login attempts, and so much more. Directory Insights extends JumpCloud’s all-in-one access management system with a full 360° view of your end users to ensure your directory identities are secure.

Giving Users Access to Resources

Giving users the right access to their resources is critical to ensure your identities and intellectual property are protected. It all starts with the creation of the user. With Directory Insights, admins can query a list of all users created within a time frame using a curl request to our API endpoint: https://api.jumpcloud.com/insights/directory/v1/events.

We have an array of event types, such as “user_create” and “association_change”, to make it easy for administrators to find what they are looking for. 

We designed our API with our admins in mind to make it simple to extract the data but also extremely flexible for filtering and searching. All you need is an API key and a JSON POST body that defines “start_time”, the date from which you would like to start your query, and “service”, the core service from which the event originated, such as “directory”, “sso”, “systems”, “radius”, and “ldap”. We conveniently provide an “all” option to gather events across all services in a single call.

curl -X POST -H "x-api-key: [YOUR API KEY HERE]" -H "Content-Type: application/json" --data '{"service": ["all"], "start_time": "2020-05-14T00:00:00Z"}' https://api.jumpcloud.com/insights/directory/v1/events

To query “user_create” events, you can provide a “search_term” parameter to define the fields you would like to filter by. 

curl -X POST -H "x-api-key: [YOUR API KEY HERE]" -H "Content-Type: application/json" --data '{"service": ["all"], "start_time": "2020-05-14T00:00:00Z", "search_term": {"and": {"event_type": ["user_create"]}}}' https://api.jumpcloud.com/insights/directory/v1/events

In the JSON response, we capture metadata about the event to provide a complete picture of what occurred. We surface who initiated the event, when it happened, user agent information about the browser and system used, the client IP and geoip data on the location of the event, and the exact details of what was changed. In the example below, we create the user “slucero”, who can be identified by the “resource” object and the “user_create” event type. The “changes” object shows all of the attribute values saved when the user was created.

{
  "initiated_by": {
    "id": "5ce434e77128503e528e747c",
    "type": "admin",
    "email": "jane.doe@company.com"
  },
  "geoip": {
    "timezone": "America/Denver",
    "country_code2": "US",
    "continent_code": "NA",
    "region_name": "Colorado",
    "region_code": "CO"
  },
  "resource": {
    "id": "5eda6ab54fd13527dcd9ccf9",
    "type": "user",
    "username": "slucero"
  },
  "changes": [
    {
      "field": "firstname",
      "to": "Sarah"
    },
    {
      "field": "lastname",
      "to": "Lucero"
    },
    {
      "field": "password_date",
      "to": "2020-06-05T15:54:29.477Z"
    },
    {
      "field": "password_expiration_date",
      "to": "2020-09-03T15:54:29.477Z"
    },
    {
      "field": "username",
      "to": "slucero"
    },
    {
      "field": "created",
      "to": "2020-06-05T15:54:29.275Z"
    },
    {
      "field": "id",
      "to": "5eda6ab54fd13527dcd9ccf9"
    },
    …
  ],
  "auth_method": "session",
  "event_type": "user_create",
  "provider": null,
  "service": "directory",
  "organization": "5ce434e77128503e528e747b",
  "@version": "1",
  "client_ip": "97.122.249.157",
  "id": "5eda6ab54fd13527dcd9ccfb",
  "user_agent": {
    "patch": "4103",
    "minor": "0",
    "major": "83",
    "os": "Mac OS X",
    "build": "",
    "os_minor": "15",
    "os_major": "10",
    "name": "Chrome",
    "os_name": "Mac OS X",
    "device": "Other"
  },
  "timestamp": "2020-06-05T15:54:29.568Z"
}

This is one of many events Directory Insights logs for slucero in their lifecycle as an employee. When IT admins associate users to groups and associate users to systems, we capture similar information and describe which resources and groups a user was assigned to. Logs of what users are given permission to access are a critical piece of information that administrators use to demonstrate users have the right permissions for compliance, audits, and security.

Authentications to User Portal

Tracking authentications to the directory, SSO applications, RADIUS, LDAP and macOS, Windows, and Linux systems is a valuable task for IT administrators. Not only is it important to know what resources are being used but it’s also critical to quickly identify authentication issues and suspicious activity. Knowing the common authentication behaviors of your users is the first step towards identifying abnormal behavior. 
A “user_login_attempt” also provides an easy-to-parse JSON response with details on when the user attempted to log in, user agent and geoip data at the time of authentication, whether the login was successful, and whether MFA was used. The power of Directory Insights comes when you string together a series of events to provide a complete picture of every change to a user and all of the resources they authenticate to.

{
  "initiated_by": {
    "id": "5eda6ab54fd13527dcd9ccf9",
    "type": "user",
    "username": "slucero"
  },
  "geoip": {
    "timezone": "America/Denver",
    "country_code2": "US",
    "continent_code": "NA",
    "region_name": "Colorado",
    "region_code": "CO"
  },
  "event_type": "user_login_attempt",
  "success": true,
  "service": "directory",
  "organization": "5ce434e77128503e528e747b",
  "@version": "1",
  "mfa": false,
  "client_ip": "97.122.249.157",
  "id": "5edf96163cd5d34ff313b685",
  "user_agent": {
    "minor": "0",
    "os": "Mac OS X",
    "major": "77",
    "build": "",
    "os_minor": "15",
    "os_major": "10",
    "name": "Firefox",
    "os_name": "Mac OS X",
    "device": "Other"
  },
  "timestamp": "2020-06-09T14:00:54Z"
}
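
As an added example (not JumpCloud's code), the sketch below strings a series of “user_login_attempt” events together per user and reports repeated failures, a success that follows a failure streak, and successful logins without MFA. The threshold of three, the finding names, the user “jdoe” and the IP addresses are assumptions made for illustration; only the event fields come from the responses shown above.

```python
from collections import defaultdict
from datetime import datetime

def parse_ts(ts):
    """Parse the API's UTC timestamps, with or without fractional seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def review_logins(events, max_failures=3):
    """Return (username, finding, timestamp, client_ip) tuples in time order."""
    streak = defaultdict(int)  # username -> consecutive failed attempts
    findings = []
    logins = [e for e in events if e.get("event_type") == "user_login_attempt"]
    for ev in sorted(logins, key=lambda e: parse_ts(e["timestamp"])):
        user = ev.get("initiated_by", {}).get("username", "<unknown>")
        where = (ev["timestamp"], ev.get("client_ip"))
        if not ev.get("success", False):
            streak[user] += 1
            if streak[user] == max_failures:  # report once per streak
                findings.append((user, "repeated_failures", *where))
            continue
        if streak[user] >= max_failures:
            findings.append((user, "success_after_failures", *where))
        if not ev.get("mfa", False):
            findings.append((user, "success_without_mfa", *where))
        streak[user] = 0  # a successful login ends the failure streak
    return findings

def _login(user, ts, success, mfa, ip):
    """Constructed user_login_attempt event limited to fields shown on this page."""
    return {"event_type": "user_login_attempt", "service": "directory",
            "initiated_by": {"type": "user", "username": user},
            "success": success, "mfa": mfa, "client_ip": ip, "timestamp": ts}

# Constructed sample data, deliberately out of order; "jdoe" and the IPs are made up.
SAMPLE_EVENTS = [
    {"event_type": "user_create", "service": "directory",
     "resource": {"type": "user", "username": "slucero"},
     "timestamp": "2020-06-05T15:54:29.568Z"},
    _login("slucero", "2020-06-09T14:00:54Z", True, False, "192.0.2.10"),
    _login("jdoe", "2020-06-09T09:00:03Z", False, False, "203.0.113.7"),
    _login("jdoe", "2020-06-09T09:00:01Z", False, False, "203.0.113.7"),
    _login("jdoe", "2020-06-09T09:00:02.500Z", False, False, "203.0.113.7"),
    _login("jdoe", "2020-06-09T09:00:09Z", True, True, "203.0.113.7"),
]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS):
        print(*finding)
```

Timestamps are parsed rather than compared as strings because the responses mix whole-second and millisecond precision, which does not sort correctly as text.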

Securing Identities With Complete Visibility

Securing your identities starts with having complete visibility and awareness of what is happening across the JumpCloud directory. With Directory Insights, IT admins can easily see how end users are accessing resources as they move across different applications, services, networks and devices. The data can assist customers with audits and compliance, monitoring and tracking user activity, and investigating security incidents. We are excited to launch this new feature and finally give IT administrators a 360° view of the end user to ensure their identities are secure.

Directory Insights is available today as a premium add-on to JumpCloud’s Directory-as-a-Service, the all-in-one platform for managing identities and systems in the cloud. Learn more about how JumpCloud can securely connect your users with the resources they need.

