Directory Insights API

Directory Insights allows you to read event logs, view activity in your directory, and monitor user authentications to the User Portal, RADIUS, LDAP, and SSO apps. Directory Insights analyzes the audit trails that lead to critical events so you know all about your directory activities, including the what, where, when, how, and who. You can monitor:

  • Directory Events: Activity in JumpCloud Portals, including admin changes in the directory and admin / user authentications to the Admin and User Portals.
  • Software Events: Application changes on a device.
  • RADIUS Events: User authentications to RADIUS used for WiFi and VPNs.
  • Systems Events (MacOS, Windows, and Linux): User authentications to devices, including agent-related events on lockout, OS upgrades and rollback events, password changes, and File Disk Encryption. Only SSH login events are logged for Linux devices.
  • LDAP Events: User authentications to LDAP, including LDAP bind and search event types.
  • MDM Events: MDM command results.
  • SSO: When an authorized SSO connector is created, updated, or deleted, as well as when a user authenticates to an SSO application.
  • Password Manager: Invites, activations, and deactivation of users, as well as all events related to folders and their members, including their assigned permissions.

Directory Insights is available in JumpCloud's API, Powershell, and Activity Log. The API uses a single POST endpoint:
https://api.jumpcloud.com/insights/directory/v1/events.

For more information on the Directory Insights API, see the complete Directory Insights API documentation.

API Key Considerations

This API key is associated with the administrator currently logged in. Only administrator roles can access the API. Command runners receive a 403 error.

Warning:

Do not share this API key, as it grants full access to any data accessible via your JumpCloud admin account.

Important:

It's very important to exercise strong security posture when handling your JumpCloud API key. If you believe for any reason that your API key may have been shared or compromised, we recommend generating a new API key. See JumpCloud APIs to learn more.

Row Size Limit

By default, the system returns a maximum of 10,000 rows. You can change the number of rows returned by adding a value for the limit field in the JSON body you send to the service.

HTTP Response Header Metadata

You find information about your query in the HTTP Response headers, including the number of rows returned to you in the results array (result_count), the search order used (based on the event timestamp), and other fields (limit).

HTTP Response Header Metadata

HTTP Response Header Metadata Description
X-Result-Count Number of elements in the array returned by the service.
X-Limit Maximum number of rows the service can return in one call.
X-Sort Sort direction of the result array timestamp column.
X-Search_after Token you'll send to the service to get subsequent pages of data.
X-Request-Id Tracing header used to follow a specific query through the system.

Example Response Header:

{
"X-Result-Count": 1000,
"X-Limit": 1000,
"X-Sort": "ASC",
"X-Search_after": [
1576181718000,
"DZrPyW8BNsa9iKWoOm7h"
],
"X-Request-Id": "f5b277fc-7b0b-4c1e-9bee-c5ea1d79302f"
}

Schemas

The schemas available in the Directory Insights API are:

The event types available in the Directory Insights API are:

The AWS Serverless App

The AWS Serverless Application automatically provisions all of the resources required to export JumpCloud Directory Insights Data into an AWS S3 bucket. For more information, see The JumpCloud Directory Insights AWS Serverless Application.

View Old API Keys Actively Being Used

The Directory Insights event ‘admin_old_api_key_attempt’ can be used to identify any old admin API key that’s still being used. When an admin API key is rotated, you’ll see these events until you replace all instances of your old admin API key with the newly rotated key value. Each attempted usage of an old admin API key will generate a new instance of this event detailing the extent of its usage.

To view old API Keys:

  1. Log in to the JumpCloud Admin Portal.
  2. In the left hand navigation, click INSIGHTS > Directory.
  3. Select a Time Range.  Only events within that Time Range will be displayed.
  4. In the Event Type dropdown menu, select admin_old_api_key_attempt to filter the events.
  5. A list of results will populate if there are any old API keys being actively used for the selected Time Range.
    • You can also pinpoint usage by searching your code base for the specific JumpCloud API Path value ‘console.jumpcloud.com’ endpoint or for the following ‘api.jumpcloud.com’ path snippets:
      • ‘/insights/directory/v1’
      • ‘/reports’
      • ‘/import/users’
  6. Click the dropdown arrow next to the timestamp of an event to see a Summary.
  7. Click the JSON tab to see the event details to identify the source of where the old API key is being used. The following details are provided:
    • initiated_by: Identifies the admin who’s API key is being used.
    • client_ip: The IP Address from which the API call was sourced to JumpCloud.
    • geoip: Identifies the geography associated with the client IP address.
    • Resource:  Identifies the base URL for the JumpCloud API being called.
    • useragent: Standard information about the program making the api call.
  8. Now, your old API key might be coming from various integrations with JumpCloud. You will have to generate a new API key and update any existing integrations that use an API key with the newly generated value. See which integrations use an API key below.

Accessing Your API Key and Generating a New One

See JumpCloud APIs to learn more.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case