JumpCloud Appliance¶
About¶
JumpCloud is a U.S.-based enterprise software company headquartered in Denver, Colorado.The company was formally launched in 2013 at TechCrunch Disrupt Battlefield as an automated server management tool. JumpCloud’s cloud based directory platform is used to securely manage users identity, devices, and access.
Product Details¶
Vendor URL: JumpCloud
Product Type: Cloud-based directory platform/LDAP
Product Tier: Tier III
Integration Method: Chronicle/API
Log Guide: Jumpcloud Directory Insights - Cyderes Documentation
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: JUMPCLOUD_DAAS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Hard-coded | extensions.auth.type |
| association.op, changes.0.field, changes.1.field, changes.0.to, resource.name | metadata.description |
| Hard-coded | metadata.event_type |
| event_type, | metadata.product_event_type |
| Hard-coded | metadata.vendor_name |
| client_ip | principal.ip |
| port | principal.port |
| username, initiated_by.email, initiated_by.username, resource.username | principal.user.userid |
| Hard-coded | security_result |
| association.connection.from.name, changes.0.from | src.hostname |
| association.connection.from.type, changes.1.from | src.user.groupid |
| organization | target.administrative_domain |
| association.connection.to.name, resource.email, changes.0.to, resource.hostname | target.hostname |
| association.connection.to.type, changes.1.to | target.user.groupid |
| username, initiated_by.email, initiated_by.username, resource.username, | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| All other events | GENERIC_EVENT |
| association_change | STATUS_UPDATE |
| user_password_change | USER_CHANGE_PASSWORD |
| user_update or admin_update | USER_CHANGE_PERMISSIONS |
| user_create | USER_CREATION |
| ldap_bind,radius_auth_attempt,admin_login_attempt,user_login_attempt | USER_LOGIN |
| user_unlocked,user_activated,user_password_warning_email | USER_UNCATEGORIZED |
Log Sample¶
{"error_message":"","geoip":{"longitude":-11.11,"timezone":"America/Chicago","latitude":11.11,"country_code2":"US","continent_code":"NA"},"mfa":true,"id":"888888888abcd","user_agent":{"build":"","name":"Chrome","os_name":"Windows","device":"Other","patch":"4472","os":"Windows","minor":"0","major":"91"},"timestamp":"2021-07-01T12:12:12Z","mfa_meta":{"type":"totp"},"service":"directory","@version":"1","auth_context":{"auth_methods":{"totp":{"success":true},"password":{"success":true}},"policies_applied":[{"id":"888888888abcd","metadata":{"resource_type":"USER_PORTAL","action":"ALLOW_WITH_MFA","targets":["USER_GROUP_INCLUSION"]},"name":"Enforce MFA on All Users in O365 Group"}]},"event_type":"user_login_attempt","success":true,"organization":"888888888abcd","client_ip":"1.2.3.4","initiated_by":{"id":"888888888abcd","type":"user","username":"john.doe"}}
Sample Parsing¶
metadata.event_timestamp.seconds = 1625141532
metadata.event_type = USER_LOGIN
metadata.vendor_name = "Jumpcloud"
metadata.product_event_type = "user_login_attempt"
principal.user.userid = "john.doe"
principal.ip = "1.2.3.4"
target.user.userid = "john.doe"
target.administrative_domain = "888888888abcd"
security_result.summary = "user_login_attempt"
security_result.action = ALLOW
extensions.auth.type = MACHINE
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon