JumpCloud Directory Insight Events
JumpCloud Directory Insights logs capture authentication, authorization, and directory management events across your JumpCloud environment, including user logins, group modifications, system access attempts, and policy changes. These logs are crucial for security monitoring, compliance reporting, and understanding user activity across your organization’s directory services.
When adding a JumpCloud source RunReveal will ingest the last 96 hours of logs before polling every minute for new logs.
Setup
Give your JumpCloud source a descriptive name to help find it later. The two fields we require are a list of services that you want events ingested from and an API Key.
Service List
JumpCloud separates their events into distinct services each with their own schema. Select “All” from the list to ingest all of the current and future services that JumpCloud supports. Otherwise select a subset of services to import.
API Key
To generate an API Key perform the following actions.
- Log into the JumpCloud Admin portal.
- Click the username drop-down menu located in the top-right of the Admin Portal.
- Click API Settings.
API Keys have full access to all data accessible to the admin account that created it. RunReveal recommends creating a service level account with minimal permissions to provide access to your JumpCloud Events.
Verify Its working
Once added the source logs should begin flowing within a minute.
You can validate we are receiving your logs by running the following SQL query.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: jumpcloud_directory_logs (132 columns)
jumpcloud_directory_logs (132 columns)| Column | Type |
|---|---|
id | String |
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime64(3) |
eventTime | DateTime64(3) |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actorId | String |
username | String |
hostname | String |
timestamp | DateTime64(3) |
service | String |
organization | String |
organizationID | String |
initiatedByID | String |
initiatedByType | String |
initiatedByUsername | String |
initiatedByEmail | String |
resourceType | String |
resourceId | String |
resourceName | String |
resourceEmail | String |
resourceUsername | String |
resourceDisplayname | String |
clientIp | String |
userAgent | String |
errorMessage | String |
authContext | String |
mfaStatus | String |
mfaType | String |
mfaProvider | String |
mfaDetails | String |
applicationName | String |
applicationId | String |
applicationDisplayName | String |
applicationSsoUrl | String |
idpType | String |
idpName | String |
spType | String |
spName | String |
radiusNasIp | String |
radiusNasPort | String |
radiusCallingStationId | String |
radiusCalledStationId | String |
| Column | Type |
|---|---|
radiusNasIdentifier | String |
radiusReplyMessage | String |
systemId | String |
systemHostname | String |
ldapDn | String |
ldapFilter | String |
ldapScope | String |
ldapBaseDn | String |
ldapAttributes | String |
changes | String |
previousValues | String |
newValues | String |
changeSource | String |
sessionId | String |
requestId | String |
correlationId | String |
traceId | String |
deviceId | String |
deviceSerialNumber | String |
deviceModel | String |
deviceOsVersion | String |
deviceUdid | String |
mdmCommand | String |
mdmStatus | String |
mdmCommandUuid | String |
mdmDeviceID | String |
vaultId | String |
vaultName | String |
itemType | String |
itemId | String |
folderId | String |
folderName | String |
shared | String |
groupId | String |
groupName | String |
groupType | String |
policyId | String |
policyName | String |
policyTemplate | String |
integrationName | String |
integrationType | String |
providerName | String |
providerType | String |
commandId | String |
commandName | String |
commandResult | String |
commandQueries | String |
softwareName | String |
softwareVersion | String |
softwareAction | String |
success | UInt8 |
apiVersion | String |
eventSource | String |
severity | String |
category | String |
tags | String |
metadata | String |
mspId | String |
mspName | String |
tenantId | String |
tenantName | String |
alertId | String |
alertType | String |
alertStatus | String |
notificationType | String |
notificationChannel | String |