JumpCloud

JumpCloud’s open directory platform allows the user to unify technology stack across identity, access, and device management, in a manner that doesn’t sacrifice security or functionality.

JumpCloud can be integrated to Coralogix using a designated script

Prerequisites

1. A virtual machine used as an intermediate
2. Access to JumpCloud platform as Administrator for the API Key

It is recommended to create a read-only administrator account for the API key used in the integration

The API key can be found by clicking your initials on the top right of the JumpCloud platform and then clicking “My API Key”

Deployment

• Login to the Instance that will be used for shipping the JumpCloud logs
• Copy the script and configuration file to the instance
• Install PowerShell on the instance by copying and running the following script

# Update the list of packages
sudo apt-get update
# Install pre-requisite packages.
sudo apt-get install -y wget apt-transport-https software-properties-common
# Download the Microsoft repository GPG keys
wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb"
# Register the Microsoft repository GPG keys
sudo dpkg -i packages-microsoft-prod.deb
# Update the list of packages after we added packages.microsoft.com
sudo apt-get update
# Install PowerShell
sudo apt-get install -y powershell
# Start PowerShell
pwsh

• Install the JumpCloud module

Install-Module -Name JumpCloud

• Edit the configuration file
  • jumpcloud.api_key – Your private key can be found in your Coralogix account under Settings>Send Your Data. Learn more about your private key.
  • siem.url – https://api.<coralogix domain>/logs/datastream
    • Coralogix domain – the region-specific endpoint associated with your Coralogix Account. You can find your Domain here.
  • custom_log_fields.reqHost – Application name
  • custom_log_fields.customField – Subsystem name
• In the virtual machine instance, create a cronjob with the following command

crontab -e

• In the crontab document, paste the following line

* * * * * /usr/bin/pwsh ~/JC-DI2SIEM/JC-DI2SIEM.ps1 -config_file:~/JC-DI2SIEM/config_coralogix.json 2>&1

• Save & quit the crontab

After successfully completing the provided steps, logs will start to ingest to the provided Coralogix account

Log example

{
  "jumpcloud": {
    "initiated_by": {
      "id": "637212c33f396457d287dad6",
      "type": "admin",
      "email": "[email protected]"
    },
    "geoip": {
      "country_code": "IL",
      "timezone": "Asia/Jerusalem",
      "latitude": 32.0803,
      "continent_code": "AS",
      "region_name": "Tel Aviv",
      "longitude": 34.7805,
      "region_code": "TA"
    },
    "useragent": {
      "minor": "0",
      "os": "Mac OS X",
      "os_minor": "15",
      "os_major": "10",
      "os_version": "10.15.7",
      "version": "108.0.0.0",
      "os_patch": "7",
      "patch": "0",
      "os_full": "Mac OS X 10.15.7",
      "major": "108",
      "name": "Chrome",
      "os_name": "Mac OS X",
      "device": "Mac"
    },
    "mfa": false,
    "event_type": "admin_login_attempt",
    "success": true,
    "service": "directory",
    "organization": "637212c33f396",
    "@version": "1",
    "client_ip": "10.20.30.40",
    "id": "639f9ea9ac5d37",
    "jc_timestamp": "2022-12-18T14:57:03.801Z",
    "reqHost": "jumpcloud",
    "customField": "jumpcloud",
    "severity": "info"
  }
}