
Quick Start Security for JumpCloud


Coralogix Extension For JumpCloud Includes:

Alerts - 23

Stay on top of JumpCloud key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A Device Was Added to a User

Summary: This alert triggers when a user is added or connected to a device. To keep your organization secure after you have created or imported your users and added your devices to your JumpCloud organization, you must grant access by binding those users to your devices. Once bound, a user can use their JumpCloud password to access those devices; a user who is not bound to a device cannot log in to it.
Impact: After a user is added to or connected with a device, an adversary holding that user's JumpCloud credentials can log in to and control the device.
Mitigation: Check with the user whether this action was legitimate. If not, revert the change and investigate any malicious or suspicious actions performed afterward.
MITRE Tactic: TA0003
MITRE Technique: T1098

A user profile updated

Summary: This alert triggers whenever a user profile is updated or modified.
Impact: An adversary can update a user's settings such as the password, MFA factor, or keys to escalate privileges or to persist in the network.
Mitigation: Check with the user whether the updates were legitimate. If not, revert the changes, investigate further, and review any actions taken by that user after the profile update. Check the 'Changes' field for details on which user parameters were updated. Note: Fine-tune this alert to your environment to reduce noise.
MITRE Tactic: TA0003
MITRE Technique: T1098

A user deleted

Summary: This alert triggers when a user is removed or deleted from JumpCloud. Deleted users are permanently removed; to add a deleted user again, you must recreate the user's account.
Impact: An adversary may delete a user they previously added for malicious activity in order to remove traces of that activity from the network.
Mitigation: Check whether the user was aware of this action and validate that the user was authorized to perform the deletion. If not, revert the change and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

Multiple user accounts locked out

Summary: This alert triggers when multiple JumpCloud accounts are locked out. A JumpCloud account can be locked for various reasons, such as exceeding the limit of failed login attempts, suspicious activity, or a manual lock by the account administrator. A locked account cannot be accessed until an administrator unlocks it.
Impact: The impact of a locked JumpCloud account depends on the user's role and the organization's reliance on JumpCloud services. Generally, it disrupts the user's ability to access resources, applications, or services tied to their account, which can lead to productivity loss, delays, and frustration for the affected user.
Mitigation: Check whether the lockouts are due to a technical issue or a change in the environment. If no legitimate reason can be established, investigate further for malicious activity. Additionally:
1. Contact the administrator: If your account is locked, reach out to your organization's JumpCloud administrator or IT support team. They can investigate the reason for the lockout and help you regain access.
2. Verify login credentials: Ensure you are using the correct username and password combination. Double-check for typing errors or password changes that may have occurred.
3. Reset your password: If you suspect that a forgotten or expired password caused the lockout, initiate a password reset. JumpCloud typically offers password reset through email, security questions, or other authentication methods.
4. Check for suspicious activity: If you suspect unauthorized access attempts or suspicious activity on your account, inform your administrator immediately. They can investigate and take appropriate measures to secure your account and prevent further incidents.
MITRE Tactic: TA0006
MITRE Technique: T1110

Administrator Role Assigned to a User

Summary: This alert triggers when administrative privileges are provisioned to a JumpCloud user.
Impact: An adversary may assign an administrator role or privileges to a JumpCloud user in order to give a compromised account additional permissions and maintain access to the target environment.
Mitigation: Check with the JumpCloud admin to confirm that the users or devices should have administrative privileges. If not, revoke the privileges and investigate for any malicious activity by the admin.
MITRE Tactic: TA0004
MITRE Technique: T1078

Admin granted system privileges to a user

Summary: This alert triggers when a JumpCloud admin grants a user administrative privileges on a user endpoint.
Impact: An adversary may assign an administrator role or privileges to a JumpCloud user in order to gain additional permissions on a compromised system and maintain access to the target environment.
Mitigation: Check with the admin who made the change to confirm that the user should have administrative privileges on the specified resource. If not, revert the change and investigate for any malicious activity by that admin.
MITRE Tactic: TA0004
MITRE Technique: T1078

Admin triggered impossible travel scenario

Summary: This alert triggers when an admin logs in to their JumpCloud account from more than one country within a one-hour interval. Authentications from different countries usually have one of three causes:
1. The user is traveling.
2. The user is using a VPN solution.
3. The user's credentials were compromised.
Impact: An admin's login activity from more than one country within a short span of time could indicate that the account was compromised.
Mitigation: Verify whether the login activity is legitimate. If not, investigate further for signs of compromise. If the account is compromised, force a password change and enable MFA if it is not already enabled.
MITRE Tactic: TA0001
MITRE Technique: T1078
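The one-hour, more-than-one-country condition above, as an added Python example (not the Coralogix extension's own rule logic): it slides a one-hour window over constructed admin login records and reports each admin seen from more than one country inside a window, together with the countries, which is what an analyst needs to separate travel and VPN use from compromise. The field names and sample data are assumptions, not JumpCloud's event schema.

```python
from datetime import datetime, timedelta

# Constructed admin login records (not real data). The input is assumed to be
# already filtered to successful admin logins, with the source country taken
# from GeoIP; field names are assumed, not the Directory Insights schema.
ADMIN_LOGINS = [
    {"timestamp": "2024-05-01T08:00:00Z", "username": "alice", "country": "US"},
    {"timestamp": "2024-05-01T08:35:00Z", "username": "alice", "country": "DE"},
    {"timestamp": "2024-05-01T10:00:00Z", "username": "alice", "country": "US"},
    {"timestamp": "2024-05-01T09:10:00Z", "username": "bob", "country": "US"},
    {"timestamp": "2024-05-01T12:00:00Z", "username": "bob", "country": "FR"},
]
WINDOW = timedelta(hours=1)  # "more than 1 country within 1 hour"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events, window=WINDOW):
    """Return {username: {countries}} for every admin whose successful logins
    span more than one country inside any `window`-long sliding interval.
    Logins are sorted per user, so events may arrive out of order."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["username"], []).append(
            (_parse(e["timestamp"]), e["country"]))
    hits = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # advance the left edge until the window spans at most `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            countries = {c for _, c in logins[start:end + 1]}
            if len(countries) > 1:
                hits.setdefault(user, set()).update(countries)
    return hits
```

On the sample data only alice fires (US and DE 35 minutes apart); bob's two countries are almost three hours apart and stay below the threshold. Allowlisting the egress countries of corporate VPN gateways removes the second of the three causes listed above from the alert.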

Multiple Failed Login Attempts

Summary: This alert triggers whenever failed login attempts against more than 15 unique user accounts from the same source IP address are observed within a 10-minute interval.
Impact: Many failed login attempts in a short time frame may indicate a brute-force attack against the affected accounts.
Mitigation: Check whether the failed login attempts are genuine. If not, investigate further. Make sure MFA is enabled for all user accounts.
MITRE Tactic: TA0006
MITRE Technique: T1110

Building Block - Successful login attempt

Summary: This alert triggers whenever a user or an admin successfully logs in to their JumpCloud account. It is one of the building blocks for the flow alert 'JumpCloud - Flow Alert - Possible Credential stuffing attack'. Note: Since this is an informational event and is part of a flow alert, administrators can choose not to enable a webhook for it.

A policy created

Summary: This alert triggers when a policy is created. You can create policies in JumpCloud's Admin Portal and deploy them to a single device or to groups of devices. Policies enforce specific behavior on the devices you manage.
Impact: An adversary may create a policy in order to enforce malicious behavior on the devices you manage.
Mitigation: Check whether the user is aware of the created policy and whether the policy is legitimate. If not, revert the change and investigate the newly enforced policy.
MITRE Tactic: TA0003
MITRE Technique: T1098

A User Added to a User Group

Summary: This alert triggers when a user is added to a user group in JumpCloud. JumpCloud lets you create user groups either manually or through attributes, and user groups make it easy to grant users access to common resources.
Impact: An adversary may add a user to a user group in order to receive the same resource access as the other members of that group.
Mitigation: Check with the user whether this action was legitimate. If not, review the change and investigate any malicious or suspicious actions performed afterward.
MITRE Tactic: TA0003
MITRE Technique: T1098

A New User Created

Summary: This alert triggers when a new user is created in JumpCloud. See the following link for tips and best practices for creating users in JumpCloud: https://support.jumpcloud.com/s/article/Tips-and-Best-Practices-for-Creating-Users-in-JumpCloud
Impact: An adversary may create a user to maintain persistence in a network. They can then add that user to a privileged group and thereby escalate privileges.
Mitigation: Check whether the user was aware of this action and validate that the user was authorized to create the account. If not, revert the change and investigate further.
MITRE Tactic: TA0003
MITRE Technique: T1136

MFA disabled for an admin account

Summary: This alert triggers when a JumpCloud MFA policy is disabled for an admin account.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls. An admin account without MFA poses a grave risk and is susceptible to brute-force attacks.
Mitigation: Investigate the policy change and the admin who disabled it, and determine whether the action was authorized. If not, re-enable MFA and review all actions performed by the admin while MFA was off for malicious activity.
MITRE Tactic: TA0004
MITRE Technique: T1078

An Admin logged-in successfully without MFA

Summary: This alert triggers when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not in itself indicative of malicious activity, but as a best practice administrator accounts should have MFA enabled.
Impact: Without MFA, adversaries can gain access to an account far more easily: once the username and password are acquired, they own the account.
Mitigation: Reach out to the authenticated user to determine whether the login was legitimate. If it was, request that the user enable MFA. If it was not, rotate the credentials and enable MFA. Review all user accounts to ensure MFA is enabled.
MITRE Tactic: TA0001
MITRE Technique: T1078

JumpCloud Protect app device deleted

Summary: This alert triggers when a user deletes a JumpCloud Protect app device. JumpCloud Protect is a mobile authenticator app (2FA/MFA) that lets employees receive 2FA/MFA codes on their corporate-issued or BYOD device in order to authenticate to protected apps and resources on the company network.
Impact: An adversary may delete the JumpCloud Protect app device in order to weaken an organization's security controls or to prevent a user from accessing company resources.
Mitigation: Investigate the user who deleted the Protect app device and all actions performed by that user afterward.
MITRE Tactic: TA0004
MITRE Technique: T1078

A policy attached to a device group

Summary: This alert triggers when a policy is assigned or attached to a device group.
Impact: Threat actors can attach a policy to a device group to escalate their privileges.
Mitigation: Check whether this action was legitimate and whether the user who performed it has the permissions to do so. If not, revert the action and investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078

A policy deleted

Summary: This alert triggers when a policy is deleted. Note that a device must be unbound from a policy before the policy can be deleted.
Impact: An adversary may delete a policy in order to weaken an organization's security controls.
Mitigation: Validate that the user was authorized to perform the action. If not, revert the change and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

A policy updated

Summary: This alert triggers when a policy is updated in the JumpCloud portal.
Impact: An adversary may modify an existing policy in order to weaken an organization's security controls.
Mitigation: Validate that the user was authorized to perform the update. If not, revert the change and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

A policy group created

Summary: This alert triggers when a policy group is created. Users and administrators save time by creating a policy group, adding multiple policies to it, and applying the group to multiple devices or device groups.
Impact: An adversary may create a policy group in order to enforce malicious behavior on the devices or device groups you manage.
Mitigation: Check whether the admin is aware of the created policy group and whether it is legitimate. If not, revert the change and investigate the newly enforced policy group.
MITRE Tactic: TA0003
MITRE Technique: T1098

A device group deleted

Summary: This alert triggers when a device group is deleted. Device groups let you pool devices for policy enforcement and user account provisioning at scale.
Impact: An adversary may delete a device group so that the policies enforced on its member devices are removed, leaving the individual devices an easier target.
Mitigation: Review the change and validate that the user was authorized to perform the deletion. If not, revert the change and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

A user group deleted

Summary: This alert triggers when a user group is removed or deleted. User groups are how you grant users access to resources.
Impact: An adversary may delete a user group to weaken an organization's security controls.
Mitigation: Review the change and validate that the user was authorized to perform the deletion. If not, revert the change and investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

A Device Added to a Device Group

Summary: This alert triggers when a device is added or bound to a device group. JumpCloud saves you time by letting you manage devices in groups.
Impact: An adversary may add an infected device to a device group in order to move laterally in the network, or to give devices more privileges by making them part of a more privileged group.
Mitigation: Check with the admin whether binding the device to the device group was legitimate. If not, revert the change and investigate any malicious or suspicious actions performed afterward.
MITRE Tactic: TA0003
MITRE Technique: T1098

Flow Alert - Possible credential stuffing attack

Summary: This flow alert triggers on a possible credential-stuffing attack against a JumpCloud account. Credential stuffing is an attack in which automated tools try large numbers of stolen username and password pairs across many websites or applications, relying on the fact that people often reuse passwords across multiple accounts.
Impact: If successful, attackers can gain access to personal information or financial details, or take over accounts entirely, leading to identity theft, financial loss, and reputational damage.
Mitigation: Check whether the failed login attempts and the subsequent successful login were legitimate. If not, investigate for a possible brute-force attack. Additionally:
1. Use unique passwords: Always create strong, unique passwords for each online account. Password managers can generate and store complex passwords securely.
2. Enable multi-factor authentication (MFA): MFA adds an extra layer of security by requiring an additional verification step, such as a fingerprint scan or a one-time password, alongside the username and password.
MITRE Tactic: TA0006
MITRE Technique: T1110
MITRE Sub-Technique: 004
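The two stages behind this flow alert, the 'Multiple Failed Login Attempts' threshold (more than 15 unique accounts from one source IP within 10 minutes) followed by the 'Building Block - Successful login attempt' from the same source, as one added Python example that is not the extension's own rule logic: it runs both stages over constructed login events. The field names, thresholds as constants, and sample data are assumptions, not JumpCloud's event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JumpCloud-style login events (not real data; field names are
# assumed, not the Directory Insights schema): 203.0.113.5 fails against 16
# accounts in five minutes then succeeds for one; 198.51.100.9 is benign.
BASE = datetime(2024, 5, 1, 9, 0, 0)
LOGIN_EVENTS = [
    {"ts": BASE + timedelta(seconds=20 * i), "user": f"user{i}",
     "src_ip": "203.0.113.5", "success": False}
    for i in range(16)
] + [
    {"ts": BASE + timedelta(minutes=6), "user": "user7",
     "src_ip": "203.0.113.5", "success": True},
    {"ts": BASE + timedelta(minutes=1), "user": "carol",
     "src_ip": "198.51.100.9", "success": False},
    {"ts": BASE + timedelta(minutes=2), "user": "carol",
     "src_ip": "198.51.100.9", "success": True},
]
FAIL_THRESHOLD = 15                  # more than 15 unique accounts ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within 10 minutes, per source IP

def failed_login_bursts(events):
    """Return {src_ip: (first_fail, last_fail)} for source IPs whose failed
    logins cover more than FAIL_THRESHOLD distinct accounts inside a
    FAIL_WINDOW sliding window ('Multiple Failed Login Attempts' rule)."""
    fails = defaultdict(list)
    for e in events:
        if not e["success"]:
            fails[e["src_ip"]].append((e["ts"], e["user"]))
    bursts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # drop attempts from the left until the window spans <= FAIL_WINDOW
            while attempts[end][0] - attempts[start][0] > FAIL_WINDOW:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) > FAIL_THRESHOLD:
                bursts.setdefault(ip, (attempts[start][0], attempts[end][0]))
    return bursts

def credential_stuffing_flow(events):
    """Flow alert: a burst followed by a success from the same source IP.
    Returns [(src_ip, user, success_time)] for the analyst to verify."""
    bursts = failed_login_bursts(events)
    return [(e["src_ip"], e["user"], e["ts"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["success"] and e["src_ip"] in bursts
            and e["ts"] >= bursts[e["src_ip"]][1]]
```

On the sample data the burst stage fires only for 203.0.113.5, and the flow stage reports its later successful login as user7, which is the account to rotate and the session to review first.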

Integration

Learn more about Coralogix's out-of-the-box integration with JumpCloud in our documentation.
