JumpCloud intrusion detection

Capsule9659
Novitiate I

Hi everyone,

In response to the recent compromise (that I'm sure has impacted all of us) we (Jumpcloud MSP users) performed an investigation to determine if any of our organisations were affected.  I'm aware it's extremely unlikely but better safe than sorry.

I'm wondering if anyone has any suggestions as to how to perform this check?

We did the following:

  1. Check our users list for any that we don't recognise or that otherwise seem unusual.
  2. Perform similar checks on Commands.
  3. Go through the logs and see if anything there looks wrong.

We looked at the following kinds of log entries between 22/6 and the present:

  • user_create - Duplicating item #1 above
  • command_create, command_run, command_delete - Duplicating #2
  • user_password_change - I'm not sure this is even relevant but I checked it out
  • user_create_provision - Seems like something that could potentially be useful to an attacker
  • association_change - Could be used for privilege escalation
  • software_add, software_change, software_remove - Could be used to add malware or remove defensive software such as antivirus
  • admin_access_granted, admin_update - Unlikely to be relevant but generates a small amount of data, so why not?

Has anyone got anything to add to this?

1 REPLY

urvashi
Community Manager

We always love to see our customers implementing good security practices.  It is an industry best practice to provide routine review of API key utilization in any SaaS platform. JumpCloud has added admin_old_api_key_attempt to Directory Insights to allow our customers to better understand where older API keys might be in use.  Follow this guide for more information on how to view this event in DI.
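The review in the original post (check users, commands and the listed Directory Insights event types since 22/6) and the reply's admin_old_api_key_attempt event can be run as one triage pass over an exported event stream. The script below is an added example and is not code from the thread, from JumpCloud, or from any of the posters. It assumes the export is newline-delimited JSON with event_type, timestamp, initiated_by.email and client_ip fields (an assumption about the export format, not a statement of the real schema), assumes the year of the 22/6 window is 2023, and runs on a constructed sample rather than real tenant data. It buckets each watchlisted event by what the review step is looking for and groups by initiator, so an unfamiliar actor surfaces as a short list rather than being buried in raw log lines.

```python
"""Triage an exported Directory Insights event stream against a watchlist.

Added example (not from the original thread or from JumpCloud): reads
newline-delimited JSON events, keeps those in a review window, buckets them
by the event types the thread lists, and groups each bucket by initiator so
unfamiliar actors stand out. Field names (event_type, timestamp,
initiated_by.email, client_ip) are assumptions about the export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event types from the thread: the OP's review list plus the reply's
# admin_old_api_key_attempt, grouped by what each review step looks for.
WATCHLIST = {
    "user_create": "unexpected users",
    "user_create_provision": "unexpected users",
    "user_password_change": "unexpected users",
    "command_create": "unexpected commands",
    "command_run": "unexpected commands",
    "command_delete": "unexpected commands",
    "association_change": "privilege change",
    "software_add": "software change",
    "software_change": "software change",
    "software_remove": "software change",
    "admin_access_granted": "admin change",
    "admin_update": "admin change",
    "admin_old_api_key_attempt": "stale API key",
}

# Review window start. The post says 22/6; the year 2023 is an assumption.
WINDOW_START = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed sample export (not real JumpCloud data): three watchlisted
# events inside the window, one before it, one not on the watchlist.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"event_type": "user_create", "timestamp": "2023-06-25T10:00:00Z",
                "initiated_by": {"email": "admin@example.test"}, "client_ip": "203.0.113.5"}),
    json.dumps({"event_type": "command_run", "timestamp": "2023-06-26T11:30:00Z",
                "initiated_by": {"email": "admin@example.test"}, "client_ip": "203.0.113.5"}),
    json.dumps({"event_type": "admin_old_api_key_attempt", "timestamp": "2023-06-27T09:15:00Z",
                "initiated_by": {"email": "unknown@example.test"}, "client_ip": "198.51.100.9"}),
    json.dumps({"event_type": "user_create", "timestamp": "2023-06-01T08:00:00Z",
                "initiated_by": {"email": "admin@example.test"}, "client_ip": "203.0.113.5"}),
    json.dumps({"event_type": "login_attempt", "timestamp": "2023-06-28T12:00:00Z",
                "initiated_by": {"email": "admin@example.test"}, "client_ip": "203.0.113.5"}),
])


def parse_timestamp(value):
    # Timestamps are assumed to be ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(export_text, window_start=WINDOW_START, watchlist=WATCHLIST):
    """Return {category: {initiator: [event, ...]}} for watchlisted events in the window.

    Malformed lines are skipped rather than aborting the whole review."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            when = parse_timestamp(event["timestamp"])
        except (ValueError, KeyError):
            continue
        category = watchlist.get(event.get("event_type"))
        if category is None or when < window_start:
            continue
        actor = (event.get("initiated_by") or {}).get("email", "<unknown>")
        buckets[category][actor].append(event)
    return {cat: dict(actors) for cat, actors in buckets.items()}


def unfamiliar_actors(buckets, known_admins):
    """List (category, actor, count) for initiators not in the team's known admin set."""
    findings = []
    for category, actors in buckets.items():
        for actor, events in actors.items():
            if actor not in known_admins:
                findings.append((category, actor, len(events)))
    return sorted(findings)


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for category, actors in result.items():
        for actor, events in actors.items():
            print(f"{category:20} {actor:28} {len(events)} event(s)")
    for finding in unfamiliar_actors(result, {"admin@example.test"}):
        print("REVIEW:", finding)
```

Against the constructed sample, the pre-window user_create and the non-watchlisted login_attempt drop out, and the only finding is the stale API key attempt by an initiator outside the known admin set. With a real export you would replace SAMPLE_EXPORT with the file contents and known_admins with your team's admin emails; reviewing by initiator is the part that scales, since the list of familiar actors in an MSP tenant is short.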
