In response to the recent compromise (that I'm sure has impacted all of us), we (JumpCloud MSP users) performed an investigation to determine if any of our organisations were affected. I'm aware it's extremely unlikely, but better safe than sorry.
I'm wondering if anyone has any suggestions as to how to perform this check?
We did the following:
We looked at the following kinds of log entries between 22/6 and the present:
Has anyone got anything to add to this?
We always love to see our customers implementing good security practices. It is an industry best practice to provide routine review of API key utilization in any SaaS platform. JumpCloud has added admin_old_api_key_attempt to Directory Insights to allow our customers to better understand where older API keys might be in use. Follow this guide for more information on how to view this event in DI.
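Added example, not part of the thread and not JumpCloud's code: one way to review `admin_old_api_key_attempt` events across several organisations, by summarising an exported event log per organisation, admin and source IP from a chosen start date. The one-JSON-event-per-line layout, every field name other than `event_type`, and all sample values and dates are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

EVENT_TYPE = "admin_old_api_key_attempt"  # event name given in the reply above

# Constructed sample export: one JSON event per line. Every field name except
# event_type is an assumption about the export layout; adjust to your data.
SAMPLE_EXPORT = """\
{"event_type": "admin_old_api_key_attempt", "timestamp": "2023-06-25T03:14:07Z", "organization": "org-a", "client_ip": "198.51.100.7", "initiated_by": {"email": "admin@example.com"}}
{"event_type": "admin_old_api_key_attempt", "timestamp": "2023-06-27T11:02:40Z", "organization": "org-a", "client_ip": "198.51.100.7", "initiated_by": {"email": "admin@example.com"}}
{"event_type": "admin_old_api_key_attempt", "timestamp": "2023-07-01T09:30:00Z", "organization": "org-b", "client_ip": "203.0.113.20", "initiated_by": {"email": "ops@example.com"}}
{"event_type": "admin_old_api_key_attempt", "timestamp": "2023-06-10T08:00:00Z", "organization": "org-b", "client_ip": "203.0.113.20", "initiated_by": {"email": "ops@example.com"}}
{"event_type": "admin_login_attempt", "timestamp": "2023-06-26T10:00:00Z", "organization": "org-a", "client_ip": "192.0.2.10", "initiated_by": {"email": "admin@example.com"}}
{"event_type": "admin_old_api_key_attempt", "timestamp": "2023-06-2
"""


def parse_ts(value):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def old_key_attempts(lines, since):
    """Summarise old-API-key attempts at or after `since`, keyed by
    (organization, admin, source IP). Returns (summary, unparsable_count)."""
    summary, skipped = {}, 0
    for line in filter(None, map(str.strip, lines)):
        try:
            ev = json.loads(line)
            if ev.get("event_type") != EVENT_TYPE:
                continue
            ts = parse_ts(ev["timestamp"])
            admin = (ev.get("initiated_by") or {}).get("email", "unknown")
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count, never silently drop, lines that cannot be read
            continue
        if ts < since:
            continue
        key = (ev.get("organization", "unknown"), admin, ev.get("client_ip", "unknown"))
        row = summary.setdefault(key, {"count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["first"], row["last"] = min(row["first"], ts), max(row["last"], ts)
    return summary, skipped


if __name__ == "__main__":
    start = datetime(2023, 6, 22, tzinfo=timezone.utc)  # constructed start date
    found, bad = old_key_attempts(SAMPLE_EXPORT.splitlines(), start)
    for (org, admin, ip), row in sorted(found.items()):
        print(org, admin, ip, row["count"], row["first"].isoformat(), row["last"].isoformat())
    print("unparsable lines:", bad)
```

A non-zero unparsable count means the export was truncated or malformed, so the summary should not be treated as complete until those lines are accounted for.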