Jumpcloud intrusion detection
07-17-2023 04:28 AM
Hi everyone,
In response to the recent compromise (that I'm sure has impacted all of us) we (JumpCloud MSP users) performed an investigation to determine if any of our organisations were affected. I'm aware it's extremely unlikely but better safe than sorry.
I'm wondering if anyone has any suggestions as to how to perform this check?
We did the following:
- Check our users list for any that we don't recognise or that otherwise seem unusual.
- Perform similar checks on Commands.
- Go through the logs and see if anything there looks wrong.
We looked at the following kinds of log entries between 22/6 and the present:
- user_create - Duplicating item #1 above
- command_create, command_run, command_delete - Duplicating #2
- user_password_change - I'm not sure this is even relevant but I checked it out
- user_create_provision - Seems like something that could potentially be useful to an attacker
- association_change - Could be used for privilege escalation
- software_add, software_change, software_remove - Could be used to add malware or remove defensive software such as antivirus
- admin_access_granted, admin_update - Unlikely to be relevant but generates a small amount of data, so why not?
Has anyone got anything to add to this?
07-31-2023 04:19 AM
We always love to see our customers implementing good security practices. It is an industry best practice to provide routine review of API key utilization in any SaaS platform. JumpCloud has added admin_old_api_key_attempt to Directory Insights to allow our customers to better understand where older API keys might be in use. Follow this guide for more information on how to view this event in DI.
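The two posts above together amount to a review procedure: pull Directory Insights events since 22/6, keep only the event types on the watchlist (the first post's list plus admin_old_api_key_attempt from the reply), and look at who initiated each one. The script below is an added example of that triage run offline over constructed sample events; it is not code from either poster or from JumpCloud. The JSON layout it reads (event_type, timestamp, initiated_by.email, success) is an assumption about what a Directory Insights export looks like, and the sample lines, the admin address and the review window year are all made up for the demonstration.

```python
"""Offline triage of JumpCloud Directory Insights events against the
watchlist discussed in the thread.

Added example, not code from the original posts or from JumpCloud. The
event layout (event_type, timestamp, initiated_by.email, success) is an
assumed approximation of a Directory Insights export, and every sample
line below is constructed for the demonstration."""
import json
from collections import Counter
from datetime import datetime, timezone

# Event types the thread suggests reviewing, with the reason each matters.
WATCHLIST = {
    "user_create": "new identity created",
    "user_create_provision": "identity provisioned (usable by an attacker)",
    "user_password_change": "credential changed",
    "command_create": "command added (code execution on managed systems)",
    "command_run": "command executed on managed systems",
    "command_delete": "command removed (possible clean-up)",
    "association_change": "binding changed (possible privilege escalation)",
    "software_add": "software pushed (possible malware)",
    "software_change": "software changed",
    "software_remove": "software removed (possible defence removal)",
    "admin_access_granted": "admin access granted",
    "admin_update": "admin record changed",
    "admin_old_api_key_attempt": "API call made with a superseded key",
}

# Start of the review window from the first post (22/6; year assumed 2023).
REVIEW_START = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed sample events, one JSON object per line, in the assumed layout.
SAMPLE_LINES = [
    '{"timestamp":"2023-06-20T09:00:00Z","event_type":"user_create","initiated_by":{"email":"admin@example.com"},"success":true}',
    '{"timestamp":"2023-07-01T10:15:00Z","event_type":"user_create","initiated_by":{"email":"admin@example.com"},"success":true}',
    '{"timestamp":"2023-07-03T02:41:00Z","event_type":"association_change","initiated_by":{"email":"unknown@example.com"},"success":true}',
    '{"timestamp":"2023-07-05T11:05:00Z","event_type":"admin_old_api_key_attempt","initiated_by":{"email":"admin@example.com"},"success":false}',
    '{"timestamp":"2023-07-06T08:30:00Z","event_type":"user_login_attempt","initiated_by":{"email":"user@example.com"},"success":true}',
    '{"timestamp":"2023-07-08T23:59:00Z","event_type":"software_remove","initiated_by":{"email":"svc-automation@example.com"},"success":true}',
]


def parse_events(lines):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def _event_time(event):
    # Timestamps are ISO 8601 with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def _initiator(event):
    return (event.get("initiated_by") or {}).get("email", "<unknown>")


def triage(events, known_admins, review_start=REVIEW_START):
    """Return watchlisted events inside the review window, in input order.

    Each finding carries the reason(s) it was kept and an escalate flag:
    set when the initiator is not a recognised admin, or when the event is
    an old-API-key attempt (a stale key is worth rotating regardless of who
    holds it)."""
    findings = []
    for event in events:
        if _event_time(event) < review_start:
            continue
        event_type = event.get("event_type")
        if event_type not in WATCHLIST:
            continue
        initiator = _initiator(event)
        reasons = [WATCHLIST[event_type]]
        unknown_initiator = initiator not in known_admins
        if unknown_initiator:
            reasons.append("initiated by %s, not a recognised admin" % initiator)
        findings.append({
            "timestamp": event["timestamp"],
            "event_type": event_type,
            "initiator": initiator,
            "success": event.get("success"),
            "reasons": reasons,
            "escalate": unknown_initiator or event_type == "admin_old_api_key_attempt",
        })
    return findings


def count_by_type(findings):
    """Volume per event type, a quick sanity check on what the window holds."""
    return Counter(f["event_type"] for f in findings)


def old_api_key_initiators(events):
    """Distinct accounts still presenting an old API key; each needs rotating."""
    return sorted({_initiator(e) for e in events
                   if e.get("event_type") == "admin_old_api_key_attempt"})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for f in triage(events, known_admins={"admin@example.com"}):
        flag = "ESCALATE" if f["escalate"] else "review  "
        print(flag, f["timestamp"], f["event_type"], f["initiator"], "|", "; ".join(f["reasons"]))
    print("old API keys still in use by:", old_api_key_initiators(events))
```

To run this against real data, replace SAMPLE_LINES with the lines of a Directory Insights export for the same window and fill known_admins from your own admin roster; the field names may need adjusting to match the actual export, since they are assumed here. The known_admins check is deliberately strict: an automation identity you recognise will show up as escalated until you add it to the set, which is the intended direction of error for this kind of review.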