03-07-2023 04:13 AM - edited 02-13-2024 07:07 PM
Hey Folks,
As many of you might be wondering (or have already asked 🙂) about integrating SIEM solutions with JumpCloud logs, Directory Insights to be more specific, in order to centralise security event monitoring and management, @JuergenKlaassen had a write-up that showed us a few possible options. I had the opportunity to spend some time diving deeper into this topic, and today I would like to share the steps I took from setup to usage, as a SIEM “user”.
Here is the list I worked with:
I used our AWS serverless app to extract the DI data to an S3 bucket as the starting point - except for DataDog, thanks to the native integration we have.
Let’s dive into it.
(Here is an introduction to DI in case you are not familiar with it)
\{\s+(?s)\"initiated_by\"\:\s+\{.*
_source=<your_source_name> | json field=_raw "[0].event_type" as _0__event_type | count by _0__event_type
_source=<your_source_name> | json field=_raw "[0].success" as success
| json field=_raw "[0].event_type" as event_type
| json field=_raw "[0].geoip.country_code" as country_code
| json field=_raw "[0].geoip.region_name" as region_name
| count by country_code,region_name,event_type,success
Relatively straightforward thanks to the native integration.
(Optional) You can also ship the DI logs (JSON formatted) from S3 buckets to DataDog, similarly to Sumo Logic, via a DD-maintained AWS Lambda function.
That's it!
I found there are 2 JumpCloud Apps built by:
However, I couldn't make either of those work within the time I had permitted for this topic. Given how much Splunk means to the SIEM market, I will probably revisit it once I have more time.
Hope the above 2 cases help!
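The Sumo Logic queries in the post address each exported S3 object as a JSON array and read the first event (`[0].event_type`, `[0].success`, `[0].geoip.country_code`, `[0].geoip.region_name`) before doing `count by`. The script below is an added example, not code from the post or from JumpCloud, that replicates that aggregation offline in Python so you can check the numbers a SIEM shows you against the raw export. It goes slightly beyond the queries: it walks every event in each array rather than only index 0, skips a malformed object instead of aborting, and adds one detection on top of the same fields (failed `login_attempt` events from a country outside an allow-list, keyed on `initiated_by.username`). The sample objects are constructed for the example; the field names follow the DI fields named in the queries, the values are invented, and the allow-list and event type values are assumptions.

```python
"""Offline replica of the Sumo Logic `json ... | count by` queries run against
JumpCloud Directory Insights (DI) exports.  Each exported S3 object is taken to be
a JSON array of DI events (which is why the queries address "[0].event_type");
unlike the queries, every event in the array is processed, not just index 0.
Added example; sample data is constructed, not a real export."""
import json
from collections import Counter

# Constructed sample: two exported objects (each a JSON array of DI events) plus one
# truncated object.  Field names mirror the DI fields used on the page; values are invented.
SAMPLE_OBJECTS = [
    json.dumps([
        {"event_type": "login_attempt", "success": True,
         "geoip": {"country_code": "SG", "region_name": "Central Singapore"},
         "initiated_by": {"type": "user", "username": "alice"}},
        {"event_type": "login_attempt", "success": False,
         "geoip": {"country_code": "SG", "region_name": "Central Singapore"},
         "initiated_by": {"type": "user", "username": "bob"}},
    ]),
    json.dumps([
        {"event_type": "login_attempt", "success": False,
         "geoip": {"country_code": "RU", "region_name": "Moscow"},
         "initiated_by": {"type": "user", "username": "alice"}},
        {"event_type": "user_update", "success": True,
         "geoip": {"country_code": "SG", "region_name": "Central Singapore"},
         "initiated_by": {"type": "admin", "username": "admin@example.com"}},
    ]),
    "{not valid json",  # truncated export object: must be skipped, not crash the run
]


def get_path(event, path, default=None):
    """Resolve a dotted path such as 'geoip.country_code', as the json operator does."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def load_events(raw_objects):
    """Parse exported objects into a flat event list; an array or a single object are both accepted."""
    events = []
    for raw in raw_objects:
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed object: skip it and keep processing the rest
        events.extend(parsed if isinstance(parsed, list) else [parsed])
    return events


def count_by(events, fields):
    """Equivalent of `| count by f1,f2,...`: a Counter keyed by the tuple of field values."""
    return Counter(tuple(get_path(e, f) for f in fields) for e in events)


def failed_logins_outside(events, allowed_countries):
    """Usernames with a failed login_attempt from a country not on the allow-list (assumed detection)."""
    allowed = set(allowed_countries)
    return sorted({
        get_path(e, "initiated_by.username", "?")
        for e in events
        if get_path(e, "event_type") == "login_attempt"
        and get_path(e, "success") is False
        and get_path(e, "geoip.country_code") not in allowed
    })


if __name__ == "__main__":
    evs = load_events(SAMPLE_OBJECTS)
    fields = ["geoip.country_code", "geoip.region_name", "event_type", "success"]
    for key, n in sorted(count_by(evs, fields).items()):
        print(key, n)
    print("failed logins outside allow-list:", failed_logins_outside(evs, ["SG"]))
```

To use it on a real export, replace SAMPLE_OBJECTS with the bodies of the objects the serverless app wrote to the bucket; if your per-event counts differ from the SIEM's, the `[0]` in the queries (first event per object only) is the first thing to compare.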