Directory Insight SIEM Integrations

Rising Star III

Hey Folks, 

As many of you might be wondering (or already asked 🙂) about integrating SIEM solutions with JumpCloud logs - Directory Insights to be more specific, in order to centralise security event monitoring and management, @JuergenKlaassen had a write-up that showed us a few possible options. I had the opportunity to spend some time diving deeper into this topic, and today, I would like to share the steps I took from setup to usage - as a SIEM “user”. 

Here is the list I worked with:

  • Sumo Logic - via AWS serverless app
  • DataDog - via native integration
  • Splunk - Didn’t work out unfortunately

I used our AWS serverless app to extract the DI data to an S3 bucket as the starting point - except for DataDog, thanks to the native integration we have. 

Let’s dive into it. 

(Here is an introduction about DI in case you are not familiar with it) 

Sumo Logic


  • Once the AWS serverless app has finished deploying, locate the S3 bucket created during the process.
  • Go to “manage data” -> “collection” -> “add collector”: (screenshot: shawnsong_0-1678179635854.png)
  • Select “Hosted Collector” -> name it, and save -> search and select “Amazon S3” as the source. (screenshot: shawnsong_1-1678179655741.png)
  • Name the source, and input the bucket name and path expression. (screenshot: shawnsong_2-1678179677314.png)
  • Set up AWS access for Sumo Logic as per this guide. (screenshot: shawnsong_3-1678179698083.png)
  • Now here is the most important part 😄 (where I spent most of my time figuring this out with Sumo Logic’s support engineer) - use the Regex pattern below to define the JSON formatted DI event:


Use Cases

  • Now you can jump straight to log search: (screenshot: shawnsong_5-1678179830170.png)
  • Then use a query like the example below to get an overview of the whole directory:
    | json field=_raw "[0].event_type" as _0__event_type | count by _0__event_type
  • If we glide into the query language a bit more, you can enrich the view with country / region info:
    _source=<your_source_name> | json field=_raw "[0].success" as success
    | json field=_raw "[0].event_type" as event_type
    | json field=_raw "[0].geoip.country_code" as country_code
    | json field=_raw "[0].geoip.region_name" as region_name
    | count by country_code,region_name,event_type,success
  • And then you can create a dashboard for it: (screenshot: shawnsong_7-1678179972251.png)
  • Of course, you can create a monitor for alerting: (screenshot: shawnsong_8-1678180021067.png)

DataDog

Relatively straightforward thanks to the native integration.

  • Go to “Integrations” -> search JumpCloud -> config -> input your API key (supports multiple tenants): (screenshot: shawnsong_9-1678180080126.png)

    (Optional) You can also ship the DI logs (JSON formatted) from S3 buckets to DataDog similarly to Sumo Logic, via a DataDog-maintained AWS Lambda function.

Use Cases

  • Now you can do a log search like this - to identify the geo location of admin logins - and save it to a dashboard: (screenshot: shawnsong_10-1678180117523.png)
  • Then you can use a geo map like this on the dashboard: (screenshot: shawnsong_11-1678180138188.png)
  • And, of course, create a monitor for alerting: (screenshot: shawnsong_12-1678180158444.png)
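To show what the Sumo Logic “count by” queries and the DataDog admin-login geo view are computing, here is an added, offline Python example (not part of this post, and not JumpCloud’s, Sumo Logic’s or DataDog’s own code). It parses DI-style raw lines where each line is a JSON array of events (which is why the queries address fields as "[0].event_type"), reproduces both aggregations, and adds a simple monitor-style check for successful admin logins from outside an expected set of countries. The sample events, the "username" field and the event type names "admin_login_attempt" / "login_attempt" are assumptions constructed for illustration; only event_type, success, geoip.country_code and geoip.region_name come from the queries above.

```python
import json
from collections import Counter

# Constructed sample raw log lines. Each line holds a JSON array of DI events,
# mirroring the "[0].field" addressing used in the Sumo Logic queries.
# Event type names and usernames are assumed, not taken from the post.
SAMPLE_RAW_LINES = [
    json.dumps([{"event_type": "admin_login_attempt", "success": True, "username": "alice",
                 "geoip": {"country_code": "SG", "region_name": "Central Singapore"}}]),
    json.dumps([{"event_type": "admin_login_attempt", "success": False, "username": "bob",
                 "geoip": {"country_code": "US", "region_name": "California"}}]),
    json.dumps([{"event_type": "login_attempt", "success": True, "username": "carol",
                 "geoip": {"country_code": "SG", "region_name": "Central Singapore"}}]),
    json.dumps([{"event_type": "admin_login_attempt", "success": True, "username": "dave",
                 "geoip": {"country_code": "BR", "region_name": "Sao Paulo"}}]),
    # One raw line can carry several events in its array.
    json.dumps([{"event_type": "login_attempt", "success": True, "username": "erin",
                 "geoip": {"country_code": "US", "region_name": "California"}},
                {"event_type": "admin_login_attempt", "success": True, "username": "alice",
                 "geoip": {"country_code": "SG", "region_name": "Central Singapore"}}]),
]


def parse_di_lines(raw_lines):
    """Flatten raw lines (each a JSON array of events) into a list of event dicts.
    A bare JSON object on a line is tolerated and treated as a one-event array."""
    events = []
    for line in raw_lines:
        payload = json.loads(line)
        if isinstance(payload, dict):
            payload = [payload]
        events.extend(payload)
    return events


def _geo(event, key):
    """Safely read geoip.<key>; DI events without geoip data yield None."""
    return (event.get("geoip") or {}).get(key)


def count_by_event_type(events):
    """Equivalent of: | json field=_raw "[0].event_type" as _0__event_type | count by _0__event_type"""
    return Counter(e.get("event_type") for e in events)


def count_by_geo(events):
    """Equivalent of: | count by country_code,region_name,event_type,success"""
    return Counter(
        (_geo(e, "country_code"), _geo(e, "region_name"), e.get("event_type"), e.get("success"))
        for e in events
    )


def admin_logins_outside_baseline(events, baseline_countries):
    """Monitor-style rule: successful admin logins whose source country is not in
    the expected set. Returns (username, country_code) pairs worth alerting on."""
    hits = []
    for e in events:
        if e.get("event_type") == "admin_login_attempt" and e.get("success") is True:
            country = _geo(e, "country_code")
            if country not in baseline_countries:
                hits.append((e.get("username"), country))
    return hits


if __name__ == "__main__":
    evts = parse_di_lines(SAMPLE_RAW_LINES)
    print("by event_type:", dict(count_by_event_type(evts)))
    for key, n in count_by_geo(evts).items():
        print("by geo:", key, n)
    print("admin logins outside baseline:", admin_logins_outside_baseline(evts, {"SG", "US"}))
```

The baseline set stands in for whatever the monitor in the SIEM would be configured with; in practice it would be derived from where your admins actually work, and the same grouping keys (country, region, event type, success) are what the dashboards above plot.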

That's it!

Splunk

I found there are 2 JumpCloud Apps built by:

However, I couldn’t make either of those work within the permitted time I had on this topic. Given how much Splunk means to the SIEM market, I will probably revisit it once I have more time.

Hope the above 2 cases help!