As many of you might be wondering about (or have already asked 🙂) integrating SIEM solutions with JumpCloud logs, Directory Insights (DI) to be more specific, in order to centralise security event monitoring and management, @JuergenKlaassen had a write-up that showed us a few possible options. I had the opportunity to spend some time diving deeper into this topic, and today I would like to share the steps I took from setup to usage, as a SIEM "user".
Here is the list I worked with:
I used our AWS serverless app to extract the DI data to an S3 bucket as the starting point, except for DataDog, thanks to the native integration we have.
Let’s dive into it.
(Here is an introduction about DI in case you are not familiar with it)
_source=<your_source_name> | json field=_raw ".event_type" as _0__event_type | count by _0__event_type
_source=<your_source_name> | json field=_raw ".success" as success | json field=_raw ".event_type" as event_type | json field=_raw ".geoip.country_code" as country_code | json field=_raw ".geoip.region_name" as region_name | count by country_code,region_name,event_type,success
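The second Sumo Logic query above groups DI events by country, region, event type and success flag. As an added example (not from the original post or from JumpCloud), the script below computes the same aggregation offline over a constructed NDJSON sample of DI events, which is handy for checking a query against the raw S3 export; the one-JSON-object-per-line layout and the sample event types are assumptions, and the hotspot helper goes one step beyond the query by surfacing buckets with repeated failed logins.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of Directory Insights events, one JSON object per line
# (NDJSON); the layout and the event values are assumptions, not real DI data.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"event_type": "login_attempt", "success": True,  "geoip": {"country_code": "US", "region_name": "Texas"}},
    {"event_type": "login_attempt", "success": False, "geoip": {"country_code": "US", "region_name": "Texas"}},
    {"event_type": "login_attempt", "success": False, "geoip": {"country_code": "BR", "region_name": "Sao Paulo"}},
    {"event_type": "login_attempt", "success": False, "geoip": {"country_code": "BR", "region_name": "Sao Paulo"}},
    {"event_type": "admin_login_attempt", "success": True, "geoip": {"country_code": "US", "region_name": "Texas"}},
    {"event_type": "user_update", "success": True},  # no geoip block on this event
])

Key = Tuple[str, str, str, bool]  # (country_code, region_name, event_type, success)


def count_events(ndjson: str) -> Dict[Key, int]:
    """Offline equivalent of 'count by country_code,region_name,event_type,success'.
    Events without a geoip block are bucketed as 'unknown' instead of being dropped."""
    counts: Counter = Counter()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        geo = ev.get("geoip") or {}
        key = (geo.get("country_code", "unknown"), geo.get("region_name", "unknown"),
               ev.get("event_type", "unknown"), bool(ev.get("success", False)))
        counts[key] += 1
    return dict(counts)


def failed_login_hotspots(counts: Dict[Key, int], threshold: int = 2) -> List[Tuple[Tuple[str, str, str], int]]:
    """Buckets of *failed* login-type events whose count reaches the threshold,
    i.e. the rows a defender would look at first in the grouped output."""
    return sorted(
        (k[:3], n) for k, n in counts.items()
        if k[2].endswith("login_attempt") and k[3] is False and n >= threshold
    )


if __name__ == "__main__":
    c = count_events(SAMPLE_NDJSON)
    for key, n in sorted(c.items(), key=lambda kv: -kv[1]):
        print(n, key)
    print("hotspots:", failed_login_hotspots(c))
```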
Relatively straightforward thanks to the native integration.
(Optional) You can also ship the DI logs (JSON formatted) from the S3 bucket to DataDog, similarly to the Sumo Logic setup, via a DataDog-maintained AWS Lambda function.
I found there are 2 JumpCloud Apps built by:
However, I couldn't make either of those work within the time I had set aside for this topic. Given how much Splunk means to the SIEM market, I will probably revisit it once I have more time.
Hope the above 2 cases help!