Directory Insights Activity Log Filters

You can filter the Directory Insights Data Activity Log with the following filters.

Note:

Please see the Directory Insights API for a list of event types. 

DI Activity Log Table

Field Name Description Service Support
application.name The application name.
  • SSO
application.sso_url The application URL.
  • SSO
association.connection.from.type The association object from.
  • Directory
association.connection.to.type The association object to.
  • Directory
attr A set of attributes to be returned to the client.
  • LDAP
auth_method Session = console, api-key = api-key
  • Directory
  • LDAP
auth_type The authentication type.
  • RADIUS
client_ip The IP address the request came from.
  • Directory
  • MDM
  • RADIUS
  • SSO
  • Systems
correlation.id The correlated event ID.
  • Directory
deref The alias dereferencing behavior, which indicates how the server should treat any aliases it encounters while processing the search.
  • LDAP
device All logs associated with the selected device for the supported services.
  • Directory
  • Systems
dn Distinguished name (DN) provided for authentication.
  • LDAP
eap_type The EAP type.
  • RADIUS
error_chain.error_code The mdm error code.
  • MDM
error_chain.error_domain The mdm error domain.
  • MDM
error_code The result code.
  • LDAP
error_message Error message in the event.
  • Directory
  • RADIUS
  • LDAP
event_type The event type.
  • Directory
  • LDAP
  • MDM
  • RADIUS
  • SSO
  • Systems
filter The filter criteria for the search with the scope.
  • LDAP
geoip.continent_code The client IP continent code.
  • Directory
  • RADIUS
  • SSO
  • Systems
geoip.country_code The client IP country code.
  • Directory
  • RADIUS
  • SSO
  • Systems
geoip.region_code The client IP region code.
  • Directory
  • RADIUS
  • SSO
  • Systems
geoip.region_name The client IP region name.
  • Directory
  • RADIUS
  • SSO
  • Systems
geoip.timezone The client IP region's timezone.
  • Directory
  • RADIUS
  • SSO
  • Systems
id The event’s unique id.
  • Directory
  • MDM
  • RADIUS
  • SSO
  • Systems
idp_initiated True if the request was initiated from the Identity Provider (JumpCloud). False if the auth was initiated from the service provider.
  • SSO
initiated_by.email Event initiated by email.
  • Directory
  • SSO
initiated_by.type Event initiated by type.
  • Directory
  • SSO
initiated_by.username Event initiated by username.
  • Directory
  • SSO
mech The authentication method used. Either simple or SASL Note that we don't currently support SASL.
  • LDAP
mfa If MFA was used on an authentication attempt.
  • Directory
  • RADIUS
mfa_meta.type The type of MFA used.
  • Directory
  • RADIUS
nas_mfa_state
  • Disabled: No MFA required
  • Enabled: MFA is required if the user is configured for MFA
  • Required: MFA is required unless the user is excluded and not configured for MFA
  • Always: MFA always required
  • RADIUS
number_of_results The number of rows returned from the search.
  • LDAP
operation_number All operation requests and operation result pairs are given incremental operation numbers beginning with operation_number=0 to identify the distinct operations being performed.
  • LDAP
outer.eap_type The outer EAP type.
  • RADIUS
outer.username The outer username.
  • RADIUS
process_name The process that initiated a login attempt.
  • Systems
provider The org id of the provider if the org is a provider org.
  • Directory
  • Systems
request_type The type of command.
  • MDM
resource.email The resource object email.
  • Directory
  • Systems
resource.hostname The resource object hostname.
  • Directory
  • Systems
resource.hostname The resource object hostname.
  • Directory
  • Systems
resource.name The resource object name.
  • Directory
  • Systems
resource.type The resource object type.
  • Directory
  • Systems
resource.username The resource object username.
  • Directory
  • Systems
scope The search scope. This specifies the portion of the target subtree that should be considered. Can be: base, only return the specified entry. singleLevel (1) only the immediate children of the entry are considered.
  • LDAP
service Which service the event originated from.
  • Directory
  • LDAP
  • MDM
  • RADIUS
  • SSO
  • Systems
src_ip The IP address the login request came from.
  • Systems
start_tls The starttls protocol that was used to open the LDAP connection.
  • LDAP
status The command result: acknowledged, error, command format error, and idle.
  • MDM
success DeNotes if a login attempt was successful or not.
  • Directory
  • LDAP
  • RADIUS
  • Systems
system.hostname The system hostname.
  • Systems
system.id System unique ID
  • System
  • Software
tls_established The LDAPS protocol was used to open the LDAP connection.
  • LDAP
username The username provided for the auth attempt.
  • LDAP
  • RADIUS
  • Systems
user All logs associated with the selected user.
  • Directories
  • LDAP
  • RADIUS
  • SSO
  • Systems
windows elevated If the user had elevated privileges at the time of log in.
  • Windows
windows logon type

The type of windows log on. Select a number to view logons for a type.

2 - Interactive logon; log ons from a Windows device's local keyboard and screen

We've removed the collection of Windows Service Account log ons to reduce the noise in Directory Insights events to make it easier for customers to identify log ins from JumpCloud managed users. We audit data periodically to ensure that we're collecting the most important information for our customers. Though these events aren't included in Directory Insights, the events are available locally on Windows devices using the Windows Event Viewer. These events can be identified by an Events ID of 4624 and 4625 with the logon_type of 5. We've added a PowerShell command to the JumpCloud Command Gallery you can use to query these events. 

  • Windows

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case