View the Directory Insights Data Activity Log

The Directory Insights Activity Log includes an event frequency chart and a table with individual events for the selected time range. Directory Insights data is useful for auditing & compliance or for troubleshooting issues like user lockouts.

Considerations:

• JumpCloud stores Directory Data for 90 days. Any views in the admin console will only reflect the previous 90 days of activity. If you need to store data longer than 90 days, consider the JumpCloud Directory Insights AWS Serverless Application or export the logs directory using the Directory Insights API.

Prerequisites:

• Directory Insights must be enabled for your account. Email your Account Manager for enablement.

Chart View

The Activity Log chart shows a graphical representation of the number of events that occurred during the selected time range. You can click a bar in the chart to view data for that bar's time range. 

Table View

The Activity Log table shows event data in the following default columns:

• Timestamp: When the event happened; the date and time on which the event occurred.
• Event Type: The event type. Events are gathered from the following services: All, Directory, LDAP, MDM, Password Manager, RADIUS, SSO, Software, and Systems. 
• Result: The result of the logged activity, such as, “System login successful” or “Policy created.”
• Initiated By: Who initiated the event; the username of the JumpCloud user that initiated the event. If no username is available, the user’s email address is shown. If neither a username nor an email address is available, “–” is shown.
• Client IP: Where the event happened; the IP address of the requesting client.

You can choose the columns you want to view in the Activity Log by clicking columns to the left of export. You can select up to 8 columns. Use the search bar at the top of the list to narrow column results. 

Get the Most out of the Activity Log

Filter data:

• Use the service, event type, and user filters to refine log data. You can view data for the following services:
  • All
  • Directory
  • LDAP
  • RADIUS
  • Password Manager
  • SSO
  • Software
  • Systems
  • MDM

• Click add filter to add a filter. You can filter by the following field names listed in DI Activity Log Filters.
• Click clear all to remove any filters you’ve applied. 

Click a specific Event Type or Client IP in the table to apply a filter for the event type or client IP as a filter for the Activity Log. For example, click a Login Attempt event type to view all login attempt events, or click a Client IP to view all events for that client IP.

Use the Time Range selector in the right corner to view data for a specific date range. 

To use the Time Range selector:

1. Click inside the Time Range box. 
2. Specify a date range. You can select a Quick Pick date range or define a range with the Specific Dates fields
3. Click apply.

View current data by clicking refresh in the top right corner of the Activity Log.

View summary details and JSON by clicking the down arrow to the left of an event date.

Export event data in JSON or CSV by clicking export in the right corner.

Activity Log Views

Use the Views list to see pre-filtered Quick Views or to create and save custom views. 

This section covers:

• Using Saved & Quick Views
• Creating and Saving Views
• Modifying Saved Views
• Deleting Saved Views
• Using Quick Views
• Using Search

Using Saved & Quick Views

Considerations:

• If you choose a specific date for a view and then save it, the view defaults to the previous hour of data the next time you load the Saved View. Choose a different Quick Picks time range to view data for a longer time period.
• If you choose a Quick Pick time range for a view and then save it, data for the Quick Pick time range you saved is shown each time you load the Saved View. 
• Saved Views are available to all administrator accounts on a JumpCloud org. All administrators can view, modify, and delete any Saved Views.
• There is a maximum of 1,000 saved views per organization.
  

Creating and Saving Views

To create a saved view:

1. Apply columns and filters for the data you want to see. 
2. Apply a Quick Picks time range.
3. To the right of the Views list, click save view.
4. Give the view a unique name.
5. Click save.

To create a saved view from a quick view:

1. Select Quick View from the View list.
2. Modify the Quick View. 
3. Click save as … .
4. Give the view a unique name.
5. Click save.

Modifying Saved Views

Considerations:

• When you modify a saved view, it’s updated for all admins in your org.
• Currently you can’t rename a Saved View. If you need to rename a view, you can delete a view, then create a new one with the name you want.

To modify an existing saved view:

1. In the Views list, click select view … .
2. Select Saved View.
3. Modify the filters applied to the view by adding new or removing existing columns and filters.
4. Click save view. 
5. Confirm you want to save over the existing view

To create a new saved view from an existing saved view:

1. In the Views list, click select view … .
2. Select a saved view.
3. Modify the filters applied to the view by adding new or removing existing columns and filters.
4. Click save as. 

Deleting Saved Views

Considerations:

• When you delete a saved view, it’s deleted for all admins in your org.
• You can’t undo a delete action.

To delete a saved view:

1. In the Views list, click select view … .
2. Hover over a saved view, then click the trash can icon to the right of the view name.
3. To confirm that you want to delete the view, click delete.

Using Quick Views

Quick Views are shortcuts to pre-filtered views. 

If you select a Quick View that has no data for the time period you've chosen, you can increase your time range to see data for the view.

To choose a Quick View:

1. In the Views list, click select view … .
2.  Select a view from the list of available Quick Views. 
3. (Optional) Click clear view to remove the view from the Activity Log.

Using Search

Considerations: 

• When exporting Directory Insights data, any search terms in use to filter the list view will not be applied to the export.

The DI Search is a full text query that enables you to narrow the table view of individual events in the activity log based on the terms entered.

• Spaces are treated as AND
• Underscores are treated as AND
• OR, NOT operators are not supported
• Exact phrase search with quotations is not supported

Search works in conjunction with applied Saved Views, Time Range, and filters to search within those results for something more specific. You can also apply Saved Views, Time Range, and filters after performing a text search to further narrow results.

See the table below to see which database fields are searched for each Service selected from the Service drop-down menu.

Activity Log Data Availability 

• The Activity Log can show data for up to the last 90 days.
• Keep in mind that your org may not have data available for the previous 90 days.
• Free accounts can see data for up to the last 15 days.

View Old API Keys Actively Being Used

The Directory Insights event ‘admin_old_api_key_attempt’ can be used to identify any old admin API key that’s still being used. When an admin API key is rotated, you’ll see these events until you replace all instances of your old admin API key with the newly rotated key value. Each attempted usage of an old admin API key will generate a new instance of this event detailing the extent of its usage.

To view old API Keys:

1. Log in to the JumpCloud Admin Portal.
2. In the left hand navigation, click INSIGHTS > Directory.
3. Select a Time Range.  Only events within that Time Range will be displayed.
4. In the Event Type dropdown menu, select admin_old_api_key_attempt to filter the events.
5. A list of results will populate if there are any old API keys being actively used for the selected Time Range.
   • You can also pinpoint usage by searching your code base for the specific JumpCloud API Path value ‘console.jumpcloud.com’ endpoint or for the following ‘api.jumpcloud.com’ path snippets:
     • ‘/insights/directory/v1’
     • ‘/reports’
     • ‘/import/users’
6. Click the dropdown arrow next to the timestamp of an event to see a Summary.
7. Click the JSON tab to see the event details to identify the source of where the old API key is being used. The following details are provided:
   • initiated_by: Identifies the admin who’s API key is being used.
   • client_ip: The IP Address from which the API call was sourced to JumpCloud.
   • geoip: Identifies the geography associated with the client IP address.
   • Resource:  Identifies the base URL for the JumpCloud API being called.
     • A URL of `console.jumpcloud.com` will also have a Path value, which specifies the API endpoint being called.
     • A URL of `api.jumpcloud.com` will be any endpoint in the Directory Insights API or SCIM Server API.
   • useragent: Standard information about the program making the api call.
8. Now, your old API key might be coming from various integrations with JumpCloud. You will have to generate a new API key and update any existing integrations that use an API key with the newly generated value. See which integrations use an API key, and generate a new one, see JumpCloud APIs to learn more.