NetNXT Logo

How to Use JumpCloud Directory Insights for Forensics and Compliance?

January 29, 2026
3 min read
ByNetNXT

Introduction

For modern IT teams, "knowing what happened" is just as important as "preventing it." Directory Insights is JumpCloud's event logging and compliance engine. It records virtually every transaction—from a user changing their password to an admin unlocking a computer.

This guide explains how to use Directory Insights not just for reading logs, but for forensic investigation and compliance reporting.

1. Core Event Types You Must Monitor

While Directory Insights captures thousands of events, these four are critical for security monitoring:

  • user_locked: Indicates a user failed their password too many times. High volume suggests a brute-force attack.

  • admin_login_attempt_failed: Someone is trying to breach your JumpCloud Admin Portal.

  • system_fde_key_escrow: A critical event verifying that a device’s BitLocker/FileVault recovery key was successfully backed up to JumpCloud.

  • radius_auth_failed: Wi-Fi login failures. Often helps diagnose bad certificates or rogue devices.

2. How to Investigate a "Suspicious Login" (Forensic Workflow)

Scenario: You see a login from an unknown IP in China. Here is the investigation workflow:

  1. Open Directory Insights: Go to Insights > Directory.

  2. Filter by User: Enter the username in the search bar (e.g., john.doe).

  3. Add Service Filter: Select SSO (to see App logins) or Systems (to see Device logins).

  4. Look for geoip_country_code:

    • If you see CN (China) or RU (Russia) and your employee is in IN (India), this is a compromise.

  5. Correlate with MFA:

    • Look for the event user_mfa_validate_success immediately following the login.

    • If MFA succeeded: The attacker has the user's MFA token/device. Action: Revoke all sessions immediately.

    • If MFA failed: The attacker has the password but was stopped by 2FA. Action: Force password reset.

3. Exporting for External SIEM (Splunk/Datadog)

For regulated industries (Banking/FinTech), keeping logs in JumpCloud isn't enough. You need to pipe them to a SIEM.

  • The AWS Serverless Method: JumpCloud provides a pre-built "Serverless Application Repository" app in AWS.

    • NetNXT Recommendation: Use the JumpCloud S3 Adapter. It pulls logs every 5 minutes and dumps them into an Amazon S3 bucket. From there, your SIEM (Splunk/SumoLogic) can ingest them cheaply without hitting API rate limits.

4. "Time Travel" Troubleshooting

Directory Insights is the only way to prove when a policy applied.

  • Problem: User claims "My laptop rebooted randomly."

  • Investigation: Search for system_policy_apply events for that hostname.

  • Result: You see Windows Update Policy applied at 2:00 PM. This proves it was a scheduled patch, not a hardware crash.

FAQ

1) What is JumpCloud Directory Insights used for?

Directory Insights logs all user, admin, device, and authentication events, helping IT teams perform forensic investigations and maintain compliance audit trails.

2) How can I detect suspicious logins using Directory Insights?

Filter logs by user and check geoip_country_code. Compare login location with user’s actual location and correlate with MFA success or failure.

3) Which critical events should I monitor in Directory Insights?

Monitor user_locked, admin_login_attempt_failed, system_fde_key_escrow, and radius_auth_failed for signs of attacks, compliance, and device security status.

4) Can I export JumpCloud logs to a SIEM like Splunk?

Yes. Use JumpCloud’s S3 Adapter or AWS Serverless app to export logs regularly to S3, where SIEM tools can ingest them.

5) How do I prove when a JumpCloud policy was applied to a device?

Search for system_policy_apply events for the device hostname to verify exact timestamps of policy enforcement or patch deployment.

Was this article helpful?