You can filter the Directory Insights Data Activity Log with the following filters.
Please see the Directory Insights API for a list of event types.
DI Activity Log Table
Field Name | Description | Service Support |
---|---|---|
application.name | The application name. | |
application.sso_url | The application URL. | |
association.connection.from.type | The association object from. | |
association.connection.to.type | The association object to. | |
attr | A set of attributes to be returned to the client. | |
auth_method | Session = console, api-key = api-key | |
auth_type | The authentication type. | |
client_ip | The IP address the request came from. | |
correlation.id | The correlated event ID. | |
deref | The alias dereferencing behavior, which indicates how the server should treat any aliases it encounters while processing the search. | |
device | All logs associated with the selected device for the supported services. | |
dn | Distinguished name (DN) provided for authentication. | |
eap_type | The EAP type. | |
error_chain.error_code | The MDM error code. | |
error_chain.error_domain | The MDM error domain. | |
error_code | The result code. | |
error_message | Error message in the event. | |
event_type | The event type. | |
filter | The filter criteria for the search with the scope. | |
geoip.continent_code | The client IP continent code. | |
geoip.country_code | The client IP country code. | |
geoip.region_code | The client IP region code. | |
geoip.region_name | The client IP region name. | |
geoip.timezone | The client IP region's timezone. | |
id | The event's unique ID. | |
idp_initiated | True if the request was initiated from the Identity Provider (JumpCloud). False if the auth was initiated from the service provider. | |
initiated_by.email | Event initiated by email. | |
initiated_by.type | Event initiated by type. | |
initiated_by.username | Event initiated by username. | |
mech | The authentication method used. Either simple or SASL. Note that we don't currently support SASL. | |
mfa | If MFA was used on an authentication attempt. | |
mfa_meta.type | The type of MFA used. | |
nas_mfa_state | | |
number_of_results | The number of rows returned from the search. | |
operation_number | All operation requests and operation result pairs are given incremental operation numbers beginning with operation_number=0 to identify the distinct operations being performed. | |
outer.eap_type | The outer EAP type. | |
outer.username | The outer username. | |
process_name | The process that initiated a login attempt. | |
provider | The org ID of the provider if the org is a provider org. | |
request_type | The type of command. | |
resource.email | The resource object email. | |
resource.hostname | The resource object hostname. | |
resource.name | The resource object name. | |
resource.type | The resource object type. | |
resource.username | The resource object username. | |
scope | The search scope. This specifies the portion of the target subtree that should be considered. Can be: base, which returns only the specified entry; or singleLevel (1), which considers only the immediate children of the entry. | |
service | Which service the event originated from. | |
src_ip | The IP address the login request came from. | |
start_tls | The StartTLS protocol that was used to open the LDAP connection. | |
status | The command result: acknowledged, error, command format error, and idle. | |
success | Denotes whether a login attempt was successful. | |
system.hostname | The system hostname. | |
system.id | The system's unique ID. | |
tls_established | The LDAPS protocol was used to open the LDAP connection. | |
username | The username provided for the auth attempt. | |
user | All logs associated with the selected user. | |
windows elevated | If the user had elevated privileges at the time of login. | |
windows logon type | The type of Windows logon. Select a number to view logons for a type. 2 - Interactive logon: logons from a Windows device's local keyboard and screen. We've removed the collection of Windows Service Account logons to reduce the noise in Directory Insights events and make it easier for customers to identify logins from JumpCloud managed users. We audit data periodically to ensure that we're collecting the most important information for our customers. Though these events aren't included in Directory Insights, they are available locally on Windows devices using the Windows Event Viewer. These events can be identified by Event IDs 4624 and 4625 with a logon_type of 5. We've added a PowerShell command to the JumpCloud Command Gallery you can use to query these events. | |