---
title: JumpCloud password manager local export
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > JumpCloud password manager local export
---

# JumpCloud password manager local export
Classification:attackTactic:[TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)Technique:[T1567-exfiltration-over-web-service](https://attack.mitre.org/techniques/T1567) 
## Goal{% #goal %}

Detect when a JumpCloud password manager export is initiated for download.

## Strategy{% #strategy %}

This rule monitors JumpCloud events for when a password manager export is downloaded. This export action could involve downloading a significant amount of password data. Unauthorized exports could indicate a potential data breach, insider threat, or misuse of administrative privileges.

Potential risks associated with these export actions include:

- Unauthorized access to and exfiltration of sensitive company data and secrets.
- Insider threats downloading and sharing confidential data.

## Triage and response{% #triage-and-response %}

1. Determine if the export download is expected by:

   - Contacting the user or admin `{{@usr.email}}` who initiated the export to verify the legitimacy of the request.
   - Reviewing the context and scope of the export, including:
     - The type of data exported.
     - The time and date of the export and the business justification for the action.
   - Checking JumpCloud logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.

1. If the export is unauthorized or unexpected:

   - Begin your organization's incident response process and investigate further.
   - Analyze the exported data for sensitive information, and determine the scope of exposure.
   - Monitor for any further attempts to export data or download sensitive information across the workspace.