Techniques
Sample rules
Zoom Rare Audio Devices
- source: splunk
- technicques:
- T1123
Description
Detects rare audio devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
Detection logic
`zoom_index` speaker=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
| rare speaker limit=50
| `zoom_rare_audio_devices_filter`