this is a hunting query meant to identify rare microphone devices.

t1123
identity
splunk

Techniques

T1123

Sample rules

Zoom Rare Input Devices

source: splunk
technicques:
- T1123

Description

Detects rare input devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.

Detection logic

`zoom_index` microphone=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*") 
| rare microphone limit=50 
| `zoom_rare_input_devices_filter`