Techniques
Sample rules
Zoom Rare Video Devices
- source: splunk
- technicques:
- T1123
Description
Detects rare video devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
Detection logic
`zoom_index` camera=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
| rare camera limit=50
| `zoom_rare_video_devices_filter`