Zoom

Communication and Collaboration

Zoom - Video conferencing tool for remote meetings and webinars

Provider: Zoom

Detection Rule MITRE Tactic MITRE Technique Criticality
MFA Failure Credential Access T1556.001 – Multi-Factor Authentication High
Investigation Actions (APIs) Get User Activity API to view failed MFA events.
Incident Creation Criteria 3+ MFA failures within 5 minutes for the same user or IP.
New Device Login Persistence T1078 – Valid Accounts Medium
Investigation Actions (APIs) Get User API for user login details (device and IP).
Incident Creation Criteria New device accessing the account outside the user's usual devices.
Unusual Geolocation Access Defense Evasion T1027 – Obfuscated Files or Information Medium
Investigation Actions (APIs) Get Account Information API for login geolocation.
Incident Creation Criteria User logging in from a location outside their usual regions (geo-anomalies).
Meeting Bombing Attempts Impact T1499 – Endpoint Denial of Service High
Investigation Actions (APIs) Get Meeting Reports API to view attendee attempts.
Incident Creation Criteria Multiple unauthorized attempts to join a meeting.
Suspicious Meeting Links Phishing T1566 – Phishing High
Investigation Actions (APIs) Get Meeting Details API to retrieve chat logs.
Incident Creation Criteria Sharing of suspicious URLs or unapproved domains in chat during meetings.
Data Leakage (Screen/File Sharing) Exfiltration T1071 – Application Layer Protocol Critical
Investigation Actions (APIs) Get Meeting Reports API for screen sharing/file transfer logs.
Incident Creation Criteria Sensitive files shared or screen sharing outside of authorized users.
High Number of Participants Impact T1070.004 – Indicator Removal on Host Medium
Investigation Actions (APIs) Get Meeting Reports API for participant details.
Incident Creation Criteria Sudden spike in participant numbers (above defined threshold).
API Key Misuse Credential Access T1078 – Valid Accounts Critical
Investigation Actions (APIs) Get Account API Key Details API to review key usage.
Incident Creation Criteria API key usage from unknown IP or used beyond typical timeframes.
Admin Account Changes Privilege Escalation T1078.004 – Valid Accounts: Cloud Accounts Critical
Investigation Actions (APIs) Get Admin Activity API to review changes by high-privilege accounts.
Incident Creation Criteria Admin accounts making configuration changes like disabling MFA or encryption.
Configuration Drift Persistence / Defense Evasion T1484.001 – Domain Policy Modification High
Investigation Actions (APIs) Get Account Settings API to retrieve current security settings.
Incident Creation Criteria Key security configurations disabled (e.g., waiting rooms, passcodes, MFA).
Recording Retrieval Collection T1071.004 – Video Capture Medium
Investigation Actions (APIs) Get Recordings API to retrieve stored meeting recordings.
Incident Creation Criteria Meetings with sensitive data shared without security controls (e.g., no encryption).
Unusual Meeting Time Activity Defense Evasion T1027 – Obfuscated Files or Information Medium
Investigation Actions (APIs) Get Meeting Reports API to check meeting logs.
Incident Creation Criteria Meetings held outside of normal business hours with unexpected participants.
Anomalous File Transfer Exfiltration T1041 – Exfiltration Over Web Service High
Investigation Actions (APIs) Get Meeting Reports API for transferred files during meetings.
Incident Creation Criteria Unusual or unauthorized file transfer activity detected in a Zoom session.
External Participant Spike Reconnaissance T1595 – Active Scanning Medium
Investigation Actions (APIs) Get Meeting Reports API to retrieve participant logs.
Incident Creation Criteria An unusually high number of external participants joining sensitive meetings.
Suspicious Admin API Calls Privilege Escalation / Execution T1078.004 – Cloud Accounts High
Investigation Actions (APIs) Get Admin Activity API to track unusual admin API activity.
Incident Creation Criteria Admin account making unusual API calls, especially to change security settings.

APIs and Their Scopes

Detection / Hunting Rule Required API Scopes Required Description
MFA Failure GET /users/{userId}/login_history user:read:admin Retrieves user login history to identify MFA failures.
New Device Login GET /users/{userId}/login_history user:read:admin Accesses login history to check for new device logins.
Unusual Geolocation Access GET /users/{userId}/login_history user:read:admin Retrieves geolocation data for user logins.
Meeting Bombing Attempts GET /report/meetings meeting:read:admin Accesses meeting report data to analyze participant activity.
Suspicious Meeting Links GET /meetings/{meetingId} meeting:read:admin Retrieves meeting details, including chat logs and invites.
Data Leakage (Screen/File Sharing) GET /report/meetings meeting:read:admin Retrieves meeting reports to check for screen/file sharing activities.
High Number of Participants GET /report/meetings meeting:read:admin Accesses meeting participant lists to analyze spikes in attendance.
API Key Misuse GET /users/{userId}/api_keys user:read:admin Retrieves API key usage details for the user.
Admin Account Changes GET /users/{userId}/activity_logs user:read:admin Accesses admin activity logs for changes made by privileged accounts.
Configuration Drift GET /accounts/{accountId}/settings account:read:admin Retrieves current security settings for the account.
Recording Retrieval GET /meetings/{meetingId}/recordings recording:read:admin Accesses recordings for specific meetings.
Unusual Meeting Time Activity GET /report/meetings meeting:read:admin Retrieves meeting logs to identify unusual activity patterns.
Anomalous File Transfer GET /report/meetings meeting:read:admin Accesses meeting reports to check for file transfers.
External Participant Spike GET /report/meetings meeting:read:admin Retrieves meeting reports to analyze external participant logs.
Suspicious Admin API Calls GET /users/{userId}/activity_logs user:read:admin Accesses logs of admin API calls to track unusual activities.

Reports and Widgets for CISO

Report Name Widgets Description / Insights for CISO
User Access & Login Activity Failed Login Attempts (Bar/Line chart) Provides a detailed view of user login attempts, geolocation, and new devices accessing Zoom. Highlights potential brute-force attacks or unauthorized access attempts.

Successful Logins by Geolocation (Map)

New Device Logins (Pie chart)
Multi-Factor Authentication (MFA) Overview MFA Failure Rate (Bar chart) Tracks MFA authentication attempts and any suspicious patterns related to MFA failures or accounts bypassing MFA. Ensures secure access management.

Successful MFA Logins (Line chart)

MFA Exceptions (Table)
Meeting Security Report Suspicious Meeting Activity (Table) Monitors meeting activities with a focus on unauthorized access attempts (e.g., meeting bombing), high participation anomalies, and general meeting security trends.

Unauthorized Meeting Join Attempts (Bar chart)

High Participant Count (Line chart)
Data Sharing & Exfiltration File Sharing Activity (Bar chart) Tracks all file and screen sharing activities to identify potential data exfiltration or inappropriate sharing of sensitive information during meetings.

Screen Sharing Usage (Pie chart)

External File Transfers (Table)
Zoom API Usage & Misuse API Key Usage (Line chart) Provides insight into Zoom API key usage and identifies any misuse or anomalous API activity that could indicate compromised keys or unauthorized access.

Suspicious API Calls (Bar chart)

New API Keys Created (Table)
Admin Activity & Configuration Drift Admin Changes (Bar chart) Monitors high-privilege admin activity, ensuring that security settings remain intact and highlighting any configuration drifts that could weaken the security posture.

Configuration Changes (Table)

Security Setting Deviations (Heatmap)
Recording & Webinar Monitoring Recorded Meetings (Line chart) Focuses on meeting recordings and webinars, identifying when sensitive meetings are recorded or shared externally, which may pose risks to data confidentiality.

Webinar Participation (Bar chart)

External Sharing of Recordings (Pie chart)
Incident Response Summary Active Incidents (List/Table) Provides an overview of all security incidents related to Zoom, tracking their resolution and highlighting any trends in incident generation. This is crucial for incident response planning.

Incident Status (Bar chart)

Incident Trends (Line chart)
Unusual Meeting Time Activity After-Hours Meetings (Bar chart) Highlights meetings that occur outside of normal business hours or have suspiciously long durations, which could be indicators of unauthorized activities.

Weekend Meeting Activity (Line chart)

Meeting Duration Anomalies (Table)
External Participant & Access Monitoring External Participants in Sensitive Meetings (Table) Tracks the presence of external participants in sensitive meetings and identifies any unfamiliar domains attempting to access meetings. Helps prevent external eavesdropping.

External Meeting Joins (Bar chart)

Unrecognized External Domains (Pie chart)