Zoom Logs

Panther supports pulling logs directly from Zoom

Overview

Panther fetches Zoom operational and activity logs by polling Zoom's Report API endpoints (sign in/sign out activity and operation logs). Panther can specifically monitor the following Zoom events:

  • Changes to Account and Group settings

  • Changes in role and license assignments for users

  • Changes to subscriptions under Billing

  • Changes to SSO configuration, including changes to your SSO and SAML mapping settings

How to onboard Zoom logs to Panther

To set up this integration, you will create an OAuth2 app in your Zoom account and configure Zoom as a log source in your Panther Console.

Prerequisite

While logged in to Zoom as a user with the Admin role, go to the Zoom roles page and verify that your Zoom user account (to be used later in Step 2) has the following required permissions:

  • The Usage reports view permission.

  • The Sign In/Sign Out view permission.

  • The Admin Activity Logs view permission.

Step 1: Create a new Zoom log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Zoom from the list of available log sources. Click Start Setup.

  4. On the next screen, enter a descriptive name for the source e.g. My Zoom logs.

  5. Click Setup.

  6. Copy the Redirect URL from Panther and save it in a secure location. You will need this in the next steps when you create an OAuth2 App in Zoom.

  7. Keep this browser window open, as you will need to complete additional configuration in the next steps.

Step 2: Create a new OAuth2 app in Zoom

For reference, see Zoom's Create an OAuth app documentation.

  1. Log in to your Zoom account.

  2. Register your app in the Zoom App Marketplace.

    1. Navigate to the Zoom App Marketplace.

    2. Click Develop in the dropdown menu in the top-right corner of the page.

    3. Select Build App.

      • A new page will appear displaying the available app types.

    4. Click Create in the OAuth option to continue.

  3. Create an OAuth app with the following parameters:

    • App Name: The app’s name.

    • App Type: Choose Account-level app as the app type.

    • Distribution: You can choose Enabled to make the app publicly available in the Zoom App Marketplace, or toggle to Disabled to keep the app private. The app does not need to be publicly available for this integration, so leave it Disabled: it will only ever be installed on your own account, and it holds report-reading scopes.

  4. When finished, click Create.

    • A new window displaying your new OAuth app will appear.

  5. Copy the Client ID and Client Secret for your app and store them in a secure location.

    • You will need these in the next steps to finish your setup in the Panther Console.

  6. In the Redirect URL field, paste in the Redirect URL that you copied from the Panther Console in the earlier steps of this documentation.

  7. In the OAuth Allow List field, paste in the Redirect URL that you copied from the Panther Console in the earlier steps of this documentation.

  8. Navigate to Scopes > Add Scopes, select Report, and tick "View report data". This is the only scope the integration needs; do not add others.

  9. Click Done.

    • After you click Done, do not click Continue in Zoom.

  10. Navigate back to the Panther Console to complete the final setup.

Step 3: Finish setup in Panther

  1. In the Panther Console, on the Set Credentials page, enter the Client ID and the Client Secret that you obtained from Zoom, and click Setup.

  2. Click Grant Access to grant Panther access to your Zoom logs.

  3. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
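The three steps above wire together a standard OAuth2 authorization-code flow: Panther's Redirect URL is registered with the app, the user approves the app at Grant Access, Panther exchanges the returned code for a token using the Client ID and Client Secret, and then polls the Report API. The following Python is an added illustration of that flow, not Panther's own code. It assumes Zoom's public endpoints https://zoom.us/oauth/authorize, https://zoom.us/oauth/token and https://api.zoom.us/v2/report/{activities,operationlogs}, and that "View report data" corresponds to the scope report:read:admin; the HTTP transport is injected so the sample runs offline against constructed pages.

```python
"""Model of the OAuth2 authorization-code flow and Report API polling behind the
Zoom log source. Added example, not Panther's code. Endpoint paths and the scope
name are assumptions from Zoom's public API, not stated on the page."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"   # assumed
TOKEN_URL = "https://zoom.us/oauth/token"           # assumed
API_BASE = "https://api.zoom.us/v2"                  # assumed
SCOPE = "report:read:admin"                          # assumed name of "Report > View report data"


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 3.2 (Grant Access): the admin is sent here to approve the app.
    `state` is a random nonce the caller stores to bind the callback to this request."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, registered_redirect: str, expected_state: str) -> str:
    """Validate the redirect Zoom sends back and return the authorization code.
    The callback must land on the registered Redirect URL exactly (Zoom enforces
    this too, which is why the same URL goes in both fields in Step 2)."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != registered_redirect:
        raise ValueError("callback did not arrive on the registered Redirect URL")
    q = parse_qs(parts.query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in q:
        raise ValueError(q.get("error", ["no code in callback"])[0])
    return q["code"][0]


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Build the code-for-token exchange. Client credentials travel in HTTP Basic
    auth, never in the query string, so they do not end up in proxy or server logs."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return TOKEN_URL, headers, body


def fetch_report(get, path: str, from_date: str, to_date: str, page_size: int = 300):
    """Drain one Report endpoint, following next_page_token until Zoom returns an
    empty one. `get(url, params) -> dict` is injected so this runs offline."""
    key = "activity_logs" if path.endswith("activities") else "operation_logs"
    rows, token = [], ""
    while True:
        params = {"from": from_date, "to": to_date, "page_size": page_size}
        if token:
            params["next_page_token"] = token
        page = get(f"{API_BASE}{path}", params)
        rows.extend(page.get(key, []))
        token = page.get("next_page_token", "")
        if not token:
            return rows


# Constructed stand-in for the Report API: serves `pages` in order, one per token.
def fake_zoom_get(pages):
    def get(url, params):
        idx = int(params.get("next_page_token", "p0")[1:])
        page = dict(pages[idx])
        page["next_page_token"] = f"p{idx + 1}" if idx + 1 < len(pages) else ""
        return page
    return get


SAMPLE_ACTIVITY_PAGES = [  # constructed rows shaped like Zoom.Activity
    {"activity_logs": [{"email": "alice@example.com", "time": "2024-05-01T09:00:00Z",
                        "type": "Sign in", "ip_address": "203.0.113.5",
                        "client_type": "Browser", "version": "-"}]},
    {"activity_logs": [{"email": "bob@example.com", "time": "2024-05-01T09:05:00Z",
                        "type": "Sign out", "ip_address": "198.51.100.7",
                        "client_type": "Mac", "version": "6.0.0"}]},
]

if __name__ == "__main__":
    redirect = "https://panther.example/callback"    # placeholder Redirect URL
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("CLIENT_ID", redirect, state))
    code = parse_callback(f"{redirect}?code=XYZ&state={state}", redirect, state)
    print(token_request("CLIENT_ID", "CLIENT_SECRET", code, redirect)[1]["Authorization"])
    rows = fetch_report(fake_zoom_get(SAMPLE_ACTIVITY_PAGES), "/report/activities",
                        "2024-05-01", "2024-05-01")
    print(len(rows), "activity rows")
```

The two checks in parse_callback are the ones that matter when you host a redirect endpoint yourself: an exact match on the Redirect URL, and a constant-time comparison of the state nonce so an attacker cannot splice their own authorization code into your session.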

Panther-Built Detections

See Panther's built-in rules for Zoom in the panther-analysis repository on GitHub.

Supported log types

Zoom.Activity

Sign in/sign out activity logs of users under a Zoom account.

Reference: Zoom Documentation on Sign In Sign Out Reports.

schema: Zoom.Activity
parser:
    native:
        name: Zoom.Activity
description: Sign in / sign out activity logs of users under a Zoom account
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities
fields:
    - name: email
      required: true
      description: The email address of the user used for activity.
      type: string
      indicators:
        - email
    - name: time
      required: true
      description: The timestamp of user activity
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: type
      description: 'Type of user activity: sign in/sign out'
      type: string
    - name: ip_address
      description: The IP address of the device used to access Zoom.
      type: string
      indicators:
        - ip
    - name: client_type
      description: The client interface type through which the activity was performed.
      type: string
    - name: version
      description: Zoom client version of the user.
      type: string

Zoom.Operation

The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings.

Reference: Zoom Documentation on Operation Log Reports.

schema: Zoom.Operation
parser:
    native:
        name: Zoom.Operation
description: The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs
fields:
    - name: time
      required: true
      description: The time at which the operation was performed.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: operator
      required: true
      description: The user who performed the operation.
      type: string
      indicators:
        - email
    - name: category_type
      required: true
      description: Operation category type
      type: string
    - name: action
      description: Action descriptions
      type: string
    - name: operation_detail
      description: Operation detail
      type: string
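Both schemas are most useful as inputs to detections. The following Python is an added example of two Panther-style rules written against the fields listed above, one per log type, run over constructed sample events; it is not a rule from panther-analysis. Panther calls rule(event) for each event and title(event) when it returns True, and plain dicts stand in here for Panther's event object, which exposes the same .get(). The operation_detail wording, the corporate egress ranges and the sample events are all constructed, so tune the regex and the allowlist against your own data.

```python
"""Two Panther-style detections over Zoom.Operation and Zoom.Activity events.
Added example, not from panther-analysis. Sample data and the operation_detail
phrasing are constructed; real Zoom wording varies."""
import ipaddress
import re

# --- Zoom.Operation: a user promoted into a privileged role -------------------
PRIVILEGED_ROLES = {"Owner", "Admin"}
# Assumed phrasing "... role from <old> to <new>"; adjust to your Zoom.Operation data.
ROLE_CHANGE = re.compile(r"role\s+from\s+(?P<old>[\w ]+?)\s+to\s+(?P<new>[\w ]+?)\s*$", re.I)


def role_change(event):
    """Return (old_role, new_role) parsed from operation_detail, or None."""
    m = ROLE_CHANGE.search(event.get("operation_detail", ""))
    return (m.group("old").strip(), m.group("new").strip()) if m else None


def operation_rule(event):
    # Only user-update operations carry role changes; everything else is noise here.
    if event.get("category_type") != "User" or event.get("action") != "Update":
        return False
    change = role_change(event)
    # Fire on promotion into a privileged role; ignore demotions and lateral moves.
    return bool(change and change[1] in PRIVILEGED_ROLES and change[0] not in PRIVILEGED_ROLES)


def operation_title(event):
    old, new = role_change(event)
    return f"Zoom: {event.get('operator')} changed a user's role from {old} to {new}"


# --- Zoom.Activity: sign-in from outside known egress ranges ------------------
CORPORATE_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]  # constructed


def activity_rule(event):
    if event.get("type") != "Sign in":          # sign-outs are not interesting here
        return False
    try:
        ip = ipaddress.ip_address(event.get("ip_address", ""))
    except ValueError:
        return True                              # missing or unparseable source address: surface it
    return not any(ip in net for net in CORPORATE_EGRESS)


def activity_title(event):
    return (f"Zoom: {event.get('email')} signed in from {event.get('ip_address')} "
            f"via {event.get('client_type')} {event.get('version')}")


RULES = {
    "Zoom.Operation": (operation_rule, operation_title),
    "Zoom.Activity": (activity_rule, activity_title),
}


def run(events):
    """Evaluate (log_type, event) pairs and return the alert titles that fire, in order."""
    alerts = []
    for log_type, event in events:
        rule, title = RULES[log_type]
        if rule(event):
            alerts.append(title(event))
    return alerts


SAMPLE_EVENTS = [  # constructed
    ("Zoom.Operation", {"time": "2024-05-01T10:00:00Z", "operator": "admin@example.com",
                        "category_type": "User", "action": "Update",
                        "operation_detail": "Update mallory@example.com role from Member to Admin"}),
    ("Zoom.Operation", {"time": "2024-05-01T10:01:00Z", "operator": "admin@example.com",
                        "category_type": "User", "action": "Update",
                        "operation_detail": "Update bob@example.com role from Admin to Member"}),
    ("Zoom.Activity", {"email": "alice@example.com", "time": "2024-05-01T10:02:00Z", "type": "Sign in",
                       "ip_address": "203.0.113.44", "client_type": "Mac", "version": "6.0.0"}),
    ("Zoom.Activity", {"email": "alice@example.com", "time": "2024-05-01T10:03:00Z", "type": "Sign in",
                       "ip_address": "198.51.100.9", "client_type": "Browser", "version": "-"}),
    ("Zoom.Activity", {"email": "alice@example.com", "time": "2024-05-01T10:04:00Z", "type": "Sign out",
                       "ip_address": "198.51.100.9", "client_type": "Browser", "version": "-"}),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Of the five sample events only the promotion and the off-network sign-in fire; the demotion, the sign-in from a corporate range and the sign-out are dropped by the rule logic rather than by post-filtering, which is how you keep alert volume down in Panther.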
