Zoom Logs
Panther supports pulling logs directly from Zoom
Overview
Panther can fetch Zoom operational and activity logs by querying various Zoom API endpoints. Panther can specifically monitor the following Zoom events:
Changes to Account and Group settings
Changes in role and license assignments for users
Changes to subscriptions under Billing
Changes made to SSO configuration, including changes made by your SSO and SAML mapping configuration
How to onboard Zoom logs to Panther
To set up this integration, you will create an OAuth2 app in your Zoom account and configure Zoom as a log source in your Panther Console.
Prerequisite
While logged in to Zoom as a user with the Admin role, go to the Zoom roles page and verify that your Zoom user account (to be used later, in Step 2) has the following required permissions:
The
Usage reportsview permission.The
Sign In/Sign Outview permission.This is required if you are fetching Zoom.Activity logs.
The
Admin Activity Logsview permission.This is required if you are fetching Zoom.Operation logs.
Step 1: Create a new Zoom log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Zoom from the list of available log sources. Click Start Setup.
On the next screen, enter a descriptive name for the source e.g.
My Zoom logs.Click Setup.
Copy the Redirect URL from Panther and save it in a secure location. You will need this in the next steps when you create an OAuth app in Zoom.
Keep this browser window open, as you will need to complete additional configuration in the next steps.
Step 2: Create a new OAuth app in Zoom
For additional reference, see the Zoom documentation on how to create an OAuth app.
Navigate to the Zoom App Marketplace.
In the top-right corner of the page, click the Develop dropdown, then select Build App.
On the Basic Information page:
Under Select how the app is managed, select Admin-managed, then click Save.
Scroll to the OAuth Information section. In the OAuth redirect URL field, paste the Redirect URL you copied from the Panther Console in Step 1.
In the OAuth allow lists field, verify the Redirect URL is included. If it isn't, add it to the list.
Copy the Client ID and Client Secret for your app and store them in a secure location. You will need these in the next steps to finish your setup in the Panther Console.
Navigate to the Scopes page.
Click Add Scopes.
Select Report > View Report Data.
Add the following scopes, depending on the logs you plan to ingest:
report:read:operation_logs:adminThis is required if you are fetching Zoom operation logs.
report:read:user_activities:adminThis is required if you are fetching Zoom activity logs.
Navigate to the Local Test page.
Click Preview Your App Listing Page.
Click the Approve app toggle
ON.Click the pencil icon to designate the users who will be granted access to this application.
Navigate back to the Panther Console to complete the final setup.
Step 3: Finish setup in Panther
In the Panther Console, on the Credentials page, enter the Client ID and the Client Secret that you obtained from Zoom.
Under Select the type of scopes to use, choose Use granular scopes.
Click Setup.
Click Grant Access to grant Panther access to your Zoom logs.
Remember that you must be signed in to a Zoom account that has the role and privileges outlined in the Prerequisite section, above.
You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-managed detections
See Panther-managed rules for Zoom in the panther-analysis GitHub repository.
Supported log types
Zoom.Activity
Sign in/sign out activity logs of users under a Zoom account.
Reference: Zoom Documentation on Sign In Sign Out Reports.
schema: Zoom.Activity
parser:
native:
name: Zoom.Activity
description: Sign in / sign out activity logs of users under a Zoom account
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities
fields:
- name: email
required: true
description: The email address of the user used for activity.
type: string
indicators:
- email
- name: time
required: true
description: The timestamp of user activity
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: type
description: 'Type of user activity: sign in/sign out'
type: string
- name: ip_address
description: The IP address of the device used to access Zoom.
type: string
indicators:
- ip
- name: client_type
description: The client interface type using which the activity was performed.
type: string
- name: version
description: Zoom client version of the user.
type: stringZoom.Operation
The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings.
Reference: Zoom Documentation on Operation Log Reports.
schema: Zoom.Operation
parser:
native:
name: Zoom.Operation
description: The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs
fields:
- name: time
required: true
description: The time at which the operation was performed.
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: operator
required: true
description: The user who performed the operation.
type: string
indicators:
- email
- name: category_type
required: true
description: Operation category type
type: string
- name: action
description: Action descriptions
type: string
- name: operation_detail
description: Operation detail
type: stringLast updated
Was this helpful?