# Zoom Logs

## Overview

Panther can fetch Zoom operational and activity logs by querying various Zoom API endpoints. Panther can specifically monitor the following Zoom events:

* Changes to Account and Group settings
* Changes in role and license assignments for users
* Changes to subscriptions under Billing
* Changes made to SSO configuration, including your SSO and SAML mapping configuration

## How to onboard Zoom logs to Panther

To set up this integration, you will create an OAuth2 app in your Zoom account and configure Zoom as a log source in your Panther Console.

### Prerequisites

* Your Zoom user account has an Admin role.

{% hint style="warning" %}
If this Zoom user leaves your organization, this integration may break. You may instead wish to use a shared service account in Zoom.
{% endhint %}

* Your Zoom user account has the following permissions (which you can verify on the [Zoom roles page](https://zoom.us/role#/): click **Admin** to see the **Role Settings**):
  * The `Usage reports` view permission
  * The `Admin Activity Logs` view permission
    * This is required if you are fetching [Zoom.Operation](#zoom.operation) logs
  * The `Sign In/Sign Out` view permission
    * This is required if you are fetching [Zoom.Activity](#zoom.activity) logs\
      ![The role permissions screen of the Zoom Console is shown. Various permissions are shown with checkboxes; Usage reports, Sign In/Sign Out, and Admin Activity Logs are all selected.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0a70bf8824cbe2f0f584758114f3ab71990c982b%2Fimage.png?alt=media)

### Step 1: Create a new Zoom log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Select **Zoom** from the list of available log sources. Click **Start Setup**.
4. On the next screen, enter a descriptive name for the source, e.g. `My Zoom logs`.
5. Click **Setup**.
6. Copy the Redirect URL from Panther and save it in a secure location. You will need this in the next steps when you create an OAuth app in Zoom.
   * Keep this browser window open, as you will need to complete additional configuration in the next steps.

### Step 2: Create a new OAuth app in Zoom

For additional reference, see the [Zoom documentation on how to create an OAuth app](https://developers.zoom.us/docs/integrations/create/).

1. Navigate to the [Zoom App Marketplace](https://marketplace.zoom.us/).
2. In the top-right corner of the page, click the **Develop** dropdown, then select **Build App**.
3. In the **What kind of app are you creating** pop-up, select **General App**, then click **Create**.
4. On the **Basic Information** page:
   1. Under **Select how the app is managed**, select **Admin-managed**, then click **Save**.\
      ![A header reading "Select how the app is managed" is above two radio buttons with the following labels: Admin-managed and User-managed. At the bottom are "Save" and "Cancel" buttons.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-7ed9736433ed2d4a582803d0ca03ff2e75674b5e%2Fimage.png?alt=media)
   2. Scroll to the **OAuth Information** section. In the **OAuth redirect URL** field, paste the Redirect URL you copied from the Panther Console in Step 1.
      * In the **OAuth allow lists** field, verify the Redirect URL is included. If it isn't, add it to the list.
   3. Copy the **Client ID** and **Client Secret** for your app and store them in a secure location. You will need these in the next steps to finish your setup in the Panther Console.
5. Navigate to the **Scopes** page.
   1. Click **Add Scopes**.
   2. Select **Reports** > **View operation logs** and **View user sign in/out activity logs**.
   3. Add the following scopes, depending on the logs you plan to ingest:
      * `report:read:operation_logs:admin`
        * This is required if you are fetching Zoom operation logs.
      * `report:read:user_activities:admin`
        * This is required if you are fetching Zoom activity logs.
   4. After adding the scopes, click **Done**.\
      ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FrNFp9QcfiUi2L61djpyt%2Fimage.png?alt=media\&token=6fdcd264-acde-4fb9-ae77-c08334bb219e)

{% hint style="info" %}
These are [granular scopes](https://developers.zoom.us/docs/integrations/oauth-scopes-granular/). If you created your Zoom app before March 21, 2024, you likely used [classic scopes](https://developers.zoom.us/docs/integrations/oauth-scopes/). Panther supports Zoom apps created using either granular or classic scopes.
{% endhint %}

6. Navigate to the **Local Test** page.
   1. Click **Preview Your App Listing Page**.
   2. Once you are redirected to the App page, click **Approve**.
   3. In the **App approval and authorization** pop-up, designate the specific users who will be granted access to this application.\
      ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F2mYXNf5zPWk4ZLEnOJiq%2FScreenshot%202026-01-13%20at%203.11.57%E2%80%AFPM.png?alt=media\&token=6f89f7f4-43cd-41d3-ad36-b23297d11357)
   4. Click **Add**, then **Confirm**.
7. Navigate back to the Panther Console to complete the final setup.

### Step 3: Finish setup in Panther

1. In the Panther Console, on the **Credentials** page, enter the **Client ID** and the **Client Secret** that you obtained from Zoom.
2. Under **Select the type of scopes to use**, choose **Use granular scopes**.
3. Click **Setup**.
4. Click **Grant Access** to grant Panther access to your Zoom logs.
   * Remember that you must be signed in to a Zoom account that has the role and privileges outlined in the [Prerequisites section, above](#prerequisites).\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-1b9bee89da843f918daf926f2e91da8ff8c9ae4e%2Fimage.png?alt=media)
5. You will be directed to a success screen:

   <div align="left"><figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure></div>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Zoom in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/zoom_operation_rules).

## Supported log types

### Zoom.Activity

Sign in/sign out activity logs of users under a Zoom account.

Reference: [Zoom Documentation on Sign In Sign Out Reports](https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities).

```yaml
schema: Zoom.Activity
parser:
    native:
        name: Zoom.Activity
description: Sign in / sign out activity logs of users under a Zoom account
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities
fields:
    - name: email
      required: true
      description: The email address of the user used for activity.
      type: string
      indicators:
        - email
    - name: time
      required: true
      description: The timestamp of user activity
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: type
      description: 'Type of user activity: sign in/sign out'
      type: string
    - name: ip_address
      description: The IP address of the device used to access Zoom.
      type: string
      indicators:
        - ip
    - name: client_type
      description: The client interface type using which the activity was performed.
      type: string
    - name: version
      description: Zoom client version of the user.
      type: string
```

### Zoom.Operation

The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings.

Reference: [Zoom Documentation on Operation Log Reports](https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs).

```yaml
schema: Zoom.Operation
parser:
    native:
        name: Zoom.Operation
description: The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs
fields:
    - name: time
      required: true
      description: The time at which the operation was performed.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: operator
      required: true
      description: The user who performed the operation.
      type: string
      indicators:
        - email
    - name: category_type
      required: true
      description: Operation category type
      type: string
    - name: action
      description: Action descriptions
      type: string
    - name: operation_detail
      description: Operation detail
      type: string
```
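The following Python is an added example, not Panther's own code and not one of the rules in the panther-analysis repository. It shows the kind of detection logic a practitioner would write over the two schemas above: a required-field check derived from the `Zoom.Activity` and `Zoom.Operation` schemas, a `rule(event)`/`title(event)`-style rule that flags sensitive `Zoom.Operation` categories (the page says Panther monitors account/group settings, role and license, billing, and SSO changes), and a correlation over `Zoom.Activity` sign-ins that surfaces one user signing in from several IP addresses within a short window. Only the field names come from the schemas; the sample events, the strings in `SENSITIVE_CATEGORIES`, the `"Sign in"` type value, and the approved-operator list are constructed assumptions.

```python
"""Detection logic over Zoom.Activity and Zoom.Operation events (added example).

Field names follow the two schemas on this page; every field *value* below
(emails, IPs, category strings, the "Sign in" type string) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Required fields as declared in the Zoom.Activity / Zoom.Operation schemas above.
REQUIRED = {
    "Zoom.Activity": ("email", "time"),
    "Zoom.Operation": ("time", "operator", "category_type"),
}

# Assumed category_type values; the real strings Zoom emits are not on this page.
SENSITIVE_CATEGORIES = {"Account", "Group", "User Role", "Billing", "SSO"}


def validate(log_type, event):
    """Return the required fields missing from an event (empty list means valid)."""
    return [f for f in REQUIRED[log_type] if not event.get(f)]


def parse_rfc3339(value):
    """Both schemas declare `time` as rfc3339; normalize to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def operation_rule(event, approved_operators=frozenset()):
    """Panther-style rule: fire on a sensitive category changed by a non-approved operator."""
    if validate("Zoom.Operation", event):
        return False  # malformed event; do not alert on missing data
    return (event.get("category_type") in SENSITIVE_CATEGORIES
            and event.get("operator") not in approved_operators)


def operation_title(event):
    """Panther-style title for the alert produced by operation_rule."""
    return (f"Zoom {event.get('category_type')} change by {event.get('operator')}: "
            f"{event.get('action')} ({event.get('operation_detail')})")


def multi_ip_signins(events, window_minutes=30, threshold=2):
    """Return {email: sorted IPs} for users who signed in from >= threshold distinct
    IP addresses within any rolling window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if validate("Zoom.Activity", e) or e.get("type") != "Sign in":
            continue
        by_user[e["email"]].append((parse_rfc3339(e["time"]), e.get("ip_address") or ""))
    flagged = {}
    for email, rows in by_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            ips = {ip for t, ip in rows[i:] if t - start <= window and ip}
            if len(ips) >= threshold:
                flagged[email] = sorted(ips)
                break
    return flagged


# Constructed sample events shaped like the two schemas.
SAMPLE_OPERATIONS = [
    {"time": "2024-05-01T10:00:00Z", "operator": "admin@example.com",
     "category_type": "SSO", "action": "Update", "operation_detail": "SAML mapping changed"},
    {"time": "2024-05-01T10:05:00Z", "operator": "helpdesk@example.com",
     "category_type": "User", "action": "Add", "operation_detail": "Added user"},
]
SAMPLE_ACTIVITY = [
    {"email": "alice@example.com", "time": "2024-05-01T09:00:00Z", "type": "Sign in",
     "ip_address": "203.0.113.10", "client_type": "mac", "version": "5.17.0"},
    {"email": "alice@example.com", "time": "2024-05-01T09:12:00Z", "type": "Sign in",
     "ip_address": "198.51.100.7", "client_type": "iphone", "version": "5.17.0"},
    {"email": "bob@example.com", "time": "2024-05-01T09:00:00Z", "type": "Sign out",
     "ip_address": "203.0.113.11", "client_type": "win", "version": "5.17.0"},
]

if __name__ == "__main__":
    for op in SAMPLE_OPERATIONS:
        if operation_rule(op):
            print("ALERT:", operation_title(op))
    print("multi-IP sign-ins:", multi_ip_signins(SAMPLE_ACTIVITY))
```

A plain dict stands in for Panther's event object here because both expose `.get()`; in a real rule you would tune `SENSITIVE_CATEGORIES` to the `category_type` values seen in your own `Zoom.Operation` data and feed `approved_operators` from a maintained list of change-management accounts.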
