# Zoom Logs

## Overview

Panther can fetch Zoom operational and activity logs by querying various Zoom API endpoints. Panther can specifically monitor the following Zoom events:

* Changes to Account and Group settings
* Changes in role and license assignments for users
* Changes to subscriptions under Billing
* Changes made to SSO configuration, including changes made by your SSO and SAML mapping configuration

## How to onboard Zoom logs to Panther

To set up this integration, you will create an OAuth2 app in your Zoom account and configure Zoom as a log source in your Panther Console.

### Prerequisites

* Your Zoom user account has an Admin role.

{% hint style="warning" %}
If this Zoom user leaves your organization, this integration may break. You may instead wish to use a shared service account in Zoom.
{% endhint %}

* Your Zoom user account has the following permissions (which you can verify in the [Zoom roles page](https://zoom.us/role#/)—click **Admin** to see the **Role Settings**):
  * The `Usage reports` view permission
  * The `Admin Activity Logs` view permission
    * This is required if you are fetching [Zoom.Operation](#zoom.operation) logs
  * The `Sign In/Sign Out` view permission
    * This is required if you are fetching [Zoom.Activity](#zoom.activity) logs\
      ![The role permissions screen of the Zoom Console is shown. Various permissions are shown with checkboxes; Usage reports, Sign In/Sign Out, and Admin Activity Logs are all selected.](/files/qcjBDup5bhLXvnxnmVdG)

### Step 1: Create a new Zoom log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Select **Zoom** from the list of available log sources. Click **Start Setup**.
4. On the next screen, enter a descriptive name for the source, e.g., `My Zoom logs`.
5. Click **Setup**.
6. Copy the Redirect URL from Panther and save it in a secure location. You will need this in the next steps when you create an OAuth app in Zoom.
   * Keep this browser window open, as you will need to complete additional configuration in the next steps.

### Step 2: Create a new OAuth app in Zoom

For additional reference, see the [Zoom documentation on how to create an OAuth app](https://developers.zoom.us/docs/integrations/create/).

1. Navigate to the [Zoom App Marketplace](https://marketplace.zoom.us/).
2. In the top-right corner of the page, click the **Develop** dropdown, then select **Build App**.
3. In the **What kind of app are you creating** pop-up, select **General App**, then click **Create**.
4. On the **Basic Information** page:
   1. Under **Select how the app is managed**, select **Admin-managed**, then click **Save**.\
      ![A header reading "Select how the app is managed" is above two radio buttons with the following labels: Admin-managed and User-managed. At the bottom are "Save" and "Cancel" buttons.](/files/Y8VwfTdbIUPg9RIbf2z0)
   2. Scroll to the **OAuth Information** section. In the **OAuth redirect URL** field, paste the Redirect URL you copied from the Panther Console in Step 1.
      * In the **OAuth allow lists** field, verify the Redirect URL is included. If it isn't, add it to the list.
   3. Copy the **Client ID** and **Client Secret** for your app and store them in a secure location. You will need these in the next steps to finish your setup in the Panther Console.
5. Navigate to the **Scopes** page.
   1. Click **Add Scopes**.
   2. Select **Reports** > **View operation logs** and **View user sign in/out activity logs**.
   3. Add the following scopes, depending on the logs you plan to ingest:
      * `report:read:operation_logs:admin`
        * This is required if you are fetching Zoom operation logs.
      * `report:read:user_activities:admin`
        * This is required if you are fetching Zoom activity logs.
   4. After adding the scopes, click **Done**.\
      ![](/files/7kkiI2ux66s2dae5pCEF)

{% hint style="info" %}
These are [granular scopes](https://developers.zoom.us/docs/integrations/oauth-scopes-granular/). If you created your Zoom app before March 21, 2024, you likely used [classic scopes](https://developers.zoom.us/docs/integrations/oauth-scopes/). Panther supports Zoom apps created using either granular or classic scopes.
{% endhint %}

6. Navigate to the **Local Test** page.
   1. Click **Preview Your App Listing Page**.
   2. Once you are redirected to the App page, click **Approve**.
   3. In the **App approval and authorization** pop-up, designate the specific users who will be granted access to this application.\
      ![](/files/RICAyRlgAKa7o4c1CXLi)
   4. Click **Add**, then **Confirm**.
7. Navigate back to the Panther Console to complete the final setup.

### Step 3: Finish setup in Panther

1. In the Panther Console, on the **Credentials** page, enter the **Client ID** and the **Client Secret** that you obtained from Zoom.
2. Under **Select the type of scopes to use**, choose **Use granular scopes**.
3. Click **Setup.**
4. Click **Grant Access** to grant Panther access to your Zoom logs.
   * Remember that you must be signed in to a Zoom account that has the role and privileges outlined in the [Prerequisites section, above](#prerequisites).\
     ![](/files/ieELp2fIWKuSVMZ3JsLw)
5. You will be directed to a success screen:

   <div align="left"><figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure></div>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Panther-managed detections

See [Panther-managed](/detections/panther-managed.md) rules for Zoom in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/zoom_operation_rules).

## Supported log types

### Zoom.Activity

Sign in/sign out activity logs of users under a Zoom account.

Reference: [Zoom Documentation on Sign In Sign Out Reports.](https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities)

```yaml
schema: Zoom.Activity
parser:
    native:
        name: Zoom.Activity
description: Sign in / sign out activity logs of users under a Zoom account
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportSignInSignOutActivities
fields:
    - name: email
      required: true
      description: The email address of the user used for activity.
      type: string
      indicators:
        - email
    - name: time
      required: true
      description: The timestamp of user activity
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: type
      description: 'Type of user activity: sign in/sign out'
      type: string
    - name: ip_address
      description: The IP address of the device used to access Zoom.
      type: string
      indicators:
        - ip
    - name: client_type
      description: The client interface type using which the activity was performed.
      type: string
    - name: version
      description: Zoom client version of the user.
      type: string
```
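
The following standalone Python script is an added example, not part of Panther's documentation or the panther-analysis rules. It uses the `email`, `time`, `type`, and `ip_address` fields from the schema above to flag users who sign in from several distinct IP addresses within a short window. The sample events, the 60-minute window, the threshold of three addresses, and the `Sign in` wording of the `type` value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; only fields from the Zoom.Activity schema are used.
SAMPLE_EVENTS = [
    {"email": "alice@example.com", "time": "2024-05-01T09:00:00Z", "type": "Sign in", "ip_address": "192.0.2.10"},
    {"email": "alice@example.com", "time": "2024-05-01T09:20:00Z", "type": "Sign in", "ip_address": "198.51.100.7"},
    {"email": "alice@example.com", "time": "2024-05-01T09:40:00Z", "type": "Sign in", "ip_address": "203.0.113.5"},
    {"email": "bob@example.com", "time": "2024-05-01T09:05:00Z", "type": "Sign in", "ip_address": "192.0.2.44"},
    {"email": "bob@example.com", "time": "2024-05-01T17:00:00Z", "type": "Sign out", "ip_address": "198.51.100.9"},
    {"email": "carol@example.com", "time": "2024-05-01T08:00:00Z", "type": "Sign in", "ip_address": "192.0.2.1"},
    {"email": "carol@example.com", "time": "2024-05-01T12:00:00Z", "type": "Sign in", "ip_address": "198.51.100.2"},
    {"email": "carol@example.com", "time": "2024-05-01T16:00:00Z", "type": "Sign in", "ip_address": "203.0.113.3"},
    {"time": "2024-05-01T09:00:00Z", "type": "Sign in"},  # malformed: required email missing
]


def parse_time(value):
    # The schema's timeFormat is rfc3339; older Pythons need "+00:00" rather than "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def multi_ip_sign_ins(events, window_minutes=60, threshold=3):
    """Return {email: sorted IPs} for users with >= threshold distinct sign-in IPs in the window."""
    per_user = defaultdict(list)
    for ev in events:
        # email and time are required by the schema; ip_address is optional, so skip gaps.
        if not ev.get("email") or not ev.get("time") or not ev.get("ip_address"):
            continue
        if "sign in" not in (ev.get("type") or "").lower():  # assumed wording of the type value
            continue
        per_user[ev["email"].lower()].append((parse_time(ev["time"]), ev["ip_address"]))

    flagged = {}
    for email, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most window_minutes.
            while rows[end][0] - rows[start][0] > timedelta(minutes=window_minutes):
                start += 1
            ips = {ip for _, ip in rows[start:end + 1]}
            if len(ips) >= threshold:
                flagged[email] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    print(multi_ip_sign_ins(SAMPLE_EVENTS))
```
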

### Zoom.Operation

The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings.

Reference: [Zoom Documentation on Operation Log Reports.](https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs)

```yaml
schema: Zoom.Operation
parser:
    native:
        name: Zoom.Operation
description: The report allows you to audit admin and user activity, such as adding a new user, changing account settings, and deleting recordings
referenceURL: https://developers.zoom.us/docs/api/rest/reference/zoom-api/methods/#operation/reportOperationLogs
fields:
    - name: time
      required: true
      description: The time at which the operation was performed.
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: operator
      required: true
      description: The user who performed the operation.
      type: string
      indicators:
        - email
    - name: category_type
      required: true
      description: Operation category type
      type: string
    - name: action
      description: Action descriptions
      type: string
    - name: operation_detail
      description: Operation detail
      type: string
```

