Name:Zoom High Video Latency id:6ad6b548-adfa-452c-aa77-9ff94877e832 version:1 date:2025-06-02 author:Marissa Bower, Raven Tait status:experimental type:Anomaly Description:Detects particularly high latency from Zoom logs. Latency observed from threat actors performing Remote Employment Fraud (REF) is typically well above what’s normal for the majority of employees. Data_source:
search:`zoom_index` | spath "payload.object.participant.qos{}.type" | search "payload.object.participant.qos{}.type"=video_input | rename payload.object.participant.qos{}.details.avg_latency as avg_latency "payload.object.participant.qos{}.details.latency" as latency payload.object.participant.email as email | rex field=avg_latency "(?<average_latency>\d+) ms" | rex field=latency "(?<overall_latency>\d+) ms" | search email="*" | table email overall_latency latency avg_latency average_latency _raw | stats latest(overall_latency) as overall_latency by email _raw | where overall_latency>300 | `zoom_high_video_latency_filter`
how_to_implement:The analytic leverages Zoom logs to be ingested using Splunk Connect for Zoom (https://splunkbase.splunk.com/app/4961) known_false_positives:While latency could simply indicate a slow network connection, when combined with other indicators, it can help build a more complete picture. Tune the threshold as needed for your environment baseline. References: drilldown_searches: name:'View the detection results for - "$email$"' search:'%original_detection_search% | search payload.object.participant.email = "$email$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$email$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Remote Employment Fraud' asset_type:Identity mitre_attack_id: - 'T1078' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
