name: Zoom Rare Input Devices
id: d290eeef-d05e-49a8-b598-72296023b87b
version: 1
date: '2025-06-02'
author: Marissa Bower, Raven Tait
status: experimental
type: Hunting
description: Detects rare input devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically present device information that differs from that of the majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
data_source:
search: '`zoom_index` microphone=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*") | rare microphone limit=50 | `zoom_rare_input_devices_filter`'
how_to_implement: This analytic relies on Zoom logs ingested with Splunk Connect for Zoom (https://splunkbase.splunk.com/app/4961).
known_false_positives: This is a hunting query meant to identify rare microphone devices.
references:
drilldown_searches:
tags:
  analytic_story:
  - Remote Employment Fraud
  asset_type: Identity
  mitre_attack_id:
  - T1123
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: identity
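The following Python reproduces the logic of the SPL search above (the wildcard exclusion clause followed by `rare microphone`) so the allow-list can be reviewed offline against exported Zoom device records. It is an added example, not part of the ESCU content or Splunk Connect for Zoom; the event dictionaries and device names are constructed samples, and the field names `microphone`, `camera` and `speaker` are assumed to match the Zoom index.

```python
import fnmatch
from collections import Counter

# Exclusions mirroring the NOT (...) clause of the SPL search: (field, wildcard).
# SPL field matching is case-insensitive, so values are compared case-folded.
EXCLUSIONS = [
    ("camera", "*iPhone*"),
    ("camera", "*FaceTime*"),
    ("speaker", "*AirPods*"),
    ("camera", "*MacBook*"),
    ("microphone", "*MacBook Pro Microphone*"),
]


def is_excluded(event):
    """True when the event matches any allow-listed (common) device pattern."""
    for field, pattern in EXCLUSIONS:
        value = event.get(field)
        if value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def rare_microphones(events, limit=50):
    """Equivalent of: microphone=* NOT (...) | rare microphone limit=N.
    Returns (microphone, count, percent) tuples, least common first."""
    kept = [e for e in events if e.get("microphone") and not is_excluded(e)]
    counts = Counter(e["microphone"] for e in kept)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(mic, n, round(100.0 * n / total, 2)) for mic, n in ranked[:limit]]


# Constructed sample of Zoom participant device records (not real log data).
SAMPLE_EVENTS = [
    {"user": "a", "microphone": "MacBook Pro Microphone", "camera": "FaceTime HD Camera", "speaker": "MacBook Pro Speakers"},
    {"user": "b", "microphone": "Jabra Evolve2 65", "camera": "Logitech C920", "speaker": "Jabra Evolve2 65"},
    {"user": "c", "microphone": "Jabra Evolve2 65", "camera": "Logitech C920", "speaker": "Jabra Evolve2 65"},
    {"user": "d", "microphone": "Jabra Evolve2 65", "camera": "Logitech C920", "speaker": "Jabra Evolve2 65"},
    {"user": "e", "microphone": "USB PnP Sound Device", "camera": "USB2.0 Camera", "speaker": "USB PnP Sound Device"},
    {"user": "f", "microphone": "iPhone Microphone", "camera": "iPhone Camera", "speaker": "iPhone Speaker"},
    {"user": "g", "microphone": None, "camera": "Logitech C920", "speaker": "Jabra Evolve2 65"},  # no microphone field
]

if __name__ == "__main__":
    for mic, count, pct in rare_microphones(SAMPLE_EVENTS):
        print(f"{count:>3} {pct:>6}%  {mic}")
```

Events with no `microphone` value are dropped before counting, exactly as `microphone=*` does in the SPL, so a device that reports nothing at all never shows up as "rare" and needs a separate hunt.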