Deployable detection rules
3 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Zoom Rare Audio Devices
Detects rare audio (speaker) devices in Zoom logs. Actors performing Remote Employment Fraud (REF) typically present device information that differs from what the majority of employees use. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
Query:
`zoom_index` speaker=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*") | rare speaker limit=50 | `zoom_rare_audio_devices_filter`
Zoom Rare Input Devices
Detects rare input (microphone) devices in Zoom logs. Actors performing Remote Employment Fraud (REF) typically present device information that differs from what the majority of employees use. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
Query:
`zoom_index` microphone=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*") | rare microphone limit=50 | `zoom_rare_input_devices_filter`
Zoom Rare Video Devices
Detects rare video (camera) devices in Zoom logs. Actors performing Remote Employment Fraud (REF) typically present device information that differs from what the majority of employees use. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
Query:
`zoom_index` camera=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*") | rare camera limit=50 | `zoom_rare_video_devices_filter`
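As an added example (not one of the page's queries), the Python below mirrors the exclusion filter shared by all three searches and the `rare <field> limit=N` step, run over constructed Zoom device records; the user names and device strings are made up.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample Zoom device records (not from the page or from real logs).
ZOOM_EVENTS = [
    {"user": "alice", "camera": "FaceTime HD Camera", "microphone": "MacBook Pro Microphone", "speaker": "MacBook Pro Speakers"},
    {"user": "bob", "camera": "Integrated Webcam", "microphone": "Realtek(R) Audio", "speaker": "Realtek(R) Audio"},
    {"user": "carol", "camera": "Integrated Webcam", "microphone": "Realtek(R) Audio", "speaker": "Realtek(R) Audio"},
    {"user": "dave", "camera": "Integrated Webcam", "microphone": "Realtek(R) Audio", "speaker": "Realtek(R) Audio"},
    {"user": "erin", "camera": "Logi C920", "microphone": "Jabra Link 380", "speaker": "Jabra Link 380"},
    # Rare virtual camera, but the AirPods speaker matches the shared exclusion list,
    # so the whole event drops out of every search, including the camera search.
    {"user": "frank", "camera": "OBS Virtual Camera", "microphone": "VB-Audio Virtual Cable", "speaker": "AirPods Pro"},
    {"user": "grace", "camera": "OBS Virtual Camera", "microphone": "VB-Audio Virtual Cable", "speaker": "CABLE Input (VB-Audio)"},
    {"user": "heidi", "camera": "Integrated Webcam", "microphone": "Realtek(R) Audio", "speaker": "Realtek(R) Audio"},
]

# The NOT ( ... ) clause the three searches share, as field -> wildcard patterns.
EXCLUSIONS = {
    "camera": ["*iPhone*", "*FaceTime*", "*MacBook*"],
    "speaker": ["*AirPods*"],
    "microphone": ["*MacBook Pro Microphone*"],
}


def is_excluded(event):
    """True if any field matches any exclusion pattern (SPL wildcards are case-insensitive)."""
    return any(
        fnmatchcase(str(event[field]).lower(), pattern.lower())
        for field, patterns in EXCLUSIONS.items() if event.get(field)
        for pattern in patterns
    )


def rare_devices(events, field, limit=50):
    """Equivalent of `<field>=* NOT (...) | rare <field> limit=<limit>`.

    Returns (value, count, percent) rows, least common first, computed over
    events that carry the field and survive the exclusion list.
    """
    kept = [e for e in events if e.get(field) and not is_excluded(e)]
    counts = Counter(e[field] for e in kept)
    total = sum(counts.values())
    if not total:
        return []
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))  # rarest first
    return [(v, c, round(100.0 * c / total, 2)) for v, c in rows[:limit]]


def run_all(events, limit=50):
    """Run the speaker, microphone and camera searches, as the three rules do."""
    return {f: rare_devices(events, f, limit) for f in ("speaker", "microphone", "camera")}
```

Because the exclusion list spans all three fields, a record is dropped from every search when any one of its fields matches; the "frank" record shows a rare virtual camera that never reaches the camera search because of its AirPods speaker, so review the exclusion list per field before tuning it.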