Zoom Rare Input Devices

Splunk Security Content

Summary
The 'Zoom Rare Input Devices' detection identifies unusual input devices used in Zoom sessions. It is intended for monitoring Remote Employment Fraud (REF), where a fraudulent worker's audio and video hardware often differs from what the organization's employees typically use. The search examines Zoom logs, focusing on the microphone field, excludes commonly used devices such as iPhones, FaceTime cameras, AirPods and MacBook microphones, and returns the 50 rarest remaining microphone names. Devices that fall outside the expected pattern are surfaced for review; the results should be reviewed regularly so that analysts build a baseline of which devices are normal in their environment and can recognise deviations from it. Implementation requires Zoom logs to be ingested into Splunk. The detection is experimental and intended for hunting rather than alerting: the query is tuned to highlight rare devices, and a rare device is not by itself evidence of malicious intent, so false positives should be expected.
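The rarity logic described above, as an added example written for this page: it is not Splunk's search and not the project's code. It runs the same three steps (select the microphone field, drop the common device families, rank the rest by how rarely they appear) over a handful of constructed records. The field names, the exclusion regex and the sample data are assumptions chosen for illustration.

```python
"""Toy re-implementation of the 'rare input device' hunt over Zoom-style
meeting records. Added example; not Splunk's own search. The field names
(user, microphone), the exclusion regex and the sample records are
assumptions made for this illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample records; these are not real Zoom log lines.
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "microphone": "MacBook Pro Microphone"},
    {"user": "alice@example.com", "microphone": "AirPods Pro"},
    {"user": "bob@example.com", "microphone": "iPhone Microphone"},
    {"user": "bob@example.com", "microphone": "MacBook Air Microphone"},
    {"user": "carol@example.com", "microphone": "FaceTime HD Camera (Built-in)"},
    {"user": "dave@example.com", "microphone": "Virtual Audio Cable"},
    {"user": "dave@example.com", "microphone": "Virtual Audio Cable"},
    {"user": "erin@example.com", "microphone": "USB Audio Device"},
    {"user": "frank@example.com", "microphone": "USB Audio Device"},
    {"user": "grace@example.com", "microphone": "Blue Yeti"},
    {"user": "heidi@example.com", "microphone": "Logitech BRIO"},
]

# Device families the page describes as routine (iPhones, FaceTime
# cameras, AirPods, MacBook microphones). The pattern is an assumption;
# tune it to whatever is common in your own environment.
COMMON_DEVICE_RE = re.compile(r"iPhone|FaceTime|AirPods|MacBook", re.IGNORECASE)


def rare_microphones(records, limit=50):
    """Return the `limit` least-used microphone names after dropping the
    common device families. Each result is (device, count, sorted users).
    Ties are broken by device name so the output is deterministic."""
    counts = Counter()
    users = defaultdict(set)
    for rec in records:
        mic = rec.get("microphone")
        if not mic or COMMON_DEVICE_RE.search(mic):
            continue
        counts[mic] += 1
        users[mic].add(rec["user"])
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(mic, n, sorted(users[mic])) for mic, n in ranked[:limit]]


if __name__ == "__main__":
    for device, n, who in rare_microphones(SAMPLE_RECORDS):
        print(f"{n:3d}  {device:<22}  {', '.join(who)}")
```

Note what the ranking does and does not tell you: it is rarity across the whole dataset, not a per-user anomaly. A device that appears only once because a single employee bought a new headset ranks exactly as high as one first seen in a new hire's onboarding call, so the user list attached to each device is the part an analyst should read before escalating.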
Categories
  • Identity Management
  • Web
  • Application
Data Sources
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1123 (Audio Capture)
Created: 2025-06-02