
Summary
This detection rule, named 'Zoom High Video Latency', identifies abnormally high video latency in Zoom logs that may indicate Remote Employment Fraud (REF). The rule analyzes Zoom participant quality of service (QoS) metrics, specifically video input latency. Using the average latency and overall latency fields of the Zoom QoS payload, it isolates instances where latency exceeds 300 ms, a threshold chosen as indicative of concern based on typical user experience. Because this kind of fraud can manifest as high latency in communications, the detection surfaces these anomalies as a preliminary indicator of fraudulent activity for further investigation. High latency can also arise from benign causes such as poor network conditions, so the rule is designed to be used together with other security indicators to form a holistic view of potential risk. Detailed results are available through the provided drilldown searches, scoped to individual email addresses, so that latency-related risk can be tracked for a specific user across investigations.
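As an added illustration, not the rule's own search logic, the following Python applies the same check to constructed Zoom participant QoS records: it normalises the video input average and overall latency values, flags anything above 300 ms, and leaves missing or empty values unflagged rather than treating them as zero. The record layout and field names (email, video_input, avg_latency, latency) are assumptions for this example.

```python
import re
from typing import Iterable, Optional

LATENCY_THRESHOLD_MS = 300  # the rule's threshold: values above this are flagged

# Constructed sample of Zoom participant QoS records. The field names
# (email, video_input, avg_latency, latency) are assumptions for this example.
SAMPLE_QOS_RECORDS = [
    {"email": "alice@example.com",
     "video_input": {"avg_latency": "85 ms", "latency": "120 ms"}},
    {"email": "bob@example.com",
     "video_input": {"avg_latency": "310 ms", "latency": "455 ms"}},
    {"email": "carol@example.com",
     "video_input": {"avg_latency": 290, "latency": "301 ms"}},
    {"email": "dave@example.com",
     "video_input": {"avg_latency": "", "latency": None}},  # no video data
    {"email": "bob@example.com",
     "video_input": {"avg_latency": "150 ms", "latency": "600 ms"}},
]

_NUMBER = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?)\s*(?:ms)?\s*$")


def parse_latency_ms(value) -> Optional[float]:
    """Normalise a latency value ('455 ms', '120', 290) to a float in ms.
    Missing, empty or unparseable values return None so they are never
    silently treated as 0 ms."""
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        m = _NUMBER.match(value)
        if m:
            return float(m.group(1))
    return None


def flag_high_latency(records: Iterable[dict],
                      threshold_ms: float = LATENCY_THRESHOLD_MS) -> list:
    """One finding per (participant, metric) whose video input latency
    exceeds the threshold; both average and overall latency are checked."""
    findings = []
    for rec in records:
        video = rec.get("video_input") or {}
        for metric in ("avg_latency", "latency"):
            value_ms = parse_latency_ms(video.get(metric))
            if value_ms is not None and value_ms > threshold_ms:
                findings.append({"email": rec.get("email"),
                                 "metric": metric, "value_ms": value_ms})
    return findings
```

Grouping the returned findings by email gives the per-user view that the rule's drilldown searches provide.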
Categories
- Application
- Identity Management
Data Sources
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2025-06-02