
Summary
This detection rule identifies rare video devices in Zoom logs to highlight potential Remote Employment Fraud (REF) activity. REF actors typically present device information that deviates from the standard profiles of legitimate employees. By running a search over the Zoom index, the rule filters camera data and excludes commonly used devices such as iPhones, MacBooks, and AirPods. The rare function then limits the output to the 50 least frequently seen devices, making unusual patterns in device usage easier to spot. The detection depends on Zoom logs being ingested into Splunk through a properly configured integration. Regular review of the results and a firm understanding of the audio and video devices normally present in the environment are critical for effective detection.
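The following is an added example, not the rule's own SPL, that reproduces the detection logic in Python over constructed Zoom-style records: drop events whose camera name matches a common-device marker, count the remaining devices, and return the least frequent ones in ascending order, the way the Splunk `rare` command does. The field name `camera`, the substring markers used to recognise common devices, and the sample events are all assumptions for illustration; real Zoom field names depend on the add-on that ingests the logs.

```python
"""Added example (not the original rule's SPL): rare-video-device logic over
constructed Zoom-style records."""
from collections import Counter, defaultdict

# Hypothetical field name; the real name depends on the Zoom add-on in use.
CAMERA_FIELD = "camera"

# Substrings the rule treats as common devices and excludes (assumed matching).
COMMON_DEVICE_MARKERS = ("iphone", "macbook", "airpods")

# Constructed sample records standing in for events in the Zoom index.
SAMPLE_EVENTS = [
    {"user": "alice", "camera": "FaceTime HD Camera (MacBook Pro)"},
    {"user": "alice", "camera": "FaceTime HD Camera (MacBook Pro)"},
    {"user": "bob", "camera": "iPhone Camera"},
    {"user": "carol", "camera": "FaceTime HD Camera (MacBook Air)"},
    {"user": "dave", "camera": "OBS Virtual Camera"},
    {"user": "dave", "camera": "OBS Virtual Camera"},
    {"user": "dave", "camera": "OBS Virtual Camera"},
    {"user": "erin", "camera": "Snap Camera"},
    {"user": "frank", "camera": "Logitech BRIO"},
    {"user": "frank", "camera": "Logitech BRIO"},
    {"user": "grace", "camera": ""},  # event with no camera value
]


def is_common_device(name):
    """True when the device name contains one of the excluded markers."""
    lowered = name.lower()
    return any(marker in lowered for marker in COMMON_DEVICE_MARKERS)


def rare_devices(events, field=CAMERA_FIELD, limit=50):
    """Mimic `... | rare limit=50 <field>` after the exclusion filter.

    Returns a list of (device, count, percent) rows sorted by ascending count.
    Events with an empty field or a common device are dropped first, so the
    percent is relative to the filtered event set, as in the SPL pipeline.
    """
    counts = Counter()
    for event in events:
        name = event.get(field, "")
        if not name or is_common_device(name):
            continue
        counts[name] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(name, n, round(100.0 * n / total, 2)) for name, n in rows[:limit]]


def users_by_device(events, field=CAMERA_FIELD):
    """Triage helper: map each rare device back to the accounts that used it."""
    rare_names = {row[0] for row in rare_devices(events, field)}
    seen = defaultdict(set)
    for event in events:
        name = event.get(field, "")
        if name in rare_names:
            seen[name].add(event.get("user", "<unknown>"))
    return {name: sorted(users) for name, users in seen.items()}


if __name__ == "__main__":
    for device, count, percent in rare_devices(SAMPLE_EVENTS):
        print(f"{device!r:40} count={count} percent={percent}")
    print(users_by_device(SAMPLE_EVENTS))
```

With the constructed events, the three MacBook and iPhone records are excluded and the remaining devices are ranked with `Snap Camera` first, since it was seen only once; the `users_by_device` helper then shows which account to examine for each rare device, which is the step an analyst needs before deciding whether a device is genuinely anomalous for that user.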
Categories
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1123
Created: 2025-06-02