
Summary
The 'Zoom Rare Audio Devices' hunting rule detects anomalies in audio device usage among employees based on Zoom logs. Investigations into Remote Employment Fraud (REF) have shown that malicious actors often use audio devices that are uncommon or rarely seen compared with those of typical users. The rule therefore identifies audio devices that are reported infrequently in the Zoom environment after filtering out well-known devices such as iPhones, AirPods, and MacBook-related products. To implement this rule, Splunk Connect for Zoom should be used to ensure the relevant logs are ingested, so that the analytic can check the audio devices it identifies. By continually analyzing these logs, organizations can gain insight into potential fraudulent activity associated with unusual device usage.
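The following Python is an added illustration of the detection logic described above (drop well-known device families, then flag devices reported by very few distinct users); it is not the Splunk rule's own SPL and not part of this page. The event field names (`user_email`, `microphone`, `speaker`) and the sample records are constructed for the example and do not reflect the Splunk Connect for Zoom schema.

```python
import re
from collections import defaultdict

# Constructed sample events. Field names are assumptions for illustration only,
# not the field names produced by Splunk Connect for Zoom.
SAMPLE_EVENTS = [
    {"user_email": "alice@example.com", "microphone": "MacBook Pro Microphone", "speaker": "MacBook Pro Speakers"},
    {"user_email": "bob@example.com",   "microphone": "AirPods Pro",            "speaker": "AirPods Pro"},
    {"user_email": "carol@example.com", "microphone": "iPhone Microphone",      "speaker": "iPhone"},
    {"user_email": "dave@example.com",  "microphone": "Logi 4K Stream Edition", "speaker": "MacBook Air Speakers"},
    {"user_email": "erin@example.com",  "microphone": "Logi 4K Stream Edition", "speaker": "Logi 4K Stream Edition"},
    {"user_email": "frank@example.com", "microphone": "Logi 4K Stream Edition", "speaker": "Logi 4K Stream Edition"},
    {"user_email": "grace@example.com", "microphone": "USB Audio CODEC",        "speaker": "USB Audio CODEC"},
    {"user_email": "grace@example.com", "microphone": "USB Audio CODEC",        "speaker": "USB Audio CODEC"},
]

# Device families the page names as well-known and excluded from the hunt.
COMMON_DEVICE_PATTERN = re.compile(r"iPhone|AirPods|MacBook", re.IGNORECASE)


def rare_audio_devices(events, known=COMMON_DEVICE_PATTERN, max_users=1):
    """Return {device: [users]} for audio devices reported by at most
    `max_users` distinct users, after dropping devices matching `known`.

    Rarity is measured in distinct users rather than raw event count so a
    single employee joining many meetings does not make a device look common.
    """
    users_by_device = defaultdict(set)
    for ev in events:
        for field in ("microphone", "speaker"):
            device = (ev.get(field) or "").strip()
            if not device or known.search(device):
                continue
            users_by_device[device].add(ev["user_email"])
    return {
        device: sorted(users)
        for device, users in users_by_device.items()
        if len(users) <= max_users
    }


if __name__ == "__main__":
    # Expected: only "USB Audio CODEC" (one distinct user) is flagged;
    # "Logi 4K Stream Edition" is shared by three users and is not.
    for device, users in rare_audio_devices(SAMPLE_EVENTS).items():
        print(f"rare device: {device!r} used by {', '.join(users)}")
```

Raising `max_users` widens the net (a hunting analyst might start at 1 and tune upward); the regex for common devices is where an environment-specific allowlist of corporate-issued hardware would go.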
Categories
- Identity Management
- Endpoint
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1123
Created: 2025-06-02