Hunting
Zoom Rare Video Devices
Detects rare video devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
MITRE ATT&CK
T1123
Detection Query
`zoom_index` camera=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
| rare camera limit=50
| `zoom_rare_video_devices_filter`
Author
Marissa Bower, Raven Tait
Created
2026-02-25
Tags
Remote Employment Fraud
Raw Content
name: Zoom Rare Video Devices
id: 9b2b819d-c76b-4dc6-bd3d-148edb8de83e
version: 2
date: '2026-02-25'
author: Marissa Bower, Raven Tait
status: experimental
type: Hunting
description: Detects rare video devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
data_source: []
search: |-
`zoom_index` camera=* NOT (camera=*iPhone* OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
| rare camera limit=50
| `zoom_rare_video_devices_filter`
how_to_implement: This analytic requires Zoom logs ingested with Splunk Connect for Zoom (https://splunkbase.splunk.com/app/4961)
known_false_positives: This is a hunting query meant to identify rare video devices.
tags:
analytic_story:
- Remote Employment Fraud
asset_type: Identity
mitre_attack_id:
- T1123
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: identity
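As an added illustration (not part of the ESCU content or the Splunk app), the following Python reimplements the exclusion and rarity logic of the search above over constructed sample Zoom device records, so you can see which events `camera=* NOT (...)` drops and what `rare camera` would rank. The field names, sample values and the assumption that Splunk field-value matches are case-insensitive are mine.

```python
import fnmatch
from collections import Counter

# Constructed sample Zoom device records (not real log data). The field names
# mirror the camera/microphone/speaker fields the search keys on.
SAMPLE_EVENTS = [
    {"user": "alice", "camera": "FaceTime HD Camera", "microphone": "MacBook Pro Microphone", "speaker": "MacBook Pro Speakers"},
    {"user": "bob", "camera": "iPhone Camera", "microphone": "iPhone Microphone", "speaker": "AirPods Pro"},
    {"user": "carol", "camera": "FaceTime HD Camera", "microphone": "MacBook Pro Microphone", "speaker": "MacBook Pro Speakers"},
    {"user": "dave", "camera": "OBS Virtual Camera", "microphone": "USB Audio Device", "speaker": "USB Audio Device"},
    {"user": "erin", "camera": "Logitech BRIO", "microphone": "Logitech BRIO", "speaker": "Realtek Audio"},
    {"user": "frank", "camera": "OBS Virtual Camera", "microphone": "USB Audio Device", "speaker": "USB Audio Device"},
    {"user": "grace", "camera": "", "microphone": "MacBook Pro Microphone", "speaker": "AirPods"},  # fails camera=*
]

# The NOT (...) clauses of the search as (field, wildcard) pairs. Splunk field
# matching is case-insensitive (assumption), so both sides are lowercased.
KNOWN_DEVICE_PATTERNS = [
    ("camera", "*iphone*"),
    ("camera", "*facetime*"),
    ("speaker", "*airpods*"),
    ("camera", "*macbook*"),
    ("microphone", "*macbook pro microphone*"),
]

def is_known_device(event):
    """True when any exclusion clause matches, i.e. the event is dropped by NOT (...)."""
    return any(fnmatch.fnmatchcase(event.get(field, "").lower(), pattern)
               for field, pattern in KNOWN_DEVICE_PATTERNS)

def rare_cameras(events, limit=50):
    """Mimic `camera=* NOT (...) | rare camera limit=N`: keep events that have a
    non-empty camera and are not excluded, then rank camera values least common first."""
    counts = Counter(e["camera"] for e in events
                     if e.get("camera") and not is_known_device(e))
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))  # count asc, name for ties
    return [{"camera": cam, "count": n, "percent": round(100.0 * n / total, 2)}
            for cam, n in ranked[:limit]]

if __name__ == "__main__":
    for row in rare_cameras(SAMPLE_EVENTS):
        print(row)
```

On the sample data only the OBS and Logitech cameras survive the exclusions; in a real environment the exclusion list is what needs tuning to your common devices before the rare tail is worth reviewing.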