
Zoom Rare Input Devices

Detects rare input devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.

MITRE ATT&CK

T1123
Detection Query

`zoom_index` microphone=* NOT (camera="*iPhone*" OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
  | rare microphone limit=50
  | `zoom_rare_input_devices_filter`
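To see what the search above actually surfaces, here is an added Python emulation of its logic (not part of the ESCU content, and not Splunk's `rare` implementation) run over constructed Zoom session records: it keeps events that carry a microphone field, drops any that match the `NOT (...)` exclusions using Splunk-style case-insensitive wildcard matching, and then ranks the remaining microphone values least-common first with count and percent, as `rare microphone limit=N` would. The record field names and the `zoom_rare_input_devices_filter` macro's behaviour (assumed to be a no-op here) are assumptions.

```python
import re
from collections import Counter

# Constructed sample Zoom client-session records; not real Zoom log data.
SAMPLE_EVENTS = [
    {"user": "a@corp.example", "microphone": "MacBook Pro Microphone", "camera": "FaceTime HD Camera", "speaker": "MacBook Pro Speakers"},
    {"user": "b@corp.example", "microphone": "AirPods Pro", "camera": "FaceTime HD Camera", "speaker": "AirPods Pro"},
    {"user": "c@corp.example", "microphone": "Jabra Evolve2 65", "camera": "Logitech BRIO", "speaker": "Jabra Evolve2 65"},
    {"user": "d@corp.example", "microphone": "Jabra Evolve2 65", "camera": "Logitech BRIO", "speaker": "Jabra Evolve2 65"},
    {"user": "e@corp.example", "microphone": "USB Audio Device", "camera": "USB Video Device", "speaker": "USB Audio Device"},
    {"user": "f@corp.example", "microphone": "iphone Microphone", "camera": "iphone", "speaker": "iPhone"},
    {"user": "g@corp.example", "camera": "Logitech C920", "speaker": "Speakers"},  # no microphone field
]

# The (field, wildcard) pairs inside the search's NOT (...) clause.
EXCLUSIONS = [
    ("camera", "*iPhone*"),
    ("camera", "*FaceTime*"),
    ("speaker", "*AirPods*"),
    ("camera", "*MacBook*"),
    ("microphone", "*MacBook Pro Microphone*"),
]

def splunk_match(value, pattern):
    """Approximate Splunk field=value matching: '*' matches any run of
    characters and the comparison is case-insensitive; a missing field never matches."""
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def rare_microphones(events, limit=50):
    """Emulate the SPL: require microphone=*, drop events matching any exclusion,
    then rank microphone values least-common first with count and percent of
    the filtered set (the `rare` command's output shape)."""
    kept = [e for e in events if e.get("microphone") is not None
            and not any(splunk_match(e.get(f), p) for f, p in EXCLUSIONS)]
    counts = Counter(e["microphone"] for e in kept)
    total = len(kept)
    rows = [{"microphone": mic, "count": n, "percent": round(100.0 * n / total, 6)}
            for mic, n in counts.items()]
    rows.sort(key=lambda r: (r["count"], r["microphone"]))
    return rows[:limit]

if __name__ == "__main__":
    for row in rare_microphones(SAMPLE_EVENTS):
        print(row)
```

Events using the excluded Apple devices and the iPhone user (matched case-insensitively) fall out, so only the Jabra and USB Audio Device sessions remain, with the single USB device ranked first as the rarest.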

Author

Marissa Bower, Raven Tait

Created

2026-02-25

Tags

Remote Employment Fraud
Raw Content
name: Zoom Rare Input Devices
id: d290eeef-d05e-49a8-b598-72296023b87b
version: 2
date: '2026-02-25'
author: Marissa Bower, Raven Tait
status: experimental
type: Hunting
description: Detects rare input devices from Zoom logs. Actors performing Remote Employment Fraud (REF) typically use unusual device information compared to a majority of employees. Detecting this activity requires careful analysis, regular review, and a thorough understanding of the audio and video devices commonly used within your environment.
data_source: []
search: |-
    `zoom_index` microphone=* NOT (camera="*iPhone*" OR camera="*FaceTime*" OR speaker="*AirPods*" OR camera="*MacBook*" OR microphone="*MacBook Pro Microphone*")
      | rare microphone limit=50
      | `zoom_rare_input_devices_filter`
how_to_implement: This analytic requires Zoom logs to be ingested using Splunk Connect for Zoom (https://splunkbase.splunk.com/app/4961).
known_false_positives: This is a hunting query meant to identify rare microphone devices.
tags:
    analytic_story:
        - Remote Employment Fraud
    asset_type: Identity
    mitre_attack_id:
        - T1123
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity