Zoom is a widely used cloud-based platform for video and audio conferencing, webinars, meeting recordings, and more. Panther can collect, normalize, and monitor Zoom logs to help you identify abnormal activity within your Zoom account in real time. The normalized log data is retained in a security data lake backed by the cloud-native data platform Snowflake, where it powers future investigations.
Use Cases for Zoom Audit Logs
Zoom operation and activity logs record administrative activity in your company's Zoom account, in particular changes made by admins in the sections under Account Management, User Management, and Advanced. Because these settings control who can sign in and what they can do, changes to them are the audit events most worth watching. Common security use cases for Zoom logs include monitoring for:
- Changes to Account and Group settings
- Changes in role and license assignments for users
- Changes to subscriptions under Billing
- Changes made to SSO configuration, including changes to your SAML and SSO attribute-mapping configuration
Onboarding Zoom Logs in Panther
Panther fetches Zoom operation and activity logs by querying Zoom's API endpoints. Setting Zoom up in Panther takes a few steps: select Zoom from the list of log sources in the Panther console, create a new OAuth2 app in Zoom, and submit the app's credentials to Panther. Grant that app only the read-only report permissions it needs, since its credentials are what give Panther access to your account's audit data.
For more details on onboarding Zoom logs or for supported log schema, you can view our Zoom documentation here.
Parsing, Normalizing, & Analyzing
As Panther ingests Zoom logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.
Panther applies normalization fields to log records, standardizing attribute names (for example, the actor and source IP of an event) so you can correlate data across all of your log sources. Panther's search tools, such as Query Builder, Data Explorer, and Indicator Search, let you investigate your normalized logs for suspicious activity, or pivot from an indicator found in one source to the same user or IP in your Zoom logs. For more information on searching logs, check out our documentation on Investigations & Search.
Detection as Code
With Panther, you aren't confined to restrictive detections or proprietary query languages as seen in many SIEM solutions. Panther is built around detection-as-code principles: detection logic is written in Python, so it can live in version control, be reviewed and unit-tested, and be deployed through CI/CD pipelines like any other code. The result is powerful, flexible, and reusable detections that your security team can maintain the same way it maintains software.
Pre-built detections for Zoom are available in Panther, offering you the ability to immediately monitor for common IoCs and threats. You can explore our built-in detection coverage for Zoom logs here.
Panther generates an alert when a detection rule or policy for Zoom fires, and integrates with a variety of alert destinations so alerts can be managed where your team already works. Each alert carries the context the rule attaches to it, and alerts can also be routed to SOAR platforms for more remediation options.
Alerts are categorized by five severity levels: Info, Low, Medium, High, and Critical. A rule can assign severity statically or compute it dynamically from attributes of the triggering log event, so that, for example, an SSO configuration change is rated higher than a routine user-profile edit.
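The use cases listed under Use Cases for Zoom Audit Logs, the Python detection-as-code model, and the dynamic severity just described, combined in one added example. This is illustrative code written for this page, not one of Panther's packaged Zoom rules. It assumes Zoom operation-log events carry the fields returned by Zoom's operation-log report (`time`, `operator`, `category_type`, `action`, `operation_detail`); the category and action values, the SSO and role keyword matching, and the sample events are assumptions constructed for the example.

```python
"""Panther-style detection for Zoom operation logs.

Added example for this page, not a Panther-packaged rule. Field names follow
Zoom's operation-log report (time, operator, category_type, action,
operation_detail); category and action values and the keyword patterns are
assumptions made for the example.
"""
import re

# Admin areas the use cases above care about (assumed category_type values,
# compared case-insensitively).
SENSITIVE_CATEGORIES = {"account", "user", "user_settings", "role", "billing"}

# Actions that change state. Read-only actions (e.g. View, Export) are ignored.
CHANGE_ACTIONS = {"add", "update", "delete", "batch update", "batch delete"}

# Keyword heuristics over operation_detail (assumed wording).
SSO_PATTERN = re.compile(r"\b(sso|saml|single sign[- ]on)\b", re.IGNORECASE)
ROLE_PATTERN = re.compile(r"\b(role|licen[cs]e)\b", re.IGNORECASE)


def _field(event, name):
    """Normalize a string field; Panther's event object and a plain dict both support .get()."""
    return str(event.get(name, "") or "")


def rule(event):
    """Alert on state-changing admin operations in sensitive areas of the account."""
    category = _field(event, "category_type").lower()
    action = _field(event, "action").lower()
    return category in SENSITIVE_CATEGORIES and action in CHANGE_ACTIONS


def severity(event):
    """Dynamic severity: SSO/SAML edits outrank role, license and billing edits,
    which outrank routine user-profile edits."""
    category = _field(event, "category_type").lower()
    detail = _field(event, "operation_detail")
    if SSO_PATTERN.search(detail):
        return "HIGH"
    if category in {"role", "billing"} or ROLE_PATTERN.search(detail):
        return "MEDIUM"
    return "LOW"


def title(event):
    """Alert title that names the area, action, operator and what changed."""
    return (f"Zoom admin change [{_field(event, 'category_type')}/{_field(event, 'action')}] "
            f"by {_field(event, 'operator')}: {_field(event, 'operation_detail')}")


def dedup(event):
    """Group alerts per operator and category so a bulk change yields one alert."""
    return f"{_field(event, 'operator')}:{_field(event, 'category_type')}"


def alert_context(event):
    """Fields carried into the alert for triage and SOAR handoff."""
    return {k: _field(event, k)
            for k in ("time", "operator", "category_type", "action", "operation_detail")}


def run(events):
    """Apply the rule to a batch of events; return (severity, title) for each match."""
    return [(severity(e), title(e)) for e in events if rule(e)]


# Constructed sample events for this example, not real Zoom output.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T12:00:00Z", "operator": "admin@example.com",
     "category_type": "account", "action": "Update",
     "operation_detail": "Security: update SAML single sign-on settings"},
    {"time": "2024-05-01T12:01:00Z", "operator": "admin@example.com",
     "category_type": "role", "action": "Update",
     "operation_detail": "Assign role Admin to user alice@example.com"},
    {"time": "2024-05-01T12:02:00Z", "operator": "finance@example.com",
     "category_type": "billing", "action": "Update",
     "operation_detail": "Change subscription plan"},
    {"time": "2024-05-01T12:03:00Z", "operator": "helpdesk@example.com",
     "category_type": "user", "action": "Update",
     "operation_detail": "Update user bob@example.com - time zone"},
    {"time": "2024-05-01T12:04:00Z", "operator": "helpdesk@example.com",
     "category_type": "recording", "action": "Delete",
     "operation_detail": "Delete cloud recording"},
    {"time": "2024-05-01T12:05:00Z", "operator": "auditor@example.com",
     "category_type": "account", "action": "View",
     "operation_detail": "View account settings"},
]

if __name__ == "__main__":
    for sev, ttl in run(SAMPLE_EVENTS):
        print(sev, ttl)
```

Run stand-alone, the script reports four matches: the SAML change at HIGH, the role assignment and the billing change at MEDIUM, and the time-zone edit at LOW; the recording deletion and the read-only settings view are ignored. The `rule`, `title`, `severity`, `dedup` and `alert_context` function names follow the shape of a Panther Python rule, but the category and keyword lists are a starting point to be tuned against the actual operation_detail strings your account produces.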
If you have any questions about onboarding or monitoring Zoom logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or the in-app messenger.
You can view our documentation on configuring and monitoring Zoom logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Zoom logs.
The Ideal SIEM for Zoom
With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud app data, struggle with restrictive detection logic, or waste time and resources on operational overhead. Panther is built by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to meet today’s security needs.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. For a powerful, fast, and scalable SIEM solution for Zoom, request a demo today.