Zoom Pro

With Zoom Pro, you can send reports and activities logs to InsightIDR to track and generate alerts based on user sign-in and sign-out activities. InsightIDR supports the JSON Web Tokens (JWT) authentication method for this event source.

To set up this event source, you’ll need to:

  1. Read Before you Begin and note any requirements.
  2. Set up Zoom Pro in InsightIDR.
  3. Verify the configuration works.

Before You Begin

Set Up Zoom Pro in InsightIDR

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
  4. Select your collector and Zoom from the event source dropdown.
  5. Name your event source.
  6. Select your LDAP account attribution preference.
  7. Your Authentication Method is automatically selected.
  8. Select your Zoom credentials or optionally create a new credential.
  9. Enter the name associated with your JWT app.
  10. Enter your API Key for your JWT app.
  11. Enter the API Secret for your JWT app.
  12. Click Save.

Verify the Configuration

Complete the following steps to view your logs and ensure events are making it to the Collector. On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector. Next, click Log Search in the left menu. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Zoom Pro” if you did not name the event source. Zoom Pro logs flow into the Ingress Authentication log set.

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Sign In Log

json
1
{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Sample Sign Out Log

json
1
{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Troubleshooting

If you do not see logs coming into InsightIDR as expected, note that ingress authentication events are specific to authentication activity that is initiated outside your organization’s internal network. Authentication activity that is initiated inside the internal network will not be in the Ingress Authentication log set.

  1. From the InsightIDR left menu, click Data Collection.
  2. Click the Event Sources tab. and then look for the Zoom event source in the list.
  3. Click View Raw Log. If no data appears in the box, then no events have been collected by InsightIDR. You may need to generate some events in the Zoom application.
  4. Look in the collector’s collector.log diagnostic log for errors. This log file will be located on the hard drive of the collector machine in the same folder where the collector software is installed.