Zoom Pro

Configure Server-to-Server OAuth app authentication

On October 1, 2023, Zoom is deprecating JWT app authentication for their API. InsightIDR now supports Server-to-Server OAuth app authentication with Zoom Pro. We recommend that you reconfigure your authentication method at the earliest available opportunity to ensure continued ingestion of Zoom log data. Read more about updating the authentication app.

With Zoom Pro, you can send report and activity logs to InsightIDR to track and generate alerts based on user sign-in and sign-out activities. InsightIDR supports the Server-to-Server OAuth authentication method for this event source.

To set up this event source, you’ll need to:

  1. Read Before You Begin and note any requirements.
  2. Set up Zoom Pro in InsightIDR.
  3. Verify the configuration works.

Before You Begin

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Zoom in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Zoom event source tile.
  4. From the Select Event Source Type dropdown menu, select Zoom.
  5. Name the event source, for example "Zoom".
  6. Select a collector.
  7. Select your LDAP account attribution preference.
  8. From the Authentication Method dropdown menu, select Server-to-Server OAuth.
  9. In the Account ID field, enter your Zoom Account ID.
  10. In the Credential field, select Create new:
    • Enter a name, for example "Zoom Login".
    • In the Client ID field, enter the Zoom Client ID.
    • In the Client Secret field, enter the Zoom Client Secret.
  11. Click Save.

Update the Authentication App

If you are updating your authentication app from JWT to Server-to-Server OAuth, you must complete these prerequisite steps in your Zoom account:

To change your authentication app from JWT to Server-to-Server OAuth in InsightIDR:

  1. From the left menu, go to Data Collection.
  2. From the Event Sources tab, find the Zoom event source.
  3. Click Edit.
  4. From the Authentication Method dropdown, select Server-to-Server OAuth.
  5. Either update your existing Zoom credentials or, in the Credential field, select Create new:
    • Enter a name, for example "Zoom Login".
    • In the Client ID field, enter the Zoom Client ID.
    • In the Client Secret field, enter the Zoom Client Secret.
  6. Click Save.

Verify the Configuration

After the event source setup is complete, you can view your logs and ensure events are making it to the Collector.

To verify the event source is working:

  1. From the Event Sources tab, find the event source that you created.
  2. Click View Raw Log. If you see log messages in the box, logs are flowing to the Collector.
  3. From the left menu, select Log Search.
  4. Select the Ingress Authentication log set and select the new log, for example "Zoom".

Note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but still see none in Log Search after waiting a few minutes, then your logs do not match the recommended format and type for this event source.

Sample Sign In Log

{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Sample Sign Out Log

{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}
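When View Raw Log shows data but Log Search stays empty, a quick check of the raw lines against the shape of the two sample logs above can narrow down what differs. The script below is an added example, not Rapid7 code. It assumes that the fields and event types in the samples are the expected ones, and the function name check_raw_log and the last two input lines are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

# Assumption: expected fields and event types are taken from the two sample logs on this page.
EXPECTED_FIELDS = ("email", "time", "type", "ip_address", "client_type", "version")
EXPECTED_TYPES = {"Sign in", "Sign out"}


def check_raw_log(line):
    """Return a list of problems in one raw log line (empty list = matches the samples)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return ["top-level value is not a JSON object"]

    problems = [f"missing field: {name}" for name in EXPECTED_FIELDS if name not in event]

    if "time" in event:
        try:
            datetime.strptime(str(event["time"]), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append(f"time is not YYYY-MM-DDTHH:MM:SSZ: {event['time']!r}")
    if "type" in event and event["type"] not in EXPECTED_TYPES:
        problems.append(f"unexpected type: {event['type']!r}")
    if "ip_address" in event:
        try:
            ipaddress.ip_address(str(event["ip_address"]))
        except ValueError:
            problems.append(f"ip_address is not an IP address: {event['ip_address']!r}")
    if "email" in event and "@" not in str(event["email"]):
        problems.append(f"email has no '@': {event['email']!r}")
    return problems


# First two lines are the samples from this page; the last two are constructed failures.
RAW_LINES = [
    '{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}',
    '{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}',
    '{"email":"user@example.com","time":"05/06/2020 09:51","type":"Sign in","client_type":"Browser","version":"-"}',
    '{"email":"user@example.com","time":"2020-05-06T09:51:36Z","type":"Sign in"',
]

if __name__ == "__main__":
    for number, raw in enumerate(RAW_LINES, start=1):
        found = check_raw_log(raw)
        print(f"line {number}: {'OK' if not found else '; '.join(found)}")
```

To check your own data, replace the entries in RAW_LINES with lines copied from View Raw Log.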

Troubleshooting

If you do not see logs in InsightIDR as expected, be aware that ingress authentication events are specific to authentication activity that is initiated outside your organization’s internal network. Authentication activity that is initiated inside the internal network will not appear in the Ingress Authentication log set.

  1. From the left menu, go to Data Collection.
  2. Select the Event Sources tab and then find the Zoom event source.
  3. Click View Raw Log. If no data appears in the box, then no events have been collected by InsightIDR. You may need to generate some events in the Zoom application.
  4. Look in the Collector’s collector.log diagnostic log for errors. This log file will be located on the hard drive of the collector machine in the same folder where the collector software is installed.