Zoom Pro

With Zoom Pro, you can send reports and activities logs to InsightIDR to track and generate alerts based on user sign-in and sign-out activities. InsightIDR supports the JSON Web Tokens (JWT) authentication method for this event source.

To set up this event source, you’ll need to:

  1. Read Before you Begin and note any requirements.
  2. Set up Zoom Pro in InsightIDR.
  3. Verify the configuration works.

Before You Begin

Set Up Zoom Pro in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Cloud Service section, click the Zoom icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can edit the Display Name of your event source if you want.
  5. Select the Credential dropdown menu, and select Create New from the options.
  6. Name your credential, and enter the API Key and API Secret for your JWT app.
  7. Click Save.

Verify the Configuration

Complete the following steps to view your logs and ensure events are making it to the Collector. On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector. Next, click Log Search in the left menu. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Zoom Pro” if you did not name the event source. Zoom Pro logs flow into the Ingress Authentication log set.

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Sign In Log

json
1
{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Sample Sign Out Log

json
1
{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Troubleshooting

If you do not see logs coming into InsightIDR as expected, note that ingress authentication events are specific to authentication activity that is initiated outside your organization’s internal network. Authentication activity that is initiated inside the internal network will not be in the Ingress Authentication log set.

  1. From the InsightIDR left menu, click Data Collection.
  2. Click the Event Sources tab. and then look for the Zoom event source in the list.
  3. Click View Raw Log. If no data appears in the box, then no events have been collected by InsightIDR. You may need to generate some events in the Zoom application.
  4. Look in the collector’s collector.log diagnostic log for errors. This log file will be located on the hard drive of the collector machine in the same folder where the collector software is installed.