Zoom Pro

With Zoom Pro, you can send reports and activities logs to InsightIDR to track and generate alerts based on user sign-in and sign-out activities. InsightIDR supports the Server-to-Server OAuth authentication method for this event source.

To set up this event source, you’ll need to:

1. Read Before you Begin and note any requirements.
2. Set up Zoom Pro in InsightIDR.
3. Verify the configuration works.

Before You Begin

• Verify that you have a license for Zoom Pro.
• Set the Zoom Pro User Management permissions to:
  • Reports > Usage Reports > View > Enabled
  • Reports > Sign In/Sign Out > View > Enabled
  • Zoom for developers > View + Edit > Enabled
• Enable permissions for a Server-to-Server OAuth app. View the instructions at: https://developers.zoom.us/docs/internal-apps/#enable-permissions.
• Create a Server-to-Server OAuth app and obtain the app credentials: Account ID, Client ID, and Client Secret. View the instructions at https://developers.zoom.us/docs/internal-apps/#create-a-server-to-server-oauth-app.
• Assign the OAuth app the scope to view report data; report:read:admin. Learn more at: https://developers.zoom.us/docs/integrations/oauth-scopes/#reportreadadmin.
• Read our documentation on how to manage credentials.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
2. Do one of the following:
   • Search for Zoom in the event sources search bar.
   • In the Product Type filter, select Cloud Service.
3. Select the Zoom event source tile.
4. From the Select Event Source Type dropdown menu, select Zoom.
5. Name the event source, for example "Zoom".
6. Select a collector.
7. Select your LDAP account attribution preference.
8. From the Authentication Method dropdown menu, select Server-to-Server OAuth.
9. In the Account ID field, enter your Zoom Account ID.
10. In the Credential field, select Create new:
    • Enter a name, for example "Zoom Login".
    • In the Client ID field, enter the Zoom Client ID.
    • In the Client Secret field, enter the Zoom Client Secret.
11. Click Save.

Update the Authentication App

If you are updating your authentication app from JWT to Server-to-Server OAuth, you must complete these prerequisite steps in your Zoom account:

• Set the Zoom Pro User Management permissions to:
  • Reports > Usage Reports > View > Enabled
  • Reports > Sign In/Sign Out > View > Enabled
  • Zoom for developers > View + Edit > Enabled
• Enable permissions for a Server-to-Server OAuth app. View the instructions at: https://developers.zoom.us/docs/internal-apps/#enable-permissions.
• Create a Server-to-Server OAuth app and obtain the app credentials: Account ID, Client ID, and Client Secret. View instructions at: https://developers.zoom.us/docs/internal-apps/#create-a-server-to-server-oauth-app .
• Assign the OAuth app the scope to view report data "report:read:admin". Learn more at: https://developers.zoom.us/docs/integrations/oauth-scopes/#reportreadadmin .

To change your authentication app from JWT to Server-to-Server OAuth in InsightIDR:

1. From the left menu, go to Data Collection.
2. From the Event Sources tab, find the Zoom event source.
3. Click Edit.
4. From the Authentication Method dropdown, select Server-to-Server OAuth.
5. Either update your Zoom credentials or optionally, in the Credential field, select Create new.
   • Enter a name, for example "Zoom Login".
   • In the Client ID field, enter the Zoom Client ID.
   • In the Client Secret field, enter the Zoom Client Secret.
6. Click Save.

Verify the Configuration

After the event source setup is complete, you can view your logs and ensure events are making it to the Collector.

To verify the event source is working:

1. From the Event Sources tab, find the event source that you created.
2. Click View Raw Log. If you see log messages in the box, then this demonstrates that logs are flowing to the Collector.
3. From the left menu, select Log Search.
4. Select the Ingress Authentication log set and select the new log, for example "Zoom".

Sample Sign In Log

json
1
{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Sample Sign Out Log

json
1
{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Troubleshooting

If you do not see logs in InsightIDR as expected, be aware that ingress authentication events are specific to authentication activity that is initiated outside your organization’s internal network. Authentication activity that is initiated inside the internal network will not appear in the Ingress Authentication log set.

1. From the left menu, go to Data Collection.
2. Select the Event Sources tab and then find the Zoom event source.
3. Click View Raw Log. If no data appears in the box, then no events have been collected by InsightIDR. You may need to generate some events in the Zoom application.
4. Look in the Collector’s collector.log diagnostic log for errors. This log file will be located on the hard drive of the collector machine in the same folder where the collector software is installed.