Zoom Pro

Configure Server-to-Server OAuth app authentication

On October 1, 2023, Zoom is deprecating JWT app authentication for their API. InsightIDR now supports Server-to-Server OAuth app authentication with Zoom Pro. We recommend that you reconfigure your authentication method at the earliest available opportunity to ensure continued ingestion of Zoom log data. Read more about updating the authentication app.

With Zoom Pro, you can send report and activity logs to InsightIDR to track and generate detections based on user sign-in and sign-out activities. InsightIDR supports the Server-to-Server OAuth authentication method for this event source.

After this event source is configured, Zoom login events appear in the Ingress Authentication log set in Log Search.

There are two ways to send data from your Zoom account to InsightIDR: event collection through the Cloud or through an on-premises Rapid7 Collector.

Cloud event sources are being phased in from December 2023

InsightIDR is adding cloud event collection capabilities to a select number of supported event sources; this one is included. This will be a phased release, so if your environment is not yet displaying the Run on Cloud option, please be patient; your environment will update shortly.

To set up the Zoom event source, complete these steps:

  1. Read the requirements and complete the prerequisite steps.
  2. Configure Zoom to send data to InsightIDR.
  3. Configure InsightIDR to receive data from the event source.
  4. Test the configuration.

You can also:

Requirements

Before you start the configuration:

Configure Zoom to send data to InsightIDR

To allow InsightIDR to receive data from Zoom, you must configure specific permissions and create an OAuth app in your Zoom Pro account.

  1. Log in to your Zoom Pro account and go to User Management.
  2. Update these user permissions:
    • Reports > Usage Reports > View > Enabled
    • Reports > Sign In/Sign Out > View > Enabled
    • Zoom for developers > View + Edit > Enabled
  3. Enable permissions for a Server-to-Server OAuth app. View the instructions at: https://developers.zoom.us/docs/internal-apps/#enable-permissions.
  4. Create a Server-to-Server OAuth app and record the app credentials: Client ID, Account ID, and Client Secret. View the instructions at: https://developers.zoom.us/docs/internal-apps/#create-a-server-to-server-oauth-app.
  5. Assign the OAuth app the scope report:read:admin. View the instructions at: https://developers.zoom.us/docs/integrations/oauth-scopes/#reportreadadmin.

Configure InsightIDR to receive data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select Zoom

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Zoom in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Zoom event source tile.

Task 2: Set up your collection method

There are two methods of collecting data from Zoom: through a cloud connection or through a collector.

New credentials are required for cloud event sources

You cannot reuse existing on-premises credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name defaults to Zoom.
  3. Select your LDAP Account Attribution preference:
    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  4. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  5. Click Add a New Connection.
  6. In the Create a Cloud Connection screen, enter a name for the new connection.
  7. In the Client ID field, enter the Zoom Client ID you obtained in Configure Zoom to send data to InsightIDR.
  8. In the Account ID field, enter the Zoom Account ID you obtained in Configure Zoom to send data to InsightIDR.
  9. In the OAuth Authentication Retry Limit field, enter how many times InsightIDR should attempt to generate a new token in Zoom before failing.
  10. In the Client Secret field, add a new credential:
    • Name your credential.
    • Describe your credential.
    • Select the credential type.
    • Enter the Client Secret that you obtained in Configure Zoom to send data to InsightIDR.
    • Specify the product access for this credential.
  11. Click Save Connection.
  12. Click Save.

Use the Collector method

  1. In the Add Event Source panel, select Run On Collector.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name defaults to Zoom.
  3. Select a collector.
  4. Select your LDAP Account Attribution preference:
    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  5. From the Authentication Method dropdown menu, select Server-to-Server OAuth.
  6. In the Account ID field, enter your Zoom Account ID.
  7. In the Credential field, select Create new:
    • Enter a name, for example "Zoom Login".
    • In the Client ID field, enter the Zoom Client ID.
    • In the Client Secret field, enter the Zoom Client Secret.
  8. Click Save.

Update the Authentication App

If you are updating your authentication app from JWT to Server-to-Server OAuth, you must complete these steps in your Zoom account:

  1. Log in to your Zoom Pro account and go to User Management.
  2. Update these user permissions:
    • Reports > Usage Reports > View > Enabled
    • Reports > Sign In/Sign Out > View > Enabled
    • Zoom for developers > View + Edit > Enabled
  3. Enable permissions for a Server-to-Server OAuth app. View the instructions at: https://developers.zoom.us/docs/internal-apps/#enable-permissions.
  4. Create a Server-to-Server OAuth app and record the app credentials: Account ID, Client ID, and Client Secret. View the instructions at: https://developers.zoom.us/docs/internal-apps/#create-a-server-to-server-oauth-app.
  5. Assign the OAuth app the scope report:read:admin. View the instructions at: https://developers.zoom.us/docs/integrations/oauth-scopes/#reportreadadmin.
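
The Zoom-side steps above (and the identical steps under Configure Zoom to send data to InsightIDR) end with three credentials and one scope. As an added example that is not Rapid7 or Zoom code, this pre-flight check builds the token request for those credentials and reviews the scopes in the response, so an over-scoped app is caught before its secret is stored in InsightIDR. The token endpoint and `account_credentials` grant type are assumptions taken from Zoom's Server-to-Server OAuth documentation, and the sample response is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed from Zoom's Server-to-Server OAuth docs; confirm against the links above.
TOKEN_URL = "https://zoom.us/oauth/token"
REQUIRED_SCOPE = "report:read:admin"  # the scope this page tells you to assign


def build_token_request(account_id, client_id, client_secret):
    """Build (but do not send) the account_credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "account_credentials", "account_id": account_id}
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers=headers)


def fetch_token(request, timeout=10):
    """Send the request; urllib raises HTTPError if Zoom rejects the credentials."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


def review_scopes(token_response):
    """Return (required_scope_present, extra_scopes) for a token response dict."""
    granted = set(token_response.get("scope", "").split())
    return REQUIRED_SCOPE in granted, sorted(granted - {REQUIRED_SCOPE})


# Constructed sample response: an app that was granted more than this page requires.
SAMPLE_RESPONSE = {
    "access_token": "<redacted>",
    "token_type": "bearer",
    "expires_in": 3599,
    "scope": "report:read:admin user:read:admin",
}
```

Against a live account, pass the result of `build_token_request(...)` to `fetch_token` and then to `review_scopes`; any entry in the second return value is a scope the event source does not need.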

To change your authentication app from JWT to Server-to-Server OAuth in InsightIDR:

  1. From the left menu, go to Data Collection.
  2. From the Event Sources tab, find the Zoom event source.
  3. Click Edit.
  4. From the Authentication Method dropdown, select Server-to-Server OAuth.
  5. Either update your Zoom credentials or, optionally, select Create new in the Credential field:
    • Enter a name, for example "Zoom Login".
    • In the Client ID field, enter the Zoom Client ID.
    • In the Client Secret field, enter the Zoom Client Secret.
  6. Click Save.

Test the configuration

The event type that InsightIDR parses for this event source is Ingress Authentication.

To test that event data is flowing into InsightIDR:

  1. View the raw logs.
    • From the Data Collection Management page, click the Event Sources tab.
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to InsightIDR.
  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
    • From the left menu, go to Log Search.
    • In the Log Search filter, search for the new event source you created.
    • Select the log sets and the log names under each log set. Zoom logs flow into the Ingress Authentication log set.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Ingress Authentication log set.

To help you visualize the event logs that this event source generates, here are some sample logs:

Sample Sign In Log

{"email":"user@rapid7.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}

Sample Sign Out Log

{"email":"user@rapid7.com","time":"2020-05-14T11:31:07Z","type":"Sign out","ip_address":"123.45.67.89","client_type":"Browser","version":"-"}
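
To show what these fields support, the following added example (not InsightIDR's own detection logic) parses events in the sample-log shape, applies short name attribution as described for the LDAP Account Attribution setting, and flags a user whose consecutive sign-ins arrive from different IP addresses within a time window. The events, the 15-minute default window, and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed events in the shape of the sample logs (documentation IP ranges).
RAW_EVENTS = """\
{"email":"jsmith@myorg.example.com","time":"2020-05-06T09:51:36Z","type":"Sign in","ip_address":"192.0.2.10","client_type":"Browser","version":"-"}
{"email":"jsmith@myorg.example.com","time":"2020-05-06T09:58:02Z","type":"Sign in","ip_address":"198.51.100.7","client_type":"Browser","version":"-"}
{"email":"adoe@myorg.example.com","time":"2020-05-06T10:00:00Z","type":"Sign in","ip_address":"203.0.113.5","client_type":"Browser","version":"-"}
{"email":"adoe@myorg.example.com","time":"2020-05-06T10:30:00Z","type":"Sign out","ip_address":"203.0.113.5","client_type":"Browser","version":"-"}
not-json
"""


def short_name(email):
    """Short name attribution: drop the domain suffix (jsmith@... -> jsmith)."""
    return email.split("@", 1)[0]


def parse_events(raw):
    """Yield (user, utc_time, type, ip) tuples, skipping malformed lines."""
    for line in raw.splitlines():
        try:
            e = json.loads(line)
            ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            yield short_name(e["email"]), ts, e["type"], e["ip_address"]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # not JSON, or a required field is missing or mistyped


def ip_change_alerts(raw, window_minutes=15):
    """Flag consecutive sign-ins by one user from different IPs within the window."""
    window = timedelta(minutes=window_minutes)
    last_seen, alerts = {}, []
    for user, ts, kind, ip in sorted(parse_events(raw), key=lambda ev: ev[1]):
        if kind != "Sign in":
            continue
        prev = last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            gap = int((ts - prev[0]).total_seconds())
            alerts.append((user, prev[1], ip, gap))
        last_seen[user] = (ts, ip)
    return alerts
```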

Troubleshoot common issues

If you experience issues with the Zoom event source, try the solutions provided in this section.

If you do not see logs in InsightIDR as expected, be aware that ingress authentication events are specific to authentication activity that is initiated outside your organization’s internal network. Authentication activity that is initiated inside the internal network will not appear in the Ingress Authentication log set.

To test for this issue:

  1. From the left menu, go to Data Collection.
  2. Select the Event Sources tab and then find the Zoom event source.
  3. Click View Raw Log. If no data appears in the box, then no events have been collected by InsightIDR. You may need to generate some events in the Zoom application.
  4. If you used the Collector method, look in the Collector’s collector.log diagnostic log for errors. This log file will be located on the hard drive of the collector machine in the same folder where the collector software is installed.