Zoom E2E Encryption Disabled
| Id | e4779bdc-397a-4b71-be28-59e6a1e1d16b |
| Rulename | Zoom E2E Encryption Disabled |
| Description | Alerts when end-to-end encryption (E2EE) for Zoom meetings is switched off through an account-level settings update (`account.settings_updated`). With E2EE off, meeting media is no longer protected from interception in transit, which is why the rule is mapped to T1040. |
| Severity | Medium |
| Tactics | CredentialAccess Discovery |
| Techniques | T1040 (Network Sniffing) |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/E2EEDisbaled.yaml |
| Version | 1.0.3 |
| Arm template | e4779bdc-397a-4b71-be28-59e6a1e1d16b.json |
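// Zoom account-level settings change: alert when in-meeting end-to-end
// encryption (E2EE) is switched OFF, matching the rule's name and description.
ZoomLogs
| where Event =~ "account.settings_updated"
// columnifexists() falls back to "" when the payload column is absent from the
// table, so the query does not fail when no event in the period carried the field.
| extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
| extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
// Old=true -> New=false is the "E2EE disabled" transition. The published query had
// the operands swapped (false -> true) and would only have fired when E2EE was ENABLED.
// NOTE(review): the `_b` suffix suggests a boolean-typed column; if so, `=~` against
// string literals may need tostring() around the settings values - confirm against the
// ZoomLogs parser before deploying.
| where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'
// Split the actor UPN into the name/suffix parts expected by the Account entity mapping.
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])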
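# Microsoft Sentinel scheduled analytics rule (community tier).
# Intent, per name/description: fire when end-to-end encryption (E2EE) for Zoom
# meetings is turned OFF via an account-level settings update.
# Keys are grouped in the order used by the Azure-Sentinel Detections/ folder.
id: e4779bdc-397a-4b71-be28-59e6a1e1d16b
name: Zoom E2E Encryption Disabled
# The single quotes sit inside a block scalar and are therefore part of the
# displayed text (kept as published).
description: |
  'This alerts when end to end encryption is disabled for Zoom meetings.'
severity: Medium
# No connector is declared; the rule relies on the ZoomLogs table/parser being present.
requiredDataConnectors: []
# Runs once a day over the last day; any matching row (gt 0) raises an alert.
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - Discovery
relevantTechniques:
  - T1040
# KQL below uses // comments only: a YAML '#' inside the block scalar would become
# query text.
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  // columnifexists() falls back to "" when the payload column is absent from the table.
  | extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
  | extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
  // Old=true -> New=false is the "E2EE disabled" transition. The published query had
  // the operands swapped (false -> true) and would only have fired when E2EE was ENABLED.
  // NOTE(review): the `_b` suffix suggests a boolean-typed column; if so, `=~` against
  // string literals may need tostring() - confirm against the ZoomLogs parser.
  | where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])
# The acting user is surfaced as an Account entity; AccountName/AccountUPNSuffix are
# produced by the final extend in the query.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
# NOTE(review): a query change should normally come with a version bump so deployed
# rules pick it up; left at the published value here to stay consistent with the
# rule metadata shown alongside this file.
version: 1.0.3
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/E2EEDisbaled.yaml
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains:
      - Security - Others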