Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Zoom E2E Encryption Disabled

Zoom E2E Encryption Disabled

Back
Ide4779bdc-397a-4b71-be28-59e6a1e1d16b
RulenameZoom E2E Encryption Disabled
DescriptionThis alerts when end to end encryption is disabled for Zoom meetings.
SeverityMedium
TacticsCredentialAccess
Discovery
TechniquesT1040
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/E2EEDisbaled.yaml
Version1.0.3
Arm templatee4779bdc-397a-4b71-be28-59e6a1e1d16b.json
Deploy To Azure
ZoomLogs
| where Event =~ "account.settings_updated"
| extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
| extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])

triggerThreshold: 0
requiredDataConnectors: []
severity: Medium
queryFrequency: 1d
id: e4779bdc-397a-4b71-be28-59e6a1e1d16b
relevantTechniques:
- T1040
queryPeriod: 1d
name: Zoom E2E Encryption Disabled
kind: Scheduled
tactics:
- CredentialAccess
- Discovery
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
description: |
    'This alerts when end to end encryption is disabled for Zoom meetings.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/E2EEDisbaled.yaml
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  | extend NewE2ESetting = columnifexists("payload_object_settings_in_meeting_e2e_encryption_b", "")
  | extend OldE2ESetting = columnifexists("payload_old_object_settings_in_meeting_e2e_encryption_b", "")
  | where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])  
metadata:
  categories:
    domains:
    - Security - Others
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e4779bdc-397a-4b71-be28-59e6a1e1d16b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e4779bdc-397a-4b71-be28-59e6a1e1d16b')]",
      "properties": {
        "alertRuleTemplateName": "e4779bdc-397a-4b71-be28-59e6a1e1d16b",
        "customDetails": null,
        "description": "'This alerts when end to end encryption is disabled for Zoom meetings.'\n",
        "displayName": "Zoom E2E Encryption Disabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/E2EEDisbaled.yaml",
        "query": "ZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend NewE2ESetting = columnifexists(\"payload_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| extend OldE2ESetting = columnifexists(\"payload_old_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\n| extend AccountName = tostring(split(User, \"@\")[0]), AccountUPNSuffix = tostring(split(User, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1040"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}