Zoom account sign in requirements changed
Goal
This detection identifies when authentication requirements in a Zoom account are weakened or disabled.
Strategy
This detection monitors Zoom operation logs for changes to critical authentication settings. The rule looks for account update events where security controls have been changed from enabled to disabled states, including disabling password requirements, allowing password reuse, turning off two-factor authentication, or disabling one-time passcode authentication. The detection focuses on @evt.category of "Account" with @evt.name values of "Update" or "Batch Update" containing specific message patterns that indicate security controls being turned off. Events are grouped by the email address of the user making the changes (@usr.email).
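The matching logic described above, written out as an added Python example (not the rule's own query or Datadog code). It filters constructed Zoom operation-log events by @evt.category and @evt.name, matches the message against patterns for the four weakening changes, groups hits by @usr.email, and additionally flags an actor who makes several weakening changes within a short window, which is the rapid-succession check from the triage steps. The event shape, the message wording and the five-minute window are assumptions; real Zoom messages may differ, so the patterns should be tuned against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Datadog-style normalized shape. Attribute names
# come from the rule description; message wording is an assumption, not real Zoom output.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z", "evt.category": "Account", "evt.name": "Update",
     "usr.email": "admin@example.com",
     "message": "Security: Require password for all users changed from Enabled to Disabled"},
    {"timestamp": "2024-05-01T10:01:30Z", "evt.category": "Account", "evt.name": "Batch Update",
     "usr.email": "admin@example.com",
     "message": "Security: Two-factor authentication changed from On to Off"},
    {"timestamp": "2024-05-01T10:02:00Z", "evt.category": "Account", "evt.name": "Update",
     "usr.email": "admin@example.com",
     "message": "Security: Allow password reuse changed from Disabled to Enabled"},
    {"timestamp": "2024-05-01T11:00:00Z", "evt.category": "Account", "evt.name": "Update",
     "usr.email": "ops@example.com",
     "message": "Security: One-time passcode authentication changed from On to Off"},
    # Hardening change: must not match (direction is Off -> On).
    {"timestamp": "2024-05-01T12:00:00Z", "evt.category": "Account", "evt.name": "Update",
     "usr.email": "ops@example.com",
     "message": "Security: Two-factor authentication changed from Off to On"},
    # Wrong category: must not match even though the message looks like a hit.
    {"timestamp": "2024-05-01T12:05:00Z", "evt.category": "User", "evt.name": "Update",
     "usr.email": "ops@example.com",
     "message": "Security: Require password changed from Enabled to Disabled"},
]

ON = r"(?:On|Enabled)"
OFF = r"(?:Off|Disabled)"

# One pattern per weakening change named in the rule. Direction matters: a setting
# going from ON to OFF is weakening; password reuse going from OFF to ON is weakening.
WEAKENING_PATTERNS = {
    "password_requirement_disabled": re.compile(rf"Require password.*from {ON} to {OFF}", re.I),
    "password_reuse_allowed": re.compile(rf"Allow password reuse.*from {OFF} to {ON}", re.I),
    "two_factor_disabled": re.compile(rf"Two-factor authentication.*from {ON} to {OFF}", re.I),
    "otp_disabled": re.compile(rf"One-time passcode.*from {ON} to {OFF}", re.I),
}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return the kind of weakening change for a qualifying event, or None."""
    if event.get("evt.category") != "Account":
        return None
    if event.get("evt.name") not in ("Update", "Batch Update"):
        return None
    message = event.get("message", "")
    for kind, pattern in WEAKENING_PATTERNS.items():
        if pattern.search(message):
            return kind
    return None


def detect(events, burst_window=timedelta(minutes=5), burst_threshold=2):
    """Group weakening changes by usr.email and flag rapid succession.

    rapid_succession is True when an actor made at least burst_threshold
    weakening changes inside any burst_window-long interval (assumed values).
    """
    by_actor = defaultdict(list)
    for event in events:
        kind = classify(event)
        if kind is not None:
            by_actor[event["usr.email"]].append((parse_ts(event["timestamp"]), kind))

    findings = {}
    for actor, hits in by_actor.items():
        hits.sort()
        max_in_window = 0
        for i, (start, _) in enumerate(hits):
            in_window = sum(1 for ts, _ in hits[i:] if ts - start <= burst_window)
            max_in_window = max(max_in_window, in_window)
        findings[actor] = {
            "changes": [kind for _, kind in hits],
            "rapid_succession": max_in_window >= burst_threshold,
        }
    return findings


if __name__ == "__main__":
    for actor, finding in detect(SAMPLE_EVENTS).items():
        print(actor, finding)
```

In the constructed sample, admin@example.com trips three patterns within two minutes and is flagged for rapid succession, ops@example.com produces a single hit, and the hardening change and the non-Account event are ignored.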
Weakening authentication settings is concerning as it reduces the security posture of the organization’s Zoom environment, potentially making it easier for unauthorized users to access accounts through credential attacks or account takeovers.
Triage & Response
- Verify which specific authentication requirement was changed and assess the security impact.
- Identify which administrator account ({{@usr.email}}) made the change and confirm this was the legitimate account owner.
- Check for other recent administrative actions by the same user to establish a pattern of behavior.
- Look for concurrent security changes across the Zoom environment that might indicate a broader attack.
- Evaluate whether multiple authentication requirements were changed in rapid succession.
- Restore proper authentication requirements if the change was unauthorized.
- Consider temporarily restricting permissions of the administrator account pending investigation.