initial_access_zoom_meeting_with_no_passcode.toml

[metadata]
creation_date = "2020/09/14"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.
"""
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Zoom Meeting with no Passcode"
references = [
    "https://blog.zoom.us/a-message-to-our-users/",
    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
]
risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
setup = """## Setup

The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
  event.action:meeting.created and not zoom.meeting.password:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"