Loading

Zoom Integration for Elastic

Version 1.27.0 (View all)
Subscription level
What's this?
Basic
Developed by
What's this?
Elastic
Ingestion method(s) API, Webhook
Minimum Kibana version(s) 9.1.2
8.19.2

Zoom is a unified communications platform that provides meetings, webinars, phone, team chat, and Zoom Rooms. The Zoom integration for Elastic enables you to collect Zoom event and audit data so you can monitor user activity, investigate security incidents, and analyze platform usage in Elastic.

This integration collects data using two complementary methods:

  • Webhook: a real-time HTTP listener that receives event notifications pushed by Zoom (meeting, webinar, recording, user, account, phone, team chat, and Zoom Room events).
  • REST API: a periodic poll of the Zoom REST API to collect the sign in / sign out activity report, the operation logs report, and the meeting_activity logs report for an account.

Elastic Managed integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Elastic Managed integrations and the Elastic Managed integrations FAQ. Elastic Managed deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

  • The activity data stream uses the Zoom REST API GET /report/activities endpoint and requires a Zoom Pro (or higher) plan.
  • The operation data stream uses the Zoom REST API GET /report/operationlogs endpoint and requires a Zoom Pro plan or above.
  • The meeting_activity data stream uses the Zoom REST API GET /report/meeting_activities endpoint. The meeting audit trail log feature must be enabled for the account by Zoom Support.

The webhook data stream creates an HTTP listener that accepts incoming webhook callbacks from Zoom. The Elastic Agent running this integration must be reachable from the internet so that Zoom can connect to it. Zoom requires that webhooks are delivered over HTTPS, so you must either configure the integration with a valid TLS certificate or place a reverse proxy that terminates TLS in front of the integration. Incoming events are then routed to the appropriate ingest pipeline based on the Zoom event type.

The activity, operation and meeting_activity data streams poll the Zoom REST API using Server-to-Server OAuth. On each interval, they request records within a date window (a maximum of one month per request) and paginate through the results.

The Zoom integration collects the following data:

  • webhook: real-time Zoom event notifications, including account, team chat (channel and message), meeting, phone, recording, user, webinar, and Zoom Room events.
  • activity: account-wide sign in and sign out activity logs from the Zoom REST API reports endpoint. Note that the API does not provide data for failed sign-in or authentication attempts, so those logs will not be available here.
  • operation: account-wide admin and user operation logs from the Zoom REST API reports endpoint, such as adding a user, changing account settings, or deleting a recording.
  • meeting_activity: meeting activity logs from the Zoom REST API reports endpoint, such as a meeting being created or started, a user joining or leaving, in-meeting chat, remote control, and a meeting ending.

Integrating Zoom with Elastic SIEM provides centralized visibility into collaboration and administrative activity:

  • Webhook events enable real-time monitoring across meetings, recordings, users, and account changes.
  • The activity report provides an account-wide sign in / sign out audit trail for investigating user access and anomalous logins.
  • The operation logs report tracks admin and user operations for auditing configuration changes and detecting unauthorized actions.
  • The meeting_activity logs report provides a meeting-level audit trail of meeting lifecycle and participant activity — meetings being created, started, and ended, participants joining and leaving, in-meeting chat, and remote control — helping you reconstruct what happened in a specific meeting, monitor meeting usage, and support compliance investigations.
  1. Create a Webhook-only app in the Zoom App Marketplace by following the Zoom webhook documentation.
  2. Add the event types you want to receive and set the event notification endpoint URL to the public HTTPS address where this integration is reachable.
  3. Note the Secret Token generated by Zoom. It is used for CRC endpoint validation and to verify the authenticity of incoming events.
  1. Create a Server-to-Server OAuth app in the Zoom App Marketplace by following the Server-to-Server OAuth documentation.
  2. Record the app's Account ID, Client ID, and Client Secret.
  3. Add the report:read:admin scope (or the granular report:read:user_activities:admin, report:read:operation_logs:admin & report:read:meeting_activity_log:admin scopes) to the app and activate it. A Zoom Pro plan or above is required.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent is required to receive the Zoom webhook callbacks or to poll the Zoom REST API, and to ship the data to Elastic, where the events are then processed via the integration's ingest pipelines.

  1. In the top search bar in Kibana, search for Integrations.

  2. In the search bar, type Zoom.

  3. Select the Zoom integration from the search results.

  4. Select Add Zoom to add the integration.

  5. Enable and configure only the collection methods which you will use.

    • To Collect Zoom logs via Webhook, you'll need to:

      • Configure the Listen Address, Listen Port, and Webhook path where the integration accepts requests.
      • Optionally enable CRC validation and provide the Zoom Secret Token, and/or configure a custom header to verify incoming requests.
      • Provide a valid TLS certificate (or front the integration with a TLS-terminating reverse proxy), since Zoom requires HTTPS.
    • To Collect Zoom logs via REST API, you'll need to:

      • Configure the Account ID, Client ID, and Client Secret of your Server-to-Server OAuth app.
      • Adjust the integration configuration parameters if required, including the Interval and Initial Interval (lookback), to enable data collection.
  6. Select Save and continue to save the integration.

  1. In the top search bar in Kibana, search for Dashboards.
  2. In the search bar, type Zoom.
  3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

For help with Elastic ingest tools, check Common problems.

The REST API data streams (activity, operation, and meeting_activity) query Zoom's Report endpoints, which are classified as Heavy APIs. Zoom enforces both a per-second (QPS) limit and a daily request quota, and both are shared across every app and user on the account, as well as across all of the Report data streams in this integration:

Plan Per second Per day (shared by Heavy and Resource-intensive APIs)
Pro 10 requests/second 30,000 requests/day
Business+ (Business, Education, Enterprise, and Partner) 40 requests/second 60,000 requests/day

To keep the Report data streams within this shared budget, each REST API data stream has client-side rate limiting enabled by default (Rate Limit and Rate Limit Burst in the data stream settings). The default values are conservative so that the streams can run together without exhausting the account quota, which matters most during the initial backfill when many requests are made.

If you hit an HTTP 429 Too Many Requests response, or you want to tune throughput, adjust these settings per data stream:

  • Reduce the rate (lower the Rate Limit, for example to 0.05) if you are seeing 429 errors, if other applications share the same Zoom account quota, or if the daily quota is being consumed too quickly. A daily-limit 429 is only cleared at 00:00 UTC, so it is better to run slower than to be locked out.
  • Increase the rate (raise the Rate Limit) if you are on a Business+ plan, run fewer Report data streams, or need the initial backfill to complete faster. Keep the combined rate of all enabled Report data streams below your plan's per-second limit.

You can also reduce the total number of requests by increasing the Page Size (up to Zoom's maximum of 300), since fewer, larger pages consume less of the shared quota.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

This is the webhook data stream. It collects real-time event notifications pushed by Zoom over an HTTP endpoint.

This is the activity data stream. It collects sign in / sign out activity logs from the Zoom REST API.

This is the operation data stream. It collects admin and user operation logs from the Zoom REST API.

This is the meeting_activity data stream. It collects meeting activity logs from the Zoom REST API.

These inputs are used in this integration:

This integration uses the following APIs:

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.