Skip to main content
 
Splunk Lantern

Number of all Zoom meetings created over time

 

Your workforce is fully remote. To ensure network security, you want to report on how many Zoom meetings were hosted on your network during certain time periods each day.

Required data

Zoom

Procedure  

Run the following search. You can optimize it by specifying a time range​​​​​​​.

search (index=zoom sourcetype="zoom:webhook" (event="meeting.ended" OR event="meeting.started") (TERM(meeting.ended) OR TERM(meeting.started)))
| eval endtime = strptime('payload.object.end_time',"%FT%TZ"), starttime = strptime('payload.object.start_time',"%FT%TZ"), duration = round((endtime - starttime)/60,2)
| timechart span=1h dc(payload.object.uuid) AS "Number of Meetings" avg(duration) AS "Average Meeting Duration (min)"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
search (index=zoom sourcetype="zoom:webhook" (event="meeting.ended" OR event="meeting.started") (TERM(meeting.ended) OR TERM(meeting.started)))

Search the Zoom sourcetype for events related to starting and stopping Zoom meetings and webinars.

If you use a different telecommunications provider integrated with Splunk, such as Cisco WebEx Meetings Add-on for Splunk, you may need to make adjustments to the fields and parameters.

| eval endtime = strptime('payload.object.end_time',"%FT%TZ"), starttime = strptime('payload.object.start_time',"%FT%TZ"), duration = round((endtime - starttime)/60,2) Parse the start and end times of the Zoom meetings into UNIX timestamps. Then, calculate the duration of each meeting, rounded to 2 decimals.
| timechart span=1h dc(payload.object.uuid) AS "Number of Meetings" avg(duration) AS "Average Meeting Duration (min)" Create a chart that shows the distinct count of meetings for each payload object ID and the average duration, bucketed into one hour increments.

Next steps

This search returns a table and chart of Zoom meetings held each day over the specified time frame, along with their duration. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network. 

Finally, you might be interested in other processes associated with the Securing a work-from-home organization use case.