Security feature: Add failed login data to /report/activities

TLDR

It would be nice to get logs of clients attempting and failing to access Zoom in my managed domain. I would use that information to lock suspicious accounts and report compromise. I would also like more information available from the authorization logs.

My Problem:

We currently monitor who logs in and out of our managed domain via https://marketplace.zoom.us/docs/api-reference/zoom-api/reports/reportsigninsignoutactivities . It would be a nice feature to know where failed logins are coming from as well as client and IP information.

Suggestions

I have 2 suggestions:

  1. Add another reporting endpoint that aggregates failed logins, i.e. /reports/failedsigninaggs or /reports/failedsignins. This would be nice; however, computing aggregates is difficult depending on your backend, so it may not be advantageous.
  2. PREFERRED: add a new type to /report/activities (https://marketplace.zoom.us/docs/api-reference/zoom-api/reports/reportsigninsignoutactivities) like “Sign in failed” and include as much client information as possible, most importantly the data_center and client version.

Preferred event data returned could look something like this:

{
    "email": "sfkjsldfhjdsf@dskjflhdsf.com",
    "time": "2019-09-15T20:56:09Z",
    "type": "Sign in failed",
    "ip_address": "38.99.100.6",
    "client_type": "Browser",
    "device": "WIN",
    "data_center": "SC",
    "connection_type": "P2P",
    "pc_name": "dojo's pc",
    "domain": "Dojo-workspace",
    "mac_addr": "00:0a:95:9d:68:16",
    "version": "-"
}

If aggregating over the last day, something like this:

{
    "email": "sfkjsldfhjdsf@dskjflhdsf.com",
    "ip_address": "38.99.100.6",
    "client_type": "Browser",
    "version": "-",
    "count": 9000
}

Thanks, Zoom. Great product!

3 Likes
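Added example, not part of the original post and not Zoom code: a sketch of how a consumer could roll per-event records in the proposed shape up into the proposed one-day aggregate and pick out accounts worth reviewing. The "Sign in failed" type is the requested value from the post, not an existing API value; the sample events, the helper names and the threshold of 3 are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FAILED = "Sign in failed"  # type value proposed in the post, not an existing API value

def _ev(email, time, type_, ip):
    # Builds a constructed event in the shape the post proposes.
    return {"email": email, "time": time, "type": type_, "ip_address": ip,
            "client_type": "Browser", "version": "-"}

# Constructed sample data (example.com addresses, documentation-range IPs).
SAMPLE_EVENTS = [
    _ev("user1@example.com", "2019-09-15T20:56:09Z", FAILED, "192.0.2.10"),
    _ev("user1@example.com", "2019-09-15T20:56:40Z", FAILED, "192.0.2.10"),
    _ev("user1@example.com", "2019-09-15T20:57:02Z", FAILED, "192.0.2.10"),
    _ev("user1@example.com", "2019-09-15T21:10:00Z", FAILED, "198.51.100.7"),
    _ev("user1@example.com", "2019-09-13T08:00:00Z", FAILED, "192.0.2.10"),  # outside window
    _ev("user2@example.com", "2019-09-15T09:00:00Z", FAILED, "203.0.113.5"),
    _ev("user2@example.com", "2019-09-15T09:01:00Z", "Sign in", "203.0.113.5"),
]
NOW = datetime(2019, 9, 16, 0, 0, 0, tzinfo=timezone.utc)

def aggregate_failed_signins(events, now, window=timedelta(days=1)):
    """Count failures per (email, ip, client, version) inside the window, highest first."""
    counts = Counter()
    for ev in events:
        if ev.get("type") != FAILED:
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (now - window <= ts <= now):
            continue
        counts[(ev["email"], ev.get("ip_address", "-"),
                ev.get("client_type", "-"), ev.get("version", "-"))] += 1
    return [{"email": e, "ip_address": ip, "client_type": c, "version": v, "count": n}
            for (e, ip, c, v), n in counts.most_common()]

def suspicious_accounts(aggregates, threshold=3):
    """Accounts whose failures across all sources reach the threshold, with source IPs."""
    totals, sources = Counter(), {}
    for row in aggregates:
        totals[row["email"]] += row["count"]
        sources.setdefault(row["email"], set()).add(row["ip_address"])
    return {e: {"failures": n, "source_ips": sorted(sources[e])}
            for e, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    aggs = aggregate_failed_signins(SAMPLE_EVENTS, NOW)
    print(aggs)
    print(suspicious_accounts(aggs))
```

Summing per account before applying the threshold means failures spread across several source IPs still surface, which a per-IP count alone would miss.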