Users joining meetings from a previously unseen time zone may indicate adversarial activity attempting to mask their location, making proactive hunting in Azure Sentinel critical to identifying potential compromise or reconnaissance efforts. SOC teams should prioritize this behavior as it could signal covert operations or misconfigured accounts used by adversaries to evade detection.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 30d;
// Baseline: every time zone seen at a participant join in the 30 days before the hunt window.
let previous_tz = (
ZoomLogs
| where TimeGenerated between (lookback .. starttime)
| where Event =~ "meeting.participant_joined"
| extend TimeZone = columnifexists('payload_object_timezone_s', "")
| summarize by TimeZone
);
// Joins inside the hunt window whose time zone is absent from that baseline.
ZoomLogs
| where TimeGenerated between (starttime .. endtime)
| where Event =~ "meeting.participant_joined"
| extend TimeZone = columnifexists('payload_object_timezone_s', "")
| where isnotempty(TimeZone) and TimeZone !in (previous_tz)
| extend timestamp = TimeGenerated, AccountCustomEntity = User
id: 5ca3868b-9245-4573-894c-55a935736018
name: New time zone observed
description: |
  'This hunting query identifies users joining a meeting from a time zone that a user has not been observed from in the last 30 days.'
requiredDataConnectors: []
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let lookback = starttime - 30d;
  // Baseline: every time zone seen at a participant join in the 30 days before the hunt window.
  let previous_tz = (
  ZoomLogs
  | where TimeGenerated between (lookback .. starttime)
  | where Event =~ "meeting.participant_joined"
  | extend TimeZone = columnifexists('payload_object_timezone_s', "")
  | summarize by TimeZone
  );
  // Joins inside the hunt window whose time zone is absent from that baseline.
  ZoomLogs
  | where TimeGenerated between (starttime .. endtime)
  | where Event =~ "meeting.participant_joined"
  | extend TimeZone = columnifexists('payload_object_timezone_s', "")
  | where isnotempty(TimeZone) and TimeZone !in (previous_tz)
  | extend timestamp = TimeGenerated, AccountCustomEntity = User
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Other" ]
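To make the query's baseline-and-compare logic concrete, here is an added Python re-implementation run over a constructed sample of ZoomLogs rows; it is not part of the page or of the Sentinel query. It also adds an optional per-account baseline (per_user=True), which goes beyond the page's single shared baseline; the SAMPLE_EVENTS rows, user names and the April 2024 hunt window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

JOIN = "meeting.participant_joined"

# Constructed sample of ZoomLogs rows (not real data). Each tuple mirrors the
# columns the KQL reads: TimeGenerated, Event, User, payload_object_timezone_s.
SAMPLE_EVENTS = [
    ("2024-02-15T09:00:00Z", JOIN, "alice@example.com", "Australia/Sydney"),  # older than 30d lookback
    ("2024-03-10T09:00:00Z", JOIN, "alice@example.com", "Europe/London"),
    ("2024-03-12T17:30:00Z", JOIN, "bob@example.com", "America/New_York"),
    ("2024-03-20T08:15:00Z", "meeting.ended", "alice@example.com", "Asia/Tokyo"),  # not a join
    ("2024-04-02T10:00:00Z", JOIN, "alice@example.com", "Europe/London"),      # zone already in baseline
    ("2024-04-02T22:45:00Z", JOIN, "carol@example.com", "Asia/Tokyo"),         # never seen at a join
    ("2024-04-03T03:00:00Z", JOIN, "bob@example.com", ""),                     # empty TZ is dropped
    ("2024-04-04T08:00:00Z", JOIN, "bob@example.com", "Europe/London"),        # new for bob only
    ("2024-04-05T06:00:00Z", JOIN, "dave@example.com", "Australia/Sydney"),    # seen, but too long ago
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def joins_in(events, start, end):
    """Yield (user, tz, ts) for participant_joined rows in [start, end) that carry a time zone."""
    for ts, event, user, tz in events:
        if event.lower() == JOIN and tz and start <= parse_ts(ts) < end:  # =~ and isnotempty()
            yield user, tz, ts


def new_time_zones(events, starttime, endtime, lookback_days=30, per_user=False):
    """Joins in [starttime, endtime) whose time zone is absent from the lookback baseline.

    per_user=False reproduces the page's query (one baseline shared by all accounts);
    per_user=True baselines each account separately, which is stricter than the page.
    """
    lookback = starttime - timedelta(days=lookback_days)
    key = (lambda user, tz: (user, tz)) if per_user else (lambda user, tz: tz)
    baseline = {key(u, tz) for u, tz, _ in joins_in(events, lookback, starttime)}
    return [(u, tz, ts) for u, tz, ts in joins_in(events, starttime, endtime)
            if key(u, tz) not in baseline]


if __name__ == "__main__":
    window = (parse_ts("2024-04-01T00:00:00Z"), parse_ts("2024-04-08T00:00:00Z"))
    for hit in new_time_zones(SAMPLE_EVENTS, *window):
        print("new time zone:", hit)
```

With the shared baseline, alice's and bob's London joins are silent because London was seen at any join in the lookback, while the per-account variant also raises bob's first London join; the Sydney hit shows why the 30-day window matters, since the zone was seen, but too long ago to count.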
Scenario: A user joins a meeting from a different time zone due to a scheduled global team meeting that is intentionally held in a new time zone for international participation.
Filter/Exclusion: Exclude meetings that are part of a known global team schedule (e.g., using Microsoft Teams meeting IDs or calendar event titles that include “Global Sync” or “International Team Meeting”).
Scenario: A user is using a time zone conversion tool or a virtual private network (VPN) that temporarily routes traffic through a different geographic location.
Filter/Exclusion: Exclude traffic from known time zone conversion tools (e.g., TimeZones.com) or IP ranges associated with common VPN providers (e.g., NordVPN, ExpressVPN).
Scenario: An admin or IT staff member is performing a system maintenance task that involves logging in from a remote location with a different time zone.
Filter/Exclusion: Exclude login events from admin accounts (e.g., domain\Administrator or svc_account) or IP addresses associated with known IT management tools (e.g., Microsoft Endpoint Manager, Ansible).
Scenario: A scheduled job or automated script runs on a server located in a different time zone, and the user account associated with the job is used to join a meeting.
Filter/Exclusion: Exclude events where the user account is associated with a service account or scheduled task (e.g., SQLAgent or ScheduledTask_12345) or where the meeting was initiated by a system process.
Scenario: A user is using a time zone-aware application (e.g., Zoom, Microsoft Teams) that automatically adjusts the displayed time zone based on the user’s location, but the system reports a different time zone.
Filter/Exclusion: Exclude events where the user is logged into a time zone-aware application (e.g., Zoom Client or Teams) and the meeting