This rule flags users who join a Zoom meeting from a time zone other than the one the meeting was created in. On its own a mismatch is weak evidence, but an account that starts joining from an unexpected region is one indicator of a compromised or shared credential (MITRE ATT&CK T1078, Valid Accounts), which is why the rule is mapped to Initial Access and Privilege Escalation and ships at Low severity. SOC teams can run it in Microsoft Sentinel (formerly Azure Sentinel) as a daily scheduled rule and tune it through the tz_whitelist list; in a distributed organisation it is noisy until that list is populated.
KQL Query
let schedule_lookback = 14d;
let join_lookback = 1d;
// If you want to whitelist specific timezones include them in a list here,
// using tz database names, e.g. dynamic(["America/New_York", "Europe/London"])
let tz_whitelist = dynamic([]);
// Meetings created in the last 14 days, with the time zone they were scheduled in.
// The User column of the meeting.created event is the scheduler.
let meetings = (
ZoomLogs
| where TimeGenerated >= ago(schedule_lookback)
| where Event =~ "meeting.created"
| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)
| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));
// Joins in the last day, matched back to the scheduled time zone of their meeting.
ZoomLogs
| where TimeGenerated >= ago(join_lookback)
| where Event =~ "meeting.participant_joined"
| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)
| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)
| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)
| where JoinedTimeZone !in (tz_whitelist)
// kind=inner is required: the default innerunique flavour keeps only one
// left-hand (participant_joined) row per MeetingId, so every joiner of a
// meeting except one would be silently dropped before the comparison.
| join kind=inner (meetings) on MeetingId
| where SchedTimezone != JoinedTimeZone
// payload_object_participant_user_name_s is the raw participant-name column of
// the underlying Zoom custom log (the rule relies on the ZoomLogs parser leaving
// it in place); User1 is the scheduler's User column from the right-hand side
// of the join.
| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1
| extend AccountName = tostring(split(JoiningUser, "@")[0]), AccountUPNSuffix = tostring(split(JoiningUser, "@")[1])
id: 58fc0170-0877-4ea8-a9ff-d805e361cfae
name: User joining Zoom meeting from suspicious timezone
description: |
  'The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.
  You can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones'
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - PrivilegeEscalation
relevantTechniques:
  - T1078
query: |
  let schedule_lookback = 14d;
  let join_lookback = 1d;
  // If you want to whitelist specific timezones include them in a list here
  let tz_whitelist = dynamic([]);
  let meetings = (
  ZoomLogs
  | where TimeGenerated >= ago(schedule_lookback)
  | where Event =~ "meeting.created"
  | extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)
  | extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));
  ZoomLogs
  | where TimeGenerated >= ago(join_lookback)
  | where Event =~ "meeting.participant_joined"
  | extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)
  | extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)
  | extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)
  | where JoinedTimeZone !in (tz_whitelist)
  // kind=inner: the default innerunique join keeps only one participant_joined row per MeetingId
  | join kind=inner (meetings) on MeetingId
  | where SchedTimezone != JoinedTimeZone
  | project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1
  | extend AccountName = tostring(split(JoiningUser, "@")[0]), AccountUPNSuffix = tostring(split(JoiningUser, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: JoiningUser
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
Scenario: User joining from a different time zone due to a remote work setup
Description: A US-based user joins a Zoom meeting scheduled by an EU-based host. The meeting carries the host's time zone (for example Europe/London) while the participant's client reports America/New_York, so the rule fires even though both accounts are legitimate.
Filter/Exclusion: Add the time zones your remote workforce legitimately joins from to tz_whitelist, using tz database names such as "America/New_York". If you need per-user rather than per-time-zone exclusions, keep the remote workers in a Sentinel watchlist and drop matching JoiningUser values from the result. The query itself has no user location or remote-worker attribute; that context has to be joined in from a watchlist or a directory table keyed on the UPN.
Scenario: Automated integration or service account joining a meeting
Description: A service account, such as a meeting recording or transcription bot, joins from a server whose time zone (commonly Etc/UTC) never matches the scheduler's, producing a mismatch on every meeting it attends.
Filter/Exclusion: Keep a list of known service-account UPNs and exclude them after the project step with a clause of the form: where JoiningUser !in (service_accounts). A watchlist works equally well. Whitelisting the server's time zone instead is a blunter tool, since it also hides any human join from that zone.
Scenario: Time zone mismatch due to an incorrect meeting time zone setting
Description: The meeting was created with the wrong time zone (for example "Europe/London" when "America/New_York" was intended), so every participant joining from the intended region mismatches the scheduled zone.
Filter/Exclusion: Fix the meeting's time zone in Zoom rather than tuning the rule. Adding "Europe/London" to tz_whitelist suppresses all joins from that zone for every meeting, not just the misconfigured one; for a one-off meeting, exclude its MeetingId before the join instead.
Scenario: User joining from a different time zone because of time zone conversion for international calls
Description: A participant in another region joins a meeting that was created in the host's local time zone. For a distributed team this is the normal case, and the rule will fire on every such join, which is why it ships at Low severity with an empty tz_whitelist that is expected to be populated.
*Filter
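The tuning described in these scenarios, as an added example that is not part of the original rule or of the Microsoft Sentinel content: a self-contained KQL query that builds a handful of constructed Zoom events with datatable (the contoso.com accounts, meeting IDs 111 and 222 and the recorder-bot service account are all assumed), runs the same join the rule uses, and applies a populated tz_whitelist plus a service-account exclusion. A fixed reference_time stands in for now() so the lookback windows are reproducible; it runs in any Log Analytics or Kusto query window without Zoom data.

```kql
// Constructed sample events (not real tenant data). Columns mimic what the rule
// reads from the ZoomLogs parser: Event, User (the scheduler on meeting.created),
// the raw participant-name column, and the MeetingEvents JSON.
let reference_time = datetime(2024-05-02T12:00:00Z);   // stands in for now()
let schedule_lookback = 14d;
let join_lookback = 1d;
let sample_ZoomLogs = datatable(TimeGenerated:datetime, Event:string, User:string,
                                payload_object_participant_user_name_s:string, MeetingEvents:dynamic)
[
    // meeting 111 scheduled from London 3 days ago; meeting 222 scheduled 20 days
    // ago, i.e. outside schedule_lookback, so joins to it cannot be evaluated
    datetime(2024-04-29T09:00:00Z), "meeting.created", "alice@contoso.com", "",
        dynamic({"MeetingId":"111","MeetingName":"Weekly sync","Timezone":"Europe/London"}),
    datetime(2024-04-12T09:00:00Z), "meeting.created", "alice@contoso.com", "",
        dynamic({"MeetingId":"222","MeetingName":"Old planning call","Timezone":"Europe/London"}),
    // joins inside join_lookback: same zone, whitelisted zone, service account,
    // unexpected zone, and a join to the too-old meeting
    datetime(2024-05-02T09:05:00Z), "meeting.participant_joined", "", "alice@contoso.com",
        dynamic({"MeetingId":"111","MeetingName":"Weekly sync","Timezone":"Europe/London"}),
    datetime(2024-05-02T09:06:00Z), "meeting.participant_joined", "", "bob@contoso.com",
        dynamic({"MeetingId":"111","MeetingName":"Weekly sync","Timezone":"America/New_York"}),
    datetime(2024-05-02T09:07:00Z), "meeting.participant_joined", "", "recorder-bot@contoso.com",
        dynamic({"MeetingId":"111","MeetingName":"Weekly sync","Timezone":"Etc/UTC"}),
    datetime(2024-05-02T09:08:00Z), "meeting.participant_joined", "", "mallory@contoso.com",
        dynamic({"MeetingId":"111","MeetingName":"Weekly sync","Timezone":"Asia/Shanghai"}),
    datetime(2024-05-02T09:09:00Z), "meeting.participant_joined", "", "carol@contoso.com",
        dynamic({"MeetingId":"222","MeetingName":"Old planning call","Timezone":"Asia/Shanghai"})
];
// Tuning knobs (assumed values): time zones remote workers legitimately join from,
// and service-account UPNs that never share the scheduler's time zone.
let tz_whitelist = dynamic(["America/New_York"]);
let service_accounts = dynamic(["recorder-bot@contoso.com"]);
let meetings = (
    sample_ZoomLogs
    | where TimeGenerated >= reference_time - schedule_lookback
    | where Event =~ "meeting.created"
    | extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId),
             SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));
sample_ZoomLogs
| where TimeGenerated >= reference_time - join_lookback
| where Event =~ "meeting.participant_joined"
| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId),
         MeetingName = tostring(parse_json(MeetingEvents).MeetingName),
         JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)
| where JoinedTimeZone !in (tz_whitelist)
// kind=inner: the default innerunique flavour keeps only one participant_joined
// row per MeetingId, so all but one joiner of a meeting would be dropped here
| join kind=inner (meetings) on MeetingId
| where SchedTimezone != JoinedTimeZone
| project TimeGenerated, MeetingName, JoiningUser = payload_object_participant_user_name_s,
          JoinedTimeZone, SchedTimezone, MeetingScheduler = User1
// per-account exclusion applied after project, once JoiningUser exists
| where JoiningUser !in (service_accounts)
| extend AccountName = tostring(split(JoiningUser, "@")[0]),
         AccountUPNSuffix = tostring(split(JoiningUser, "@")[1])
```

Each sample row exercises one tuning path: alice joins from the scheduled zone, bob from the whitelisted America/New_York, the recorder bot is listed in service_accounts, and carol's meeting was created outside schedule_lookback so the inner join has nothing to match it against; only mallory's Asia/Shanghai join is meant to survive to the result. In production, replace the two dynamic lists with _GetWatchlist() calls so analysts can maintain the exclusions without editing the rule.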