[New Rule] Zoom Meeting with no Passcode (#292)

rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2020/09/14"
+ecs_version = ["1.6.0"]
+maturity = "development"
+query_schema_validation = false
+updated_date = "2020/09/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to
+Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode.
+Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video
+conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material
+that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.
+"""
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Zoom Meeting with no Passcode"
+note = "This rule requires the Zoom Filebeat module."
+references = [
+    "https://blog.zoom.us/a-message-to-our-users/",
+    "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
+]
+risk_score = 47
+rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
+severity = "medium"
+tags = ["Elastic", "SecOps", "Continuous Monitoring", "Configuration Audit"]
+type = "query"
+
+query = '''
+event.type:creation and event.module:zoom and event.dataset:zoom.webhook
+ and event.action:meeting.created and not zoom.meeting.password:*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"