Rule : Detection of Adobe Reader Child Processes throug ASR
Asr Adobe Reader Child Process Audited Detection Rule
Query
DeviceEvents
| where ActionType == "AsrAdobeReaderChildProcessAudited"About this query
Rule : Detection of Adobe Reader Child Processes throug ASR
Description
This detection rule identifies child processes spawned by Adobe Reader that have been audited by Advanced Security Rules (ASR). Monitoring for child processes created by Adobe Reader is important because malicious actors can exploit vulnerabilities or use malicious PDFs to launch additional processes, executing malicious payloads. This rule focuses on identifying potentially suspicious activities initiated by Adobe Reader, providing early detection of possible threats.
This rule helps identify and audit unusual child processes initiated by Adobe Reader, serving as an early warning for potential malicious activities.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "AsrAdobeReaderChildProcessAudited".
- The
Tags
- Adobe Reader
- Child Processes
- PDF Security
- Malware
- Advanced Security Rules (ASR)
- Suspicious Activity
Search Query
Explanation
This query is designed to detect suspicious activities by monitoring child processes created by Adobe Reader. It uses Advanced Security Rules (ASR) to audit these processes. The goal is to identify potential threats early, as malicious actors might exploit Adobe Reader to execute harmful actions. The query specifically looks for events where the action type is "AsrAdobeReaderChildProcessAudited" in the DeviceEvents data.
In simple terms:
- Purpose: To catch unusual or potentially harmful activities initiated by Adobe Reader.
- How: By checking for specific security events logged by ASR.
- Query: It filters device events to find those where Adobe Reader has created a child process that was audited by ASR.
Details

Ali Hussein
Released: July 15, 2024
Tables
Keywords
Operators