Rule : Detection of Office Child Processes Through ASR
Asr Office Child Process Audited Query
Query
DeviceEvents
| where ActionType == "AsrOfficeChildProcessAudited"
| where FileName != "onedrive.exe"About this query
Rule : Detection of Office Child Processes Through ASR
Description
This detection rule identifies child processes spawned by Microsoft Office applications that have been audited by Advanced Security Rules (ASR), excluding onedrive.exe. Monitoring for child processes created by Office applications is crucial because malicious actors often use Office macros to launch additional processes to execute malicious payloads. By excluding known and trusted processes like OneDrive, this rule focuses on identifying potentially suspicious activities that could compromise the system.
This rule helps identify and audit unusual child processes initiated by Office applications, providing an early warning for potential malicious activities.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "AsrOfficeChildProcessAudited". - The
FileNameis not "onedrive.exe".
- The
Tags
- Office Security
- Child Processes
- Macro Security
- Malware
- Advanced Security Rules (ASR)
- Suspicious Activity
Search Query
Explanation
This query is designed to detect potentially suspicious activities by monitoring child processes created by Microsoft Office applications. Here's a simplified summary:
- Purpose: To identify and audit unusual child processes spawned by Office applications, excluding the trusted process
onedrive.exe. - Why It Matters: Malicious actors often use Office macros to launch harmful processes. By focusing on these child processes, the rule aims to catch early signs of malicious activity.
- How It Works:
- It looks at
DeviceEventswhere theActionTypeis "AsrOfficeChildProcessAudited". - It filters out any events where the
FileNameis "onedrive.exe".
- It looks at
Search Query Breakdown
DeviceEvents
| where ActionType == "AsrOfficeChildProcessAudited"
| where FileName != "onedrive.exe"
- DeviceEvents: The dataset being queried.
- ActionType == "AsrOfficeChildProcessAudited": Filters for events where Office applications have created child processes that are audited by Advanced Security Rules.
- FileName != "onedrive.exe": Excludes events where the child process is
onedrive.exe, focusing on potentially suspicious processes.
Tags
- Office Security: Related to securing Microsoft Office applications.
- Child Processes: Focuses on processes initiated by other applications.
- Macro Security: Involves security related to Office macros.
- Malware: Pertains to detecting malicious software.
- Advanced Security Rules (ASR): Uses advanced security auditing rules.
- Suspicious Activity: Aims to identify potentially harmful actions.
Details

Ali Hussein
Released: July 15, 2024
Tables
Keywords
Operators