Query Details

Asr Office Process Injection Audited Query

Query

DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"

About this query

Rule: Detection of Process Injection from Office apps throug ASR

Description

This query detects events where an office process injection has been audited by the Advanced Security Audit Policy (ASR).

Detection Logic

Monitors DeviceEvents for occurrences where the ActionType is "AsrOfficeProcessInjectionAudited".

Tags

  • ASR
  • Office
  • Process Injection
  • Auditing

Search Query

Explanation

Summary of the Query

This query is designed to detect instances where an Office application (like Word or Excel) has attempted to inject a process, and this activity has been logged by the Advanced Security Audit Policy (ASR).

Key Points:

  • Purpose: To identify and monitor suspicious process injection activities originating from Office applications.
  • Data Source: The query looks at DeviceEvents.
  • Condition: It specifically filters events where the ActionType is "AsrOfficeProcessInjectionAudited".

How It Works:

  1. Monitors Device Events: The query scans through device event logs.
  2. Filters Specific Action: It filters out events where the action type indicates that an Office process injection has been audited by ASR.

Tags:

  • ASR: Advanced Security Audit Policy
  • Office: Refers to Microsoft Office applications
  • Process Injection: A technique often used in cyber attacks
  • Auditing: The process of logging and monitoring security-related events

Search Query:

DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"

In simple terms, this query helps in identifying and logging any attempts by Office applications to inject processes, which is a common tactic used in cyber attacks.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeASROfficeProcessInjectionAuditing

Operators

|where==

Actions

GitHub