Asr Office Process Injection Audited Query
Query
DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"About this query
Rule: Detection of Process Injection from Office apps throug ASR
Description
This query detects events where an office process injection has been audited by the Advanced Security Audit Policy (ASR).
Detection Logic
Monitors DeviceEvents for occurrences where the ActionType is "AsrOfficeProcessInjectionAudited".
Tags
- ASR
- Office
- Process Injection
- Auditing
Search Query
Explanation
Summary of the Query
This query is designed to detect instances where an Office application (like Word or Excel) has attempted to inject a process, and this activity has been logged by the Advanced Security Audit Policy (ASR).
Key Points:
- Purpose: To identify and monitor suspicious process injection activities originating from Office applications.
- Data Source: The query looks at
DeviceEvents. - Condition: It specifically filters events where the
ActionTypeis"AsrOfficeProcessInjectionAudited".
How It Works:
- Monitors Device Events: The query scans through device event logs.
- Filters Specific Action: It filters out events where the action type indicates that an Office process injection has been audited by ASR.
Tags:
- ASR: Advanced Security Audit Policy
- Office: Refers to Microsoft Office applications
- Process Injection: A technique often used in cyber attacks
- Auditing: The process of logging and monitoring security-related events
Search Query:
DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"
In simple terms, this query helps in identifying and logging any attempts by Office applications to inject processes, which is a common tactic used in cyber attacks.
Details

Ali Hussein
Released: July 15, 2024
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeASROfficeProcessInjectionAuditing
Operators
|where==