Query Details

Asr Executable Email Content Audited Detection Rule

Query

# Rule: Detection of Executable Email Content Using the AsrExecutableEmailContentAudited ASR Rule

## Description
This detection rule identifies audited events in which executable content was detected in email, excluding files with a ".js" extension. Monitoring for executable email content helps identify phishing and malware delivery attempts that arrive via email. JavaScript files are a common vector for malicious content, but this rule deliberately focuses on the other executable file types, whose presence could indicate an attempt to bypass email security controls.

The rule monitors audited actions related to executable content in email attachments, helping to identify potentially malicious files that could compromise the endpoint.

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "AsrExecutableEmailContentAudited".
  - The `FileName` does not end with ".js".

## Tags
- Email Security
- Executable Content
- Phishing
- Malware
- Suspicious Activity

## Search Query
```kql
DeviceEvents
| where ActionType == "AsrExecutableEmailContentAudited"
| where FileName !endswith ".js"
```

Explanation

This query is designed to detect potentially malicious executable content in email attachments, excluding JavaScript files. Here's a simple summary:

1. Purpose: To identify and monitor email attachments that contain executable files, which could be used for phishing or malware attacks.
2. Exclusion: It specifically ignores files with a ".js" extension, focusing on other types of executable files.
3. How it works:
   - It looks at `DeviceEvents`.
   - It filters events where the `ActionType` is "AsrExecutableEmailContentAudited".
   - It further filters out files whose name ends with ".js".
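The following query is an added example, not the rule as published on this page: it keeps the page's two filters and extends them for triage by extracting the attachment extension and grouping the audited events by extension and by the process that handled the file. The column names are from the standard `DeviceEvents` schema; the 7-day window and the grouping fields are assumptions chosen for this example.

```kql
// Added triage example (not the original rule): same two filters as the page,
// plus context for an analyst. Window and grouping fields are assumptions.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AsrExecutableEmailContentAudited"
// KQL's endswith is case-insensitive, so ".JS" and ".Js" are excluded as well;
// use !endswith_cs only if a case-sensitive match is actually intended.
| where FileName !endswith ".js"
// Pull the lowercase extension out of the file name for grouping
// (empty when the file has no extension at all).
| extend Extension = tolower(extract(@"\.([^.\\]+)$", 1, FileName))
| summarize Events = count(),
            Devices = dcount(DeviceName),
            Accounts = make_set(AccountName, 20),
            Files = make_set(FileName, 20),
            Hashes = make_set(SHA256, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by Extension, InitiatingProcessFileName
| order by Events desc
```

The "Audited" suffix in the action type means the ASR rule ("Block executable content from email client and webmail") ran in audit mode, so the attachment was logged but not blocked; the block-mode counterpart is the `AsrExecutableEmailContentBlocked` action type and is worth reviewing alongside this one. Grouping by `InitiatingProcessFileName` separates attachments opened from a mail client from those pulled through a browser-based webmail session, and the collected `SHA256` values give the analyst something to pivot on without re-running the base query.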

Tags: This rule is related to email security, executable content, phishing, malware, and suspicious activity.


Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, Email Security, Executable Content, Phishing, Malware, Suspicious Activity

Operators

==, !endswith, |, where
