Rule : Detection of Office Macro Win32 API Calls Audited
Asr Office Macro Win32api Calls Audited Deteciton Rule
Query
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsAudited"About this query
Rule : Detection of Office Macro Win32 API Calls Audited
Description
This detection rule identifies audited events where Office Macros make Win32 API calls. Monitoring for such API calls is crucial because macros can be used to execute malicious code on the system. Malicious actors often exploit Office macros to run unauthorized scripts or binaries by leveraging Win32 API calls, which can lead to system compromise or data exfiltration.
This rule monitors for audited actions related to Office macros making Win32 API calls, helping to identify potentially malicious macros that could compromise the system.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "AsrOfficeMacroWin32ApiCallsAudited".
- The
Tags
- Office Security
- Macro Security
- Win32 API Calls
- Malware
- Suspicious Activity
Search Query
Note
Exclude trusted file names as this might get noisy
Explanation
Summary of the Query
Purpose: This query is designed to detect when Office Macros make Win32 API calls, which can be a sign of malicious activity. Monitoring these events helps in identifying potentially harmful macros that could compromise the system.
Detection Logic:
- The query looks at
DeviceEvents. - It filters events where the
ActionTypeis "AsrOfficeMacroWin32ApiCallsAudited".
Tags:
- Office Security
- Macro Security
- Win32 API Calls
- Malware
- Suspicious Activity
Search Query:
DeviceEvents
| where ActionType == "AsrOfficeMacroWin32ApiCallsAudited"
Note: To reduce noise, consider excluding events from trusted file names.
Details

Ali Hussein
Released: July 15, 2024
Tables
Keywords
Operators