Query Details

Asr Office Process Injection Audited Query

Query

## Rule:  Detection of Process Injection from Office apps through ASR

### Description
This query detects events where the Microsoft Defender for Endpoint Attack Surface Reduction (ASR) rule "Block Office applications from injecting code into other processes" fired in audit mode, i.e. an Office application attempted to inject code into another process and the attempt was logged rather than blocked.

- [Microsoft documentation on ASR rules](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference)

### Detection Logic
Monitors `DeviceEvents` for occurrences where the `ActionType` is `"AsrOfficeProcessInjectionAudited"`. This action type is only emitted while the rule runs in audit mode; once the rule is switched to block mode the same behaviour is reported as `"AsrOfficeProcessInjectionBlocked"`, which this query does not match.

### Tags
- ASR
- Office
- Process Injection
- Auditing

### Search Query
```kql
DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"
```

Explanation

Summary of the Query

This query is designed to detect instances where an Office application (like Word or Excel) has attempted to inject code into another process, and the attempt has been logged by an Attack Surface Reduction (ASR) rule running in audit mode.

Key Points:

  • Purpose: To identify and monitor suspicious process injection activities originating from Office applications.
  • Data Source: The query looks at DeviceEvents.
  • Condition: It specifically filters events where the ActionType is "AsrOfficeProcessInjectionAudited".

How It Works:

  1. Monitors Device Events: The query scans through device event logs.
  2. Filters Specific Action: It keeps only events where the action type indicates that an Office process injection attempt was audited (logged, not blocked) by ASR.

Tags:

  • ASR: Attack Surface Reduction (Microsoft Defender for Endpoint rules)
  • Office: Refers to Microsoft Office applications
  • Process Injection: A technique often used in cyber attacks
  • Auditing: The process of logging and monitoring security-related events

Search Query:

DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"

In simple terms, this query helps in identifying any audited attempts by Office applications to inject code into other processes, a common tactic in macro-based attacks.
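The one-line filter above tells you that the rule fired but not who injected into what. The following advanced-hunting query is an added example, not part of the original page or the author's query; it assumes the standard `DeviceEvents` schema in Microsoft Defender for Endpoint, where for ASR events `InitiatingProcessFileName` is the Office application and `FileName` / `FolderPath` describe the target image. It also includes the blocked variant so the same query keeps working after the rule is switched from audit to block mode.

```kql
// Added triage query (not from the original page).
// Shows which Office process tried to inject, into what, on which devices,
// and whether the ASR rule was in audit or block mode at the time.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrOfficeProcessInjectionAudited",
                       "AsrOfficeProcessInjectionBlocked")
// Derive the rule mode from the action-type suffix.
| extend RuleMode = iff(ActionType endswith "Audited", "Audit", "Block")
| project Timestamp, DeviceName, RuleMode,
          InjectingProcess     = InitiatingProcessFileName,      // e.g. winword.exe
          InjectingCommandLine = InitiatingProcessCommandLine,
          InjectingParent      = InitiatingProcessParentFileName,
          AccountName          = InitiatingProcessAccountName,
          TargetProcess        = FileName,                       // assumed: injected-into image
          TargetPath           = FolderPath,
          ReportId
// Collapse repeats so a noisy add-in does not hide a single real hit.
| summarize Events    = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Targets   = make_set(TargetProcess, 10),
            Devices   = make_set(DeviceName, 10)
    by InjectingProcess, InjectingParent, AccountName, RuleMode
| order by Events desc
```

Audit-mode data is the baseline for deciding when the rule can be enforced: high-count rows with a known-good parent and target (for example a signed Office add-in helper) can be reviewed and excluded, while a low-count row whose parent is `outlook.exe` or whose target is an unusual path under `%TEMP%` is the one to escalate.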

Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, ASR, Office, Process Injection, Auditing

Operators

|, where, ==
