Query Details
//Detects audit hits on the "Block all Office applications from creating child processes" ASR rule, i.e. child processes that would have been blocked had the rule been in Block mode.
//For instance, to assess the impact of enabling this rule in response to the MSDT vulnerability (CVE-2022-30190) - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
//Data connector required for this query - M365 Defender - Device* tables
//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "AsrOfficeChildProcessAudited"
//IsAudit confirms the event was audited rather than enforced
| where AdditionalFields.IsAudit == true
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrOfficeChildProcessAudited"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName

This query detects audit hits on the "Block all Office applications from creating child processes" ASR rule. For each audited event it returns the time generated, device name, initiating process account name, file name, process command line, and initiating process file name. The query can be run against either the M365 Defender - Device* tables in Microsoft Sentinel or directly in Advanced Hunting.
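As an added example that is not part of the original query or the author's page, the same audit events can be aggregated per parent/child process pair so the impact of moving the rule from Audit to Block can be sized before the change. It assumes the same DeviceEvents table and the Sentinel column names (swap TimeGenerated for Timestamp in Advanced Hunting); the ActionType value AsrOfficeChildProcessBlocked referenced in the comments is the Block-mode counterpart of the audited event.

```kql
//Added example, not the original page's query: summarise ASR audit hits per parent -> child pair
//Assumes the M365 Defender DeviceEvents table in Sentinel; use Timestamp instead of TimeGenerated in Advanced Hunting
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "AsrOfficeChildProcessAudited"
//parse_json() accepts both a dynamic column (Sentinel) and a JSON string (Advanced Hunting)
| extend IsAudit = tobool(parse_json(AdditionalFields).IsAudit)
| where IsAudit == true
| summarize
    Hits = count(),
    Devices = dcount(DeviceName),
    Users = dcount(InitiatingProcessAccountName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleCommandLine = take_any(ProcessCommandLine)
    by ParentProcess = tolower(InitiatingProcessFileName), ChildProcess = tolower(FileName)
//Pairs with many hits across many devices are the ones that break workflows once the rule blocks;
//review them (and add per-file exclusions where justified) before switching to Block mode.
//After the switch, rerun with ActionType == "AsrOfficeChildProcessBlocked" to see what was actually blocked.
| order by Hits desc, Devices desc
```

Lower-casing the process names before the summarize keeps WINWORD.EXE and winword.exe in one row; the sample command line gives a quick hint of whether a pair is a legitimate add-in or something like Office spawning a shell that the rule exists to stop.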

Matt Zorich
Released: June 17, 2022