Office ASR rule triggered from browser spawned office process
| Field | Value |
| --- | --- |
| Id | 30580043-2451-4d35-b49f-065728529f4a |
| Rulename | Office ASR rule triggered from browser spawned office process. |
| Description | The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. This detection looks for Office ASR violations triggered by an Office document opened from a browser. Note: be aware that you need to have the proper ASR rules enabled for this detection to work. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1566.002 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml |
| Version | 1.0.1 |
| Arm template | 30580043-2451-4d35-b49f-065728529f4a.json |
```kusto
// Add your own browsers here as well.
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
DeviceEvents
| where ActionType contains "Office"
| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
// Ignore docx, xlsx and pptx files. These don't contain macros.
| where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")
```
```yaml
description: |
  The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules.
  This detection looks for Office ASR violations triggered by an Office document opened from a browser.
  Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
version: 1.0.1
triggerThreshold: 0
tactics:
  - InitialAccess
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
triggerOperator: gt
status: Available
id: 30580043-2451-4d35-b49f-065728529f4a
name: Office ASR rule triggered from browser spawned office process.
queryFrequency: 5m
severity: Medium
kind: Scheduled
entityMappings:
  - fieldMappings:
      - columnName: AccountSid
        identifier: Sid
      - columnName: AccountName
        identifier: Name
      - columnName: AccountDomain
        identifier: NTDomain
    entityType: Account
  - fieldMappings:
      - columnName: DeviceName
        identifier: FullName
    entityType: Host
  - fieldMappings:
      - columnName: ProcessCommandLine
        identifier: CommandLine
    entityType: Process
relevantTechniques:
  - T1566.002
query: |
  // Add your own browsers here as well.
  let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
  DeviceEvents
  | where ActionType contains "Office"
  | where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
  // Ignore docx, xlsx and pptx files. These don't contain macros.
  | where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")
requiredDataConnectors:
  - dataTypes:
      - DeviceEvents
    connectorId: MicrosoftThreatProtection
```