Microsoft Sentinel Analytic Rules

Office ASR rule triggered from browser spawned office process

Id: 30580043-2451-4d35-b49f-065728529f4a
Rulename: Office ASR rule triggered from browser spawned office process.
Description: The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user with a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules.

This detection looks for Office ASR violations triggered by an Office document opened from a browser.

Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
Severity: Medium
Tactics: InitialAccess
Techniques: T1566.002
Required data connectors: MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
Version: 1.0.1
Arm template: 30580043-2451-4d35-b49f-065728529f4a.json
// Add your own browsers here as well. 
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
DeviceEvents
| where ActionType contains "Office"
| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
// Ignore docx, xlsx and pptx files. These don't contain macros.
| where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")
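Added example (not part of the Sentinel rule or the FalconFriday solution): the query's three filters rebuilt in Python and run over constructed DeviceEvents rows, so you can see which events would alert and that the browser and extension checks are case-insensitive, as KQL's `contains`, `in~` and `endswith` are. The ActionType strings and file names in the sample rows are constructed.

```python
# Added example, not part of the Sentinel rule: the KQL filters rebuilt in Python
# and run over constructed DeviceEvents rows.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Ignored by the rule: these formats cannot carry VBA macros.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def matches_rule(event: dict) -> bool:
    """Return True when a DeviceEvents row satisfies all three KQL filters.

    KQL's `contains`, `in~` and `endswith` are case-insensitive, so every
    comparison here is done on lower-cased values.
    """
    action = (event.get("ActionType") or "").lower()
    if "office" not in action:                           # ActionType contains "Office"
        return False
    proc = (event.get("InitiatingProcessFileName") or "").lower()
    parent = (event.get("InitiatingProcessParentFileName") or "").lower()
    if proc not in BROWSERS and parent not in BROWSERS:  # ... in~ (browsers)
        return False
    filename = (event.get("FileName") or "").lower()
    return not filename.endswith(MACRO_FREE_EXTENSIONS)  # not(FileName endswith ...)


def run_rule(events):
    """Apply the rule to a list of rows and return the rows that would alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample rows; ActionType strings are illustrative ASR event names.
SAMPLE_EVENTS = [
    # Office launched by Chrome, macro-enabled file: should alert.
    {"ActionType": "AsrOfficeChildProcessBlocked", "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessParentFileName": "chrome.exe", "FileName": "invoice.docm"},
    # Same ASR event but the parent is Outlook, not a browser: out of scope.
    {"ActionType": "AsrOfficeChildProcessBlocked", "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessParentFileName": "OUTLOOK.EXE", "FileName": "report.docm"},
    # Edge parent (mixed case) but a .DOCX: dropped by the extension filter.
    {"ActionType": "AsrOfficeMacroWin32ApiCallsAudited", "InitiatingProcessFileName": "EXCEL.EXE",
     "InitiatingProcessParentFileName": "MsEdge.EXE", "FileName": "Quarterly.DOCX"},
    # Browser parent but a non-Office ASR rule: dropped by the ActionType filter.
    {"ActionType": "AsrPsexecWmiChildProcessBlocked", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessParentFileName": "firefox.exe", "FileName": "payload.xlsm"},
    # Browser is itself the initiating process, .xlsm download: should alert.
    {"ActionType": "AsrOfficeChildProcessAudited", "InitiatingProcessFileName": "firefox.exe",
     "InitiatingProcessParentFileName": "explorer.exe", "FileName": "quote.xlsm"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["ActionType"], hit["FileName"])
```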
status: Available
queryFrequency: 5m
description: |
  The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. 
  This detection looks for Office ASR violations triggered by an Office document opened from a browser.
  Note: be aware that you need to have the proper ASR rules enabled for this detection to work.   
severity: Medium
version: 1.0.1
relevantTechniques:
- T1566.002
name: Office ASR rule triggered from browser spawned office process.
triggerThreshold: 0
kind: Scheduled
query: |
  // Add your own browsers here as well. 
  let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
  DeviceEvents
  | where ActionType contains "Office"
  | where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
  // Ignore docx, xlsx and pptx files. These don't contain macros.
  | where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
tactics:
- InitialAccess
id: 30580043-2451-4d35-b49f-065728529f4a
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30580043-2451-4d35-b49f-065728529f4a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30580043-2451-4d35-b49f-065728529f4a')]",
      "properties": {
        "alertRuleTemplateName": "30580043-2451-4d35-b49f-065728529f4a",
        "customDetails": null,
        "description": "The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. \nThis detection looks for Office ASR violations triggered by an Office document opened from a browser.\nNote: be aware that you need to have the proper ASR rules enabled for this detection to work. \n",
        "displayName": "Office ASR rule triggered from browser spawned office process.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml",
        "query": "// Add your own browsers here as well. \nlet browsers = dynamic([\"iexplore.exe\", \"chrome.exe\", \"firefox.exe\", \"msedge.exe\"]);\nDeviceEvents\n| where ActionType contains \"Office\"\n| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)\n// Ignore docx, xlsx and pptx files. These don't contain macros.\n| where not(FileName endswith \".docx\" or FileName endswith \".xlsx\" or FileName endswith \".pptx\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1566.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}