Microsoft Sentinel Analytic Rules

Office ASR rule triggered from browser spawned office process

Id: 30580043-2451-4d35-b49f-065728529f4a
Rulename: Office ASR rule triggered from browser spawned office process.
Description: The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user with a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules.
This detection looks for Office ASR violations triggered by an Office document opened from a browser.
Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
Severity: Medium
Tactics: InitialAccess
Techniques: T1566.002
Required data connectors: MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
Version: 1.0.0
Arm template: 30580043-2451-4d35-b49f-065728529f4a.json
// Add your own browsers here as well. 
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
DeviceEvents
| where ActionType contains "Office"
| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
// Ignore docx, xlsx and pptx files. These don't contain macros.
| where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")
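To see exactly which events the query admits and which it drops, the following is an added Python emulation of its three filters run over constructed DeviceEvents rows. It is example code, not part of the FalconFriday rule or the Azure-Sentinel repository: the DeviceEvent dataclass is a hand-picked subset of the DeviceEvents columns the query reads, the sample rows are constructed, and the ActionType strings are assumed to follow the AsrOffice* naming. KQL `in~`, `contains` and `endswith` are all case-insensitive, which the emulation preserves.

```python
"""Offline emulation of the KQL filters in the 'Office ASR rule triggered from
browser spawned office process' detection (added example, not repository code)."""
from dataclasses import dataclass
from typing import Iterable, List

# Same list as the KQL `browsers` dynamic array; extend it for other browsers.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Formats the query excludes because they cannot carry VBA macros.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


@dataclass
class DeviceEvent:
    """Subset of DeviceEvents columns used by the query (assumed subset, not the full schema)."""
    ActionType: str
    FileName: str
    InitiatingProcessFileName: str
    InitiatingProcessParentFileName: str
    DeviceName: str = ""
    AccountName: str = ""


def is_browser(process_name: str) -> bool:
    # KQL `in~` compares case-insensitively, so normalise before the set lookup.
    return process_name.lower() in BROWSERS


def matches_rule(ev: DeviceEvent) -> bool:
    """Return True when the event would survive every `where` clause of the query."""
    # `ActionType contains "Office"` is a case-insensitive substring test.
    if "office" not in ev.ActionType.lower():
        return False
    # Office launched by a browser, or one hop below a browser (browser -> helper -> Office).
    if not (is_browser(ev.InitiatingProcessFileName)
            or is_browser(ev.InitiatingProcessParentFileName)):
        return False
    # `endswith` is case-insensitive too: report.DOCX is excluded like report.docx.
    if ev.FileName.lower().endswith(MACRO_FREE_EXTENSIONS):
        return False
    return True


def run_detection(events: Iterable[DeviceEvent]) -> List[DeviceEvent]:
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample rows; ActionType values assumed to follow the AsrOffice* naming.
SAMPLE_EVENTS = [
    # Macro-enabled document opened from Chrome: expected to match.
    DeviceEvent("AsrOfficeMacroWin32ApiCallsBlocked", "invoice.docm",
                "WINWORD.EXE", "chrome.exe", "WS01", "alice"),
    # .docx from Edge: dropped by the macro-free extension filter.
    DeviceEvent("AsrOfficeChildProcessBlocked", "report.docx",
                "WINWORD.EXE", "msedge.exe", "WS01", "alice"),
    # Upper-case parent name and extension: still matches because KQL operators ignore case.
    DeviceEvent("AsrOfficeChildProcessBlocked", "Q3.XLSM",
                "EXCEL.EXE", "FIREFOX.EXE", "WS02", "bob"),
    # Same ASR violation, but the document came from Outlook, not a browser: out of scope.
    DeviceEvent("AsrOfficeMacroWin32ApiCallsBlocked", "attachment.docm",
                "WINWORD.EXE", "outlook.exe", "WS03", "carol"),
    # Browser-spawned Office, but the ActionType is not an Office ASR event: dropped.
    DeviceEvent("AntivirusDetection", "payload.docm",
                "WINWORD.EXE", "chrome.exe", "WS01", "alice"),
]


def flagged_files(events: Iterable[DeviceEvent] = SAMPLE_EVENTS) -> List[str]:
    """File names of the events the rule would raise an alert for."""
    return [ev.FileName for ev in run_detection(events)]


if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print(f"{ev.DeviceName} {ev.AccountName} {ev.ActionType} {ev.FileName} "
              f"(parent: {ev.InitiatingProcessParentFileName})")
```

Two points the walk-through makes visible: the rule covers only the browser-download path, so the same ASR violation from a mailed attachment (the Outlook row) is not this rule's concern and needs a separate detection, and the `contains "Office"` clause is deliberately broad, so any new ASR action type whose name includes "Office" is picked up without editing the query.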
queryFrequency: 5m
triggerThreshold: 0
name: Office ASR rule triggered from browser spawned office process.
version: 1.0.0
id: 30580043-2451-4d35-b49f-065728529f4a
status: Available
tactics:
- InitialAccess
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
queryPeriod: 5m
description: |
  The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually 
  presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. 
  This detection looks for Office ASR violations triggered by an Office document opened from a browser.
  Note: be aware that you need to have the proper ASR rules enabled for this detection to work.   
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |
  // Add your own browsers here as well. 
  let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
  DeviceEvents
  | where ActionType contains "Office"
  | where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
  // Ignore docx, xlsx and pptx files. These don't contain macros.
  | where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
triggerOperator: gt
relevantTechniques:
- T1566.002
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30580043-2451-4d35-b49f-065728529f4a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30580043-2451-4d35-b49f-065728529f4a')]",
      "properties": {
        "alertRuleTemplateName": "30580043-2451-4d35-b49f-065728529f4a",
        "customDetails": null,
        "description": "The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually \npresents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. \nThis detection looks for Office ASR violations triggered by an Office document opened from a browser.\nNote: be aware that you need to have the proper ASR rules enabled for this detection to work. \n",
        "displayName": "Office ASR rule triggered from browser spawned office process.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml",
        "query": "// Add your own browsers here as well. \nlet browsers = dynamic([\"iexplore.exe\", \"chrome.exe\", \"firefox.exe\", \"msedge.exe\"]);\nDeviceEvents\n| where ActionType contains \"Office\"\n| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)\n// Ignore docx, xlsx and pptx files. These don't contain macros.\n| where not(FileName endswith \".docx\" or FileName endswith \".xlsx\" or FileName endswith \".pptx\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}