Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Office ASR rule triggered from browser spawned office process

Back
Id30580043-2451-4d35-b49f-065728529f4a
RulenameOffice ASR rule triggered from browser spawned office process.
DescriptionThe attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules.

This detection looks for Office ASR violations triggered by an Office document opened from a browser.

Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
SeverityMedium
TacticsInitialAccess
TechniquesT1566.002
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
Version1.0.1
Arm template30580043-2451-4d35-b49f-065728529f4a.json
Deploy To Azure
// Add your own browsers here as well. 
let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
DeviceEvents
| where ActionType contains "Office"
| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
// Ignore docx, xlsx and pptx files. These don't contain macros.
| where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")
status: Available
description: |
  The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. 
  This detection looks for Office ASR violations triggered by an Office document opened from a browser.
  Note: be aware that you need to have the proper ASR rules enabled for this detection to work.   
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryPeriod: 5m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
triggerOperator: gt
id: 30580043-2451-4d35-b49f-065728529f4a
name: Office ASR rule triggered from browser spawned office process.
query: |
  // Add your own browsers here as well. 
  let browsers = dynamic(["iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"]);
  DeviceEvents
  | where ActionType contains "Office"
  | where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)
  // Ignore docx, xlsx and pptx files. These don't contain macros.
  | where not(FileName endswith ".docx" or FileName endswith ".xlsx" or FileName endswith ".pptx")  
tactics:
- InitialAccess
queryFrequency: 5m
relevantTechniques:
- T1566.002
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30580043-2451-4d35-b49f-065728529f4a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30580043-2451-4d35-b49f-065728529f4a')]",
      "properties": {
        "alertRuleTemplateName": "30580043-2451-4d35-b49f-065728529f4a",
        "customDetails": null,
        "description": "The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. \nThis detection looks for Office ASR violations triggered by an Office document opened from a browser.\nNote: be aware that you need to have the proper ASR rules enabled for this detection to work. \n",
        "displayName": "Office ASR rule triggered from browser spawned office process.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OfficeASRFromBrowser.yaml",
        "query": "// Add your own browsers here as well. \nlet browsers = dynamic([\"iexplore.exe\", \"chrome.exe\", \"firefox.exe\", \"msedge.exe\"]);\nDeviceEvents\n| where ActionType contains \"Office\"\n| where InitiatingProcessFileName in~ (browsers) or InitiatingProcessParentFileName in~ (browsers)\n// Ignore docx, xlsx and pptx files. These don't contain macros.\n| where not(FileName endswith \".docx\" or FileName endswith \".xlsx\" or FileName endswith \".pptx\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}