shinebar
Jan 08, 2020, Copper Contributor
ATP ASR - Office apps injecting into other processes blocks insertion of diagrams in Excel
We just turned the rule "Office apps injecting into other processes" to "Audit only" because our users weren't able to insert certain diagrams (e.g. bar charts) in PowerPoint, as ASR detects PowerPoint injecting code into Excel.
The rule disables many features in Office so that it isn't usable for us. Sending mails from Office applications while having Adobe Acrobat DC installed is blocked as well under certain circumstances.
Any idea how to configure this right? Is the rule activated in your organizations?
Best regards
Danny
- ambarishrh, Iron Contributor
shinebar After setting the ASR rules to audit mode, did you see the advanced hunting query and ASR detection as below?
https://security.microsoft.com/asr?viewid=exclusions
Hunting query:
MiscEvents
| where ActionType contains "asr"
| extend JsonOut = parse_json(AdditionalFields)
| sort by ActionType desc
| summarize NumberOfEvents=count() by ActionType, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine, IsAudit=tobool(JsonOut.IsAudit), RuleId=toguid(JsonOut.RuleId)
| project NumberOfEvents, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, IsAudit, RuleId

For those that are audited, you have to decide if the events should be blocked in future, or if you would like to create an exception for the specific process, or if you leave the rule in audit mode. If some rules were never triggered on the logs/detection, you can set them to block mode.
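The triage described in the reply above can be run over exported hunting results. This is an added example, not part of either post: the rows are constructed, the second rule ID is a placeholder, and the function names are hypothetical.

```python
import json
from collections import Counter

OFFICE_INJECTION = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"  # Office injection rule
UNTRIGGERED = "00000000-0000-0000-0000-000000000000"       # placeholder rule ID

# Constructed rows with the columns the hunting query reads; not real telemetry.
AUDIT = json.dumps({"IsAudit": True, "RuleId": OFFICE_INJECTION})
ROWS = [
    {"ActionType": "AsrOfficeProcessInjectionAudited", "FileName": "EXCEL.EXE",
     "InitiatingProcessCommandLine": "POWERPNT.EXE deck.pptx", "AdditionalFields": AUDIT},
    {"ActionType": "AsrOfficeProcessInjectionAudited", "FileName": "EXCEL.EXE",
     "InitiatingProcessCommandLine": "POWERPNT.EXE deck.pptx", "AdditionalFields": AUDIT},
    {"ActionType": "ConstructedNonMatchingEvent", "FileName": "x.exe",
     "InitiatingProcessCommandLine": "x.exe", "AdditionalFields": "{}"},
]

def summarize(rows):
    """Count audit events per (RuleId, initiating command line, target file)."""
    counts = Counter()
    for row in rows:
        if "asr" not in row["ActionType"].lower():   # KQL 'contains' ignores case
            continue
        extra = json.loads(row.get("AdditionalFields") or "{}")
        if str(extra.get("IsAudit")).lower() == "true":
            key = (str(extra.get("RuleId", "")).lower(),
                   row["InitiatingProcessCommandLine"], row["FileName"])
            counts[key] += 1
    return counts

def triage(rows, audited_rules):
    """Map each audited rule to ('block', []) or ('review', [(initiator, target, n)])."""
    counts = summarize(rows)
    plan = {}
    for rule in audited_rules:
        hits = sorted((cmd, target, n) for (rid, cmd, target), n in counts.items()
                      if rid == rule.lower())
        # No audit hits: candidate for block mode. Hits: decide per pair whether
        # to block, exclude the process, or keep the rule in audit mode.
        plan[rule] = ("review", hits) if hits else ("block", [])
    return plan

if __name__ == "__main__":
    for rule, (decision, pairs) in triage(ROWS, [OFFICE_INJECTION, UNTRIGGERED]).items():
        print(rule, decision, pairs)
```

A rule marked "block" only means no audit events were seen in the exported window, so the window should cover a representative period of normal Office use before switching modes.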