shinebar
Jan 08, 2020 (Copper Contributor)
ATP ASR - Office apps injecting into other processes blocks insertion of diagrams in Excel
We just turned the rule "Office apps injecting into other processes" to "Audit only" because our users weren't able to insert certain diagrams (e.g. bar charts) in PowerPoint, as ASR detects PowerPoin...
ambarishrh
May 18, 2020 (Iron Contributor)
shinebar After setting the ASR rules to audit mode, did you see the advanced hunting query and ASR detection as below?
https://security.microsoft.com/asr?viewid=exclusions
Hunting query:
MiscEvents
| where ActionType contains "asr"
| extend JsonOut = parse_json(AdditionalFields)
| sort by ActionType desc
| summarize NumberOfEvents=count() by ActionType,
    FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine,
    IsAudit=tobool(JsonOut.IsAudit), RuleId=toguid(JsonOut.RuleId)
| project NumberOfEvents, ActionType,
    FileName, FolderPath, InitiatingProcessCommandLine, IsAudit, RuleId
For those that are audited, you have to decide whether the events should be blocked in future, whether you would like to create an exception for the specific process, or whether you leave the rule in audit mode. If some rules were never triggered in the logs/detection, you can set them to block mode.
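Added example, not part of the thread and not Microsoft's code: a Python script that applies the triage described in the reply above to a CSV export of the hunting query. Rules with no audit events become block-mode candidates, and rules with hits are listed by initiating process for review. The rule list, the sample rows and the names triage, AUDITED_RULES and SAMPLE_EXPORT are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Rules currently in audit mode (assumption: you maintain this list yourself).
# GUIDs are taken from Microsoft's ASR rule reference.
AUDITED_RULES = {
    "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84": "Office apps injecting into other processes",
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Office apps creating child processes",
}

# Constructed sample of the hunting query's CSV export (not real telemetry).
SAMPLE_EXPORT = r"""
NumberOfEvents,ActionType,FileName,FolderPath,InitiatingProcessCommandLine,IsAudit,RuleId
14,AsrOfficeProcessInjectionAudited,helper.exe,C:\Apps\Charts,POWERPNT.EXE,True,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
3,AsrOfficeProcessInjectionAudited,helper.exe,C:\Apps\Charts,EXCEL.EXE,true,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
2,AsrOfficeProcessInjectionBlocked,other.exe,C:\Temp,WINWORD.EXE,False,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
"""


def triage(export_csv, audited_rules):
    """Return {rule_id: {"decision", "events", "sources"}} for each audited rule."""
    hits = {rule_id.lower(): Counter() for rule_id in audited_rules}
    for row in csv.DictReader(io.StringIO(export_csv.strip())):
        rule_id = row["RuleId"].strip().lower()
        if row["IsAudit"].strip().lower() != "true" or rule_id not in hits:
            continue  # keep only audit-mode events for rules under evaluation
        source = (row["InitiatingProcessCommandLine"], row["FileName"])
        hits[rule_id][source] += int(row["NumberOfEvents"])

    report = {}
    for rule_id, sources in hits.items():
        total = sum(sources.values())
        report[rule_id] = {
            # Never triggered while audited: candidate for block mode.
            # Triggered: someone decides between block, exclusion, or staying in audit.
            "decision": "block-candidate" if total == 0 else "review",
            "events": total,
            "sources": sources.most_common(),
        }
    return report


if __name__ == "__main__":
    for rule_id, entry in triage(SAMPLE_EXPORT, AUDITED_RULES).items():
        print(f"{AUDITED_RULES[rule_id]}: {entry['decision']} ({entry['events']} audit events)")
        for (initiator, target), count in entry["sources"]:
            print(f"    {count:>4}  {initiator} -> {target}")
```

A rule marked "review" is not automatically an exclusion candidate; the per-process counts only show which initiating applications would be affected if the rule were switched to block.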