MDE Attack Surface Reduction rules question
Hi,
I started to investigate audit events from MDE ASR. I get some events regarding the rule "Block Office applications from injecting code into other processes".
Now, I executed the following query in AH:
DeviceEvents
| where ActionType == "AsrOfficeProcessInjectionAudited"
The problem I have now is that, when looking at the event, it doesn't really tell me much...
It tells me the timestamp, FileName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine and InitiatingProcessParentId. HOWEVER, for this parent PID, initiating ProcessId, device, source app, file, etc. I've got over 250 events!
So, is the ASR event related to the most recent preceding event?
Or am I supposed now to investigate through all 250 events and try to figure out what could have triggered this? I might have a guess that this might be due to a Power Query add-in that uses a container environment to execute queries and transformations. I could imagine that Excel is injecting code into that "container", triggering this alert.
But really, I was thinking that the alert would provide much more of a clue, rather than giving an alert and leaving the identification to me (although the rule triggered based on something). That's just ridiculous IMO.
Another event is even more cryptic to me. It reports the source app as OneNote.exe and the detected file as Outlook.exe, and from what it seems the only event that I could think of triggering this is where an email embedded in OneNote is being opened, but IMO that's just so ridiculous that idk. What am I supposed to add to an exclusion in this case? OneNote? Outlook? What sense does the report or running this in audit mode provide when it can't even point exactly to the particular event that triggered the rule? That's just breaking my brain.
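As an added example, not part of the original post: an Advanced Hunting query that collapses the audited ASR events into source/target pairs and joins each one to the process-creation record of the initiating (source) process, so the full command line, parent and account of the Office process sit next to the ASR hit instead of having to be dug out of 250 rows by hand. It assumes the standard DeviceEvents and DeviceProcessEvents schema columns; the 7-day lookback is a placeholder, and the reading of FileName as the target process and InitiatingProcessFileName as the source app follows the columns listed in the post.

```kql
// Added example query (not from the original post). Assumes the standard
// Advanced Hunting schema; the lookback window is a placeholder.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AsrOfficeProcessInjectionAudited"
| project AsrTime = Timestamp, DeviceId, DeviceName, ReportId,
          TargetFile = FileName, TargetFolder = FolderPath,
          SourceFile = InitiatingProcessFileName,
          SourcePid = InitiatingProcessId,
          SourceCmd = InitiatingProcessCommandLine,
          SourceParentPid = InitiatingProcessParentId,
          SourceParentFile = InitiatingProcessParentFileName
// Pull the process-creation record of the source process on the same device.
// PIDs are reused, so the creation must precede the ASR event; the arg_max
// below keeps the most recent creation that satisfies that.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, SourcePid = ProcessId,
              SourceCreated = ProcessCreationTime,
              SourceFullCmd = ProcessCommandLine,
              SourceParentFromProc = InitiatingProcessFileName,
              SourceParentCmd = InitiatingProcessCommandLine,
              SourceAccount = AccountName
  ) on DeviceId, SourcePid
| where isnull(SourceCreated) or SourceCreated <= AsrTime
| extend CreatedOrEpoch = coalesce(SourceCreated, datetime(1970-01-01))
| summarize arg_max(CreatedOrEpoch, *) by DeviceId, ReportId, AsrTime
// Collapse the 250 rows into distinct source/target pairs with a sample of
// the context needed to decide what (if anything) to exclude.
| summarize Hits = count(),
            FirstSeen = min(AsrTime), LastSeen = max(AsrTime),
            Devices = dcount(DeviceId),
            SampleSourceCmd = any(SourceFullCmd),
            SampleSourceParent = any(SourceParentFromProc),
            SampleSourceParentCmd = any(SourceParentCmd),
            SampleTargetFolder = any(TargetFolder),
            SampleAccount = any(SourceAccount)
    by SourceFile, TargetFile
| order by Hits desc
```

The first summarize deduplicates the join so each ASR event is matched to exactly one process-creation record (or none, if the creation fell outside the lookback). The second one answers the "250 events" question directly: how many distinct source/target pairs there are, how often each fires, on how many devices, and what the initiating Office process's command line and parent looked like when it did. Replace `any()` with `make_set()` on the command-line columns if you want to see every variant rather than one sample.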