From 83b5e89dba761cca86b0d71a7ab2034edb6bbf20 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 2 Feb 2023 11:07:15 -0500 Subject: [PATCH] Update wdac-wizard-parsing-event-logs.md For acrolinx --- .../wdac-wizard-parsing-event-logs.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md index 2f85fde6eb..add695d5a0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md @@ -54,7 +54,7 @@ To create rules from the WDAC event logs on the system: ## WDAC Event Log File Parsing -To create rules from the WDAC .EVTX event logs files on the system: +To create rules from the WDAC `.EVTX` event logs files on the system: 1. Select **Policy Editor** from the WDAC Wizard main page. 2. Select **Convert Event Log to a WDAC Policy**. @@ -108,7 +108,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](querying-applicat 5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. 6. Select the .CSV WDAC MDE Advanced Hunting export files from the disk to parse. - The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You will see a notification when the Wizard successfully finishes reading the events. + The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events. > [!div class="mx-imgBorder"] > ![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png) 
@@ -116,7 +116,6 @@ To create rules from the WDAC events in [MDE Advanced Hunting](querying-applicat 7. Select the Next button to navigate to the table of software to view the audit and block events and create rules from. 8. [Generate rules from the events](#creating-policy-rules-from-the-events). - ## Creating Policy Rules from the Events On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers.
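Review bot: In the first hunk (@@ -54,7), the changed sentence still reads "event logs files" after the `.EVTX` formatting fix. Since the line is already being touched, change it to "event log files", which also matches the "WDAC Event Log File Parsing" heading directly above it.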
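Review bot: In the second hunk (@@ -108,7), step 6 in the context still shows ".CSV" as plain text, while the first hunk of this same patch wraps `.EVTX` in backticks. Format it as `.CSV` so file extensions are styled the same way throughout the page.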
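Review bot: In the third hunk (@@ -116,7), step 7 reads "Select the Next button" with no bold on the UI label, unlike **Policy Editor** and **Parse Log File(s)** elsewhere in the patch context; bold **Next** for consistency. The paragraph under "Creating Policy Rules from the Events" also has "Event Ids", which should be "Event IDs".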