From f04f33d8cd2100ec51037500099e98675dca6fbc Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 12 Jan 2024 17:31:46 -0500 Subject: [PATCH] Drive-by update of the MDE AH query for the WDAC Wizard --- .../design/wdac-wizard-parsing-event-logs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md index 6710d78572..fee227057a 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md @@ -57,7 +57,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que 1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: ```KQL - | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName + | project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName ``` The following Advanced Hunting query is recommended: 
@@ -76,7 +76,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que | extend PolicyId = parsejson(AdditionalFields).PolicyID | extend PolicyName = parsejson(AdditionalFields).PolicyName // Keep only required fields for the WDAC Wizard - | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName + | project-keep Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName ``` 2. Export the WDAC event results by selecting the **Export** button in the results view.
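Review bot: In the first hunk (the `@@ -57,7 +57,7 @@` region, the required-fields snippet), swapping `project` for `project-keep` silently changes the column order of the CSV export: `project` emits columns in the order listed, while `project-keep` retains the table's original column order and only drops the unlisted ones. The surrounding text says "The Wizard requires the following fields", so please confirm in the sentence above the snippet that the Wizard matches columns by header name rather than by position; otherwise the reordered export could break parsing even though the same fields are present. A one-line rationale for the operator change would also help, since the commit message only calls it a "drive-by update".

Review bot: In the second hunk (the `@@ -76,7 +76,7 @@` region, the recommended query), the change is consistent with the `// Keep only required fields for the WDAC Wizard` comment, which is good, but the column list here uses `Timestamp,DeviceId,...` with no spaces while the required-fields snippet in the first hunk uses `Timestamp, DeviceId, ...`; as these two lists are meant to be identical and readers will copy one or the other, consider formatting both the same way so a diff between them shows only real differences. Note also that `PolicyId` and `PolicyName` come from the `extend ... = parsejson(AdditionalFields)...` lines immediately above and are dynamic-typed; `project-keep` passes them through unchanged, so if the Wizard expects plain strings in the CSV, a `tostring()` in those `extend` lines would be the place to add it.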