MicrosoftDocs / WDAC-Toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.
Creative Commons Attribution 4.0 International

Defender threat hunt .csv file failing to parse in WDAC wizard - Not Date format Issue #374

Closed carlitog closed 4 months ago

carlitog commented 4 months ago

Hello, I'm receiving the error message "The wizard could not parse any Advanced Hunting events from the CSV file(s)" when trying to parse MDE advanced hunting events to policy in the wizard.

I see there is a similar issue which is caused by the incorrect date format when exporting from Advanced Hunting. I thought this was the issue originally as the date format is different. However, I have run the PS script FixTimestam.ps1 to set the time format correctly, but I still get the same error and no events are parsed.

I'm using the latest version of the wizard 2.4.2.0. I've uploaded a sample file that is failing.

AH-Fixed.csv

Any idea why this is failing to import?

Thanks for your help.

jgeurten commented 4 months ago

Hello. There is only one event in this csv, and it is a signature event (SigningInformation a.k.a 3089). Without a corresponding audit or block event, the Wizard is correctly not finding any events to display.

Can you share an example with more events?

carlitog commented 4 months ago

Hello, thanks for getting back to me.

I've had another look at the file and extracted a group of audit events and have attached the sample file. Are these the correct events?

AHQ-Fixed-Audit.csv

jgeurten commented 4 months ago

Hi @carlitog, I found the issue with the events. Your policy ID (Apr 23, 2024 10:00:00 AM) contains a comma, and is interestingly not wrapped in quotes like I would expect ("Apr 23, 2024 10:00:00 AM"). The parsing engine splits this into 2 distinct fields, producing more than the expected number of fields and causing the parsing failure.

There are 3 workarounds you can follow:

  1. Remove the comma in the policy ID in the csv
  2. Add quotes around the policy ID containing the comma in the csv
  3. Update the policy ID in the policy to remove the comma

I have never seen examples where fields with commas are not present, so I think I will defer a code change here.
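As an added example (not code from the WDAC Wizard, the toolkit, or anyone in this thread), the Python script below reproduces the failure described above and applies workarounds 1 and 2 to a CSV before it is handed to the Wizard. It uses Python's quote-aware `csv` module as a stand-in for the Wizard's parser, since the Wizard evidently honours quoted fields but chokes on a bare comma. The column names, the sample rows and the `Mon DD, YYYY hh:mm:ss AM` date pattern it searches for are assumptions built from the single value quoted in the comment; a real Advanced Hunting export has many more columns. Because the fix is pattern-based rather than column-based, it also catches a comma-bearing date in any column, which matters when an export carries more than one date field.

```python
"""Detect and repair bare (unquoted) comma-bearing dates in an Advanced Hunting
CSV export.  Added example; not part of the WDAC Wizard or this issue."""
import csv
import io
import re

# Constructed sample rows (not the issue's attachment).  Row 2 has the policy
# name properly quoted; row 3 carries the bare "Apr 23, 2024 10:00:00 AM" the
# maintainer describes.  Column names are assumed for illustration.
SAMPLE_CSV = (
    "Timestamp,DeviceName,ActionType,FileName,PolicyName\n"
    '2024-04-23T10:00:00Z,host1,AppControlCodeIntegrityPolicyAudited,app.exe,"Apr 23, 2024 10:00:00 AM"\n'
    "2024-04-23T10:01:00Z,host2,AppControlCodeIntegrityPolicyAudited,tool.exe,Apr 23, 2024 10:00:00 AM\n"
)

# Assumed value shape taken from the comment above: "Apr 23, 2024 10:00:00 AM".
# Widen this if your export contains other comma-bearing fields.
DATE_WITH_COMMA = re.compile(r"[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M")


def overflowing_rows(text):
    """Parse with a quote-aware CSV reader and return the 1-based line numbers
    of data rows whose field count differs from the header's.  These are the
    rows a parser like the Wizard's rejects."""
    rows = list(csv.reader(io.StringIO(text)))
    width = len(rows[0])
    return [i + 1 for i, row in enumerate(rows) if i > 0 and len(row) != width]


def _quote_if_bare(m):
    """Wrap the matched date in double quotes unless it is already quoted."""
    line, s, e = m.string, m.start(), m.end()
    already = s > 0 and line[s - 1] == '"' and e < len(line) and line[e] == '"'
    return m.group(0) if already else '"' + m.group(0) + '"'


def _strip_comma(m):
    """Workaround 1: drop the comma from the date so no quoting is needed."""
    return m.group(0).replace(",", "")


def fix_bare_dates(text, strip=False):
    """Rewrite every line so a comma-bearing date can no longer split a field.
    strip=False applies workaround 2 (quote it); strip=True applies
    workaround 1 (remove the comma)."""
    repl = _strip_comma if strip else _quote_if_bare
    return "\n".join(DATE_WITH_COMMA.sub(repl, ln) for ln in text.splitlines()) + "\n"


def normalise(text, strip=False):
    """Repair the text, re-parse it, and re-emit it through csv.writer so every
    field that still contains a comma is quoted consistently.
    Returns (fixed_csv_text, parsed_rows)."""
    fixed = fix_bare_dates(text, strip=strip)
    rows = list(csv.reader(io.StringIO(fixed)))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue(), rows


if __name__ == "__main__":
    print("rows the Wizard would reject:", overflowing_rows(SAMPLE_CSV))
    fixed_text, _ = normalise(SAMPLE_CSV)
    print("after repair:", overflowing_rows(fixed_text))
    print(fixed_text)
```

Run `overflowing_rows` on the export first; an empty list means the field counts are consistent and the remaining suspect is the timestamp format itself, which this script deliberately does not touch.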

carlitog commented 4 months ago

Thank you for the explanation.

It was the date issue all along - I just didn't realize there are 2 date columns in the extract. Only one of them had been updated to the correct format.

I have now updated both fields to the correct format and the wizard now recognizes the csv.

Thanks!