Defender threat hunt .csv file failing to parse in WDAC wizard

[bldm0202]

Hi everyone, this is my first time on Github and I'm not the most technical of persons.

I am hoping someone can provide some advice about why my Defender Advanced Threat Hunt outputs are not successfully parsing in the WDAC wizard.

I have followed the threat hunt query template outlined here:
https://github.com/MicrosoftDocs/WDAC-Toolkit/blob/main/WDAC-Policy-Wizard/docs/using/advanced-hunting.md

I've ensured my .csv output has all the data fields.

However, in the WDAC wizard policy editor I am not able to parse the threat hunting events and receive an error message. At a loss as to how to troubleshoot further.

Would appreciate any advice you may have.

Many thanks!

[a-shina]

Hi @bldm0202, in my experience when I ran into this issue I was missing either of those ActionType(s): AppControlCodeIntegrityPolicyAudited or AppControlCodeIntegritySigningInformation. Make sure they are both present in your query if not already. Hope that helps!

[snodecoder]

@bldm0202, I know this is an old issue, but if your still struggling with this, use this advanced hunting query instead of the official Microsoft query.
And also see this issue.