
Bug: Date and Time not being accepted [USA / UK Date Format]

Open Tularis1 opened this issue 6 months ago • 3 comments

What happened?

I want to run Hawk between "11th of March 2025" and "9th of June 2025" but I always seem to get the error;

Write-ErrorMessage : ||Audit log search argument startDate (03/11/2025 00:00:00) is later than endDate (06/10/2025 00:00:00).

I am in the UK and my PC is set to use the UK Locale.

[Using the USA Date Format MM/DD/YYYY]

Start-HawkTenantInvestigation -StartDate "03/11/2025" -EndDate "06/09/2025" -FilePath "C:\Investigation" -SkipUpdate

[2025-06-09 16:40:28Z] - [ACTION] - Running Unified Audit Log Search
Write-ErrorMessage : ||Audit log search argument startDate (03/11/2025 00:00:00) is later than endDate (06/10/2025 00:00:00).
At C:\Users\PeterHopkins\AppData\Local\Temp\tmpEXO_cf3k5qyq.11f\tmpEXO_cf3k5qyq.11f.psm1:1189 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Search-UnifiedAuditLog], ArgumentException
    + FullyQualifiedErrorId : [Server=LNXP265MB1081,RequestId=4a062ed6-a9e6-5968-5f7d-8a21f3a8581c,TimeStamp=Mon, 09 Jun 2025 16:40:28 GMT],Write-ErrorMessage

[Using the UK Date Format DD/MM/YYYY]

Start-HawkTenantInvestigation -StartDate "11/03/2025" -EndDate "09/06/2025" -FilePath "C:\Investigation" -SkipUpdate

EndDate cannot be more than one day in the future

Even if I run with the -DaysToLookBack 30 command

Start-HawkTenantInvestigation -DaysToLookBack 30 -FilePath "C:\Hawk"

[2025-06-09 16:42:37Z] - [ACTION] - Running Unified Audit Log Search
Write-ErrorMessage : ||Audit log search argument startDate (03/11/2025 00:00:00) is later than endDate (06/10/2025 00:00:00).
At C:\Users\PeterHopkins\AppData\Local\Temp\tmpEXO_cf3k5qyq.11f\tmpEXO_cf3k5qyq.11f.psm1:1189 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Search-UnifiedAuditLog], ArgumentException
    + FullyQualifiedErrorId : [Server=LNXP265MB1081,RequestId=43bad51a-406e-715c-744a-c97bbe051ec1,TimeStamp=Mon, 09 Jun 2025 16:42:36 GMT],Write-ErrorMessage

Steps to Reproduce

Set PC to UK Date and Time Locale
Run Start-HawkTenantInvestigation -DaysToLookBack 30 -FilePath "C:\Hawk"

Hawk Version

4.0

Technical Analysis

No response

Implementation Plan

No response

Acceptance Criteria

No response

Tularis1 avatar Jun 09 '25 16:06 Tularis1

I'm having the same issue with the date on my machine and nothing I change seems to fix it. Can you guys please assist?

[2025-07-04 18:03:10Z] - [ACTION] - Running Unified Audit Log Search
Write-ErrorMessage : Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "06/29/2025" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '06/29/2025' was not recognized as a valid DateTime."
At C:\Users\Mo\AppData\Local\Temp\tmpEXO_zodhubq4.0zv\tmpEXO_zodhubq4.0zv.psm1:1189 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Search-UnifiedAuditLog], ParameterTransformationException
    + FullyQualifiedErrorId : [Server=AM8P193MB0899,RequestId=a07d37e7-569a-4528-a24f-389bfa6a9525,TimeStamp=Fri, 04 Jul 2025 18:03:10 GMT],Write-ErrorMessage

mebrahim7 avatar Jul 04 '25 18:07 mebrahim7

Sorry, I haven't been able to figure out how to replicate this due to being in the US. Will continue to see how to fix this.

T0pCyber avatar Jul 16 '25 19:07 T0pCyber

Perhaps we could use the ISO 8601 format for dates, that is YYYY-MM-DD?

Or if you need to debug it you could run a Win11 Hyper-V set to EN-GB (UK) for the DD/MM/YYYY Date, as I'm doing the reverse as a workaround.

Tularis1 avatar Jul 24 '25 09:07 Tularis1
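
The ambiguity behind the ISO 8601 suggestion above, shown with the date strings from this thread. This is an added example, not part of the issue and not Hawk's code; `ConvertTo-InvestigationDate` is a hypothetical helper name, and the script only parses and formats dates locally without calling Hawk or Exchange Online.

```powershell
# Added example: culture-dependent handling of the date strings quoted in this issue.
$enUS = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
$enGB = [System.Globalization.CultureInfo]::GetCultureInfo('en-GB')
$inv  = [System.Globalization.CultureInfo]::InvariantCulture
$none = [System.Globalization.DateTimeStyles]::None

# 1. The same slash-separated text is a different calendar day under each culture.
foreach ($text in '03/11/2025', '06/09/2025') {
    $us = [datetime]::Parse($text, $enUS).ToString('yyyy-MM-dd', $inv)
    $gb = [datetime]::Parse($text, $enGB).ToString('yyyy-MM-dd', $inv)
    "$text  parsed as en-US: $us   parsed as en-GB: $gb"
}

# 2. With a day above 12 the text is not silently swapped; one culture rejects it outright.
$probe = [datetime]::MinValue
foreach ($c in $enUS, $enGB) {
    $ok = [datetime]::TryParse('06/29/2025', $c, $none, [ref]$probe)
    "06/29/2025 accepted by $($c.Name): $ok"
}

# 3. Hypothetical helper: accept only ISO 8601 calendar dates, parsed without
#    reference to the session culture, and fail loudly on anything else.
function ConvertTo-InvestigationDate {
    param([Parameter(Mandatory)][string]$Text)
    $result = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact(
        $Text, 'yyyy-MM-dd',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None,
        [ref]$result)
    if (-not $parsed) { throw "Date '$Text' must be written as yyyy-MM-dd." }
    $result
}

$start = ConvertTo-InvestigationDate '2025-03-11'
$end   = ConvertTo-InvestigationDate '2025-06-09'
if ($start -ge $end) { throw 'StartDate must be earlier than EndDate.' }

# 4. Turning the DateTime back into text is culture-dependent again unless the
#    format and culture are both pinned.
foreach ($c in $enUS, $enGB) {
    $short = $start.ToString('d', $c)
    $iso   = $start.ToString('yyyy-MM-dd', $inv)
    "$($c.Name) short date: $short   pinned ISO 8601: $iso"
}
```

For an investigation, a silently swapped day and month shifts the audit-log window rather than failing, so the search can return records for the wrong period without any error.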