Forum Discussion
MDE import indicators not working
Hello all,
I have an extensive list of SHA256 hash indicators I would like to bulk add to MDE through the indicators page.
However, every time I try to upload the csv file it gives me an error:
"Failed to parse CSV file. Invalid line: 2, Reason: Error in parsing field IndicatorType, value: FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE"
As you can see, even using the sample file as the imported file gives me the error (I get the same error when importing my file, respecting all the requirements).
Any solution for this?
TIA
- LouisMastelinck (Brass Contributor)
Hi rmiranda98,
I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up... So I stopped using it.
In the past I created a small script using an app registration that would iterate a CSV file with indicators and post those via the Graph API.
It's an old and basic script, but it might give you enough inspiration to make it work.
#Basic MDE TI poster script created by Louis Mastelinck
# get info from csv (the loop below expects a column named "domain")
$list = Import-Csv -Path ""

#sanitise url (defanged indicators use "[.]" in place of ".")
#$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )

#authenticate to graph (client credentials flow of the app registration)
$clientsecret = ""
$tenantID = ""
$clientid = ""
$TokenBody = @{
    client_id     = $clientid
    client_secret = $clientsecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$accesstoken = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
$accessToken = $accessToken.content | ConvertFrom-Json
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $accessToken.access_token
    'ExpiresOn'     = $accessToken.expires_in
}

foreach ($domain in $list) {
    #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
    $url = $domain.domain
    Write-Host $domain.domain
    $body = @{
        "action"             = "alert";
        "activityGroupNames" = "";
        "confidence"         = 0;
        "description"        = "Covid19 virus indicator";
        # hardcoded expiry; must be a timestamp in the future for the indicator to stay active
        "expirationDateTime" = "2020-06-01T21:00:00.5031462+00:00";
        "externalId"         = "";
        "domainName"         = $url;
        "killChain"          = "";
        "malwareFamilyNames" = "";
        "severity"           = 0;
        "tags"               = "";
        # as written the indicator is targeted at Azure Sentinel, not MDE
        "targetProduct"      = "Azure Sentinel";
        "threatType"         = "WatchList";
        "tlpLevel"           = "white"
    }
    $json = ConvertTo-Json $body
    $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators" -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'
}
You can also look at the following documentation: Submit or Update Indicator API | Microsoft Docs
Maybe this is an option for you?
Kind Regards,
Louis
- rmiranda98 (Copper Contributor)
Hello LouisMastelinck,
Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
-Download the sample file and fill it with the actual indicators/data (in this step you should convert the data into column-like fashion with the "Text to Columns" option in Excel so you can work the data easily).
-Make sure the file is in .csv format. Save it.
-Open that CSV file with Notepad++ and replace all ";" with "," and paste the data from Notepad++ into the CSV file. This converts the data from columns into comma-separated values again.
-Now, the upload/import feature works just fine.
- Cornel07 (Copper Contributor)
Sorry for reviving such an old thread, but I tried your solution and it still gives me errors when trying to import the indicators from .csv. Is there possibly another solution?
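rmiranda98's steps above amount to re-delimiting the template from ";" to ",". The following is a scripted version of that fix, added here as an example and not code from anyone in the thread: it re-emits the file with proper CSV quoting (a comma inside a title or description would otherwise shift every later column, which is exactly what a blind search-and-replace does) and flags rows with the wrong field count or a malformed SHA-256 before you upload. The column names are an assumption reconstructed from the 12 fields of the sample row quoted in the error; all rows other than that sample line are constructed.

```python
import csv
import io
import re

# Column order of the MDE indicator import template. This is an assumption
# reconstructed from the 12 fields of the sample row quoted in the thread.
COLUMNS = [
    "IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
    "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
    "MitreTechniques", "GenerateAlert",
]
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed input: row 1 is the sample row quoted in the thread; rows 2 and 3
# are made up here (one has commas inside fields, one has a malformed hash).
SAMPLE = (
    "FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;"
    "File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE\n"
    "FileSha256;" + "ab" * 32 + ";;Block;High;Dropper, stage two;Constructed example row;"
    "Isolate host, collect memory;;Execution;T1204;TRUE\n"
    "FileSha256;notahash;;Audit;Low;Bad row;;;;Discovery;;TRUE\n"
)

def convert_indicator_csv(text, src_delim=";"):
    """Re-emit a ';'-separated indicator file as comma-separated RFC 4180 CSV.

    Unlike a blind ';' -> ',' replace, csv.writer quotes fields that contain a
    comma. Rows that fail basic validation are listed in `problems` and dropped.
    Returns (csv_text, problems); line numbers in `problems` are 1-based.
    """
    problems = []
    out = io.StringIO()
    writer = csv.writer(out, delimiter=",", lineterminator="\n")
    writer.writerow(COLUMNS)
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=src_delim), 1):
        if not row or row == COLUMNS:
            continue  # blank line, or the template's own header row
        if len(row) != len(COLUMNS):
            problems.append(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(row)}")
            continue
        rec = dict(zip(COLUMNS, row))
        if rec["IndicatorType"] == "FileSha256" and not SHA256_RE.match(rec["IndicatorValue"]):
            problems.append(f"line {lineno}: IndicatorValue is not a 64-hex-digit SHA-256")
            continue
        if rec["GenerateAlert"].upper() not in ("TRUE", "FALSE"):
            problems.append(f"line {lineno}: GenerateAlert must be TRUE or FALSE")
            continue
        writer.writerow(row)
    return out.getvalue(), problems
```

Write the returned text to a .csv file and upload that one, after fixing the lines reported in `problems`.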