
rmiranda98
Copper Contributor
Mar 02, 2022

MDE import indicators not working

Hello all, 

 

I have an extensive list of SHA256 hash indicators that I would like to bulk add to MDE through the indicators page.

However, every time I try to upload the CSV file it gives me an error:

 

"Failed to parse CSV file. Invalid line: 2, Reason: Error in parsing field IndicatorType, value: FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE"

As you can see, even using the sample file as the imported file gives me the error (I get the same error when importing my own file, which respects all the requirements).

 

Any solution for this?

 

TIA

  • Hi rmiranda98 

    I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up... So I stopped using it.

    In the past I created a small script using an app registration that would iterate over a CSV file with indicators and post those via the Graph API.

    It's an old and basic script, but it might give you enough inspiration to make it work.

    #Basic MDE TI poster script created by Louis Mastelinck
    # Reads a CSV with a column named "domain" and posts every row as a domain
    # indicator to the Microsoft Graph Security tiIndicators endpoint (beta).
    # Note: targetProduct is hard-coded to "Azure Sentinel" further down.

    # get info from csv
    $list = Import-Csv -Path ""
    
    #sanitise url
    #$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )
    
    #authenticate to graph with an app registration (client credentials flow;
    #the app needs the ThreatIndicators.ReadWrite.OwnedBy application permission)
    $clientsecret = ""
    $tenantID = ""
    $clientid = ""
    
    $TokenBody=@{
        client_id=$clientid
        client_secret=$clientsecret
        scope="https://graph.microsoft.com/.default"
        grant_type="client_credentials"
    }
    
    $tokenResponse = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
    $accessToken = $tokenResponse.Content | ConvertFrom-Json
    
    # Only the Authorization header is needed here; Content-Type is set by the
    # -ContentType parameter on the POST, and an "ExpiresOn" header is not a
    # real HTTP header (Graph ignores it).
    $authHeader = @{
        'Authorization'="Bearer " + $accessToken.access_token
    }
    
    # Indicators must expire in the future; a fixed date in the past would
    # make every indicator expire on arrival. 30 days from now, ISO 8601 UTC.
    $expiration = (Get-Date).ToUniversalTime().AddDays(30).ToString("o")
    
    foreach ($domain in $list){
        #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
        $url = $domain.domain
        Write-Host $domain.domain
        
        # activityGroupNames, killChain, malwareFamilyNames and tags are string
        # collections in the tiIndicators schema, so send empty arrays, not "".
        $body = @{
              "action"= "alert";
              "activityGroupNames"= @();
              "confidence"= 0;
              "description"= "Covid19 virus indicator";
              "expirationDateTime"= $expiration;
              "externalId"= "";
              "domainName"= $url;
              "killChain"= @();
              "malwareFamilyNames"= @();
              "severity"= 0;
              "tags"= @();
              "targetProduct"= "Azure Sentinel"; 
              "threatType"= "WatchList";
              "tlpLevel"= "white"
            }
        $json = ConvertTo-Json $body
        try {
            $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators"  -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'
            Write-Host "  -> HTTP $($post.StatusCode)"
        } catch {
            # keep going with the next row instead of aborting the whole batch
            Write-Warning "Failed to post $url : $($_.Exception.Message)"
        }
    
    }
    
    

     

    You can also look at the following documentation: Submit or Update Indicator API | Microsoft Docs

    Maybe this is an option for you? 

    Kind Regards

    Louis
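The "Submit or Update Indicator API" linked above is the Defender for Endpoint indicators endpoint on api.securitycenter.microsoft.com, while the script posts to the Graph tiIndicators endpoint. The following is an added example and not part of the original reply: it takes rows in the layout of the MDE import CSV (the field order of the sample line quoted in the error message; only the IndicatorType column name is confirmed by the thread, the other header names are assumed from the MDE sample file) and submits each one as a FileSha256 indicator to the MDE API with the same client-credentials token flow. The tenant, app registration, CSV path and the `Ti.ReadWrite.All` WindowsDefenderATP application permission are assumptions; the sample row is constructed from the line in the error message, and `$DryRun` defaults to printing the request bodies so the script runs without a tenant.

```powershell
# Added example, not from the thread: submit FileSha256 indicators to the
# Defender for Endpoint "Submit or Update Indicator" API
# (POST https://api.securitycenter.microsoft.com/api/indicators) with an
# app-only token. Assumed: an app registration granted the WindowsDefenderATP
# Ti.ReadWrite.All application permission, and the column names of the MDE
# import sample file (only IndicatorType is visible in the thread's error).
$tenantId     = '<tenant-id>'
$clientId     = '<app-client-id>'
$clientSecret = '<client-secret>'
$csvPath      = '<indicators.csv>'
$DryRun       = $true   # $true prints the request bodies; $false actually posts

function Get-MdeToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function ConvertTo-MdeIndicator {
    # Map one import-CSV row onto the request body of the indicators API.
    param([psobject]$Row)
    if ($Row.IndicatorValue -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Not a SHA-256 value: '$($Row.IndicatorValue)'"
    }
    # The import sample leaves ExpirationTime empty; the API wants ISO 8601 UTC.
    $expiry = $Row.ExpirationTime
    if (-not $expiry) { $expiry = (Get-Date).ToUniversalTime().AddDays(90).ToString('yyyy-MM-ddTHH:mm:ssZ') }
    return @{
        indicatorValue     = $Row.IndicatorValue.ToLower()
        indicatorType      = 'FileSha256'
        title              = $Row.Title
        description        = $Row.Description
        recommendedActions = $Row.RecommendedActions
        action             = $Row.Action      # Alert, Warn, Block, Audit, BlockAndRemediate, AlertAndBlock, Allowed
        severity           = $Row.Severity    # Informational, Low, Medium, High
        expirationTime     = $expiry
        generateAlert      = ($Row.GenerateAlert -eq 'TRUE')
        application        = 'CSV bulk import'   # free-text source label (assumed)
    }
}

# Constructed sample row mirroring the sample line quoted in the error message.
$sampleRows = @([pscustomobject]@{
    IndicatorType = 'FileSha256'
    IndicatorValue = 'deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689'
    ExpirationTime = ''; Action = 'Audit'; Severity = 'Low'
    Title = 'File SHA256 custom TI example'; Description = 'Red Team Activity'
    RecommendedActions = 'Recommended actions should be here'; RbacGroups = ''
    Category = 'Discovery'; MitreTechniques = 'T1046'; GenerateAlert = 'TRUE'
})
$rows = if (Test-Path -LiteralPath $csvPath) { Import-Csv -LiteralPath $csvPath } else { $sampleRows }
$rows = @($rows | Where-Object { $_.IndicatorType -eq 'FileSha256' })

$headers = @{}
if (-not $DryRun) {
    $token   = Get-MdeToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
    $headers = @{ Authorization = "Bearer $token" }
}

foreach ($row in $rows) {
    $json = ConvertTo-MdeIndicator -Row $row | ConvertTo-Json -Compress
    if ($DryRun) { Write-Host $json; continue }
    try {
        $result = Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
            -Headers $headers -ContentType 'application/json' -Body $json
        Write-Host "OK   $($row.IndicatorValue) -> id $($result.id)"
    } catch {
        # HTTP 429 is the API's rate limit; pause instead of failing the whole batch.
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 429) { Write-Warning 'Throttled (HTTP 429), sleeping 60 s'; Start-Sleep -Seconds 60 }
        Write-Warning "FAIL $($row.IndicatorValue): $($_.ErrorDetails.Message)"
    }
}
```

Rows whose IndicatorType is not FileSha256 are skipped on purpose; the Category, MitreTechniques and RbacGroups columns are not mapped here because their API representation is not shown on this page.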

     

      rmiranda98
      Copper Contributor
      Hello LouisMastelinck,

      Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
      - Download the sample file and fill it with the actual indicators/data (in this step you should convert the data into a column-like layout with the "Text to Columns" option in Excel so you can work with the data easily).
      - Make sure the file is in .csv format and save it.
      - Open that CSV file with Notepad++, replace all ";" with "," and paste the data from Notepad++ back into the CSV file. This converts the data from columns into comma-separated values again.
      - Now the upload/import feature works just fine.
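The error in the first post shows the whole row (fields joined by ";") landing in the single field IndicatorType, which is what happens when Excel saves the sheet with a ";" list separator and the importer expects ",". A blanket find/replace of ";" with "," also rewrites semicolons inside Description or RecommendedActions and does nothing for field text that already contains commas. The following added example (not part of any post in this thread) does the same repair as a script: it detects the delimiter from the header line, checks each row against the values the importer accepts, re-emits comma-separated lines with RFC 4180 quoting only where a field needs it, and writes UTF-8 without a BOM. The header names are assumed from the MDE sample file (only IndicatorType is visible in the error message), the Action and Severity value lists are those of the MDE indicators API, and the demo input is a constructed ";"-delimited file written to the temp folder.

```powershell
# Added example, not from the thread: normalise a ';'-delimited MDE indicator CSV
# (what Excel writes in locales whose list separator is ';') into the
# comma-delimited layout the Defender for Endpoint import page expects.
# Header names are assumed from the MDE sample file; only IndicatorType is
# confirmed by the error message quoted in the thread.
$ExpectedHeader = @(
    'IndicatorType','IndicatorValue','ExpirationTime','Action','Severity','Title',
    'Description','RecommendedActions','RbacGroups','Category','MitreTechniques','GenerateAlert'
)
$ValidActions    = @('Alert','Warn','Block','Audit','BlockAndRemediate','AlertAndBlock','Allowed')
$ValidSeverities = @('Informational','Low','Medium','High')

function Convert-MdeIndicatorCsv {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath
    )
    # Detect the delimiter from the header instead of blindly replacing ';',
    # which would also mangle semicolons inside free-text fields.
    $headerLine = Get-Content -LiteralPath $InputPath -TotalCount 1
    $delimiter  = if (($headerLine -split ';').Count -gt ($headerLine -split ',').Count) { ';' } else { ',' }

    $rows = @(Import-Csv -LiteralPath $InputPath -Delimiter $delimiter)
    if ($rows.Count -eq 0) { throw "No data rows in $InputPath" }

    $actualHeader = $rows[0].PSObject.Properties.Name
    $missing = $ExpectedHeader | Where-Object { $_ -notin $actualHeader }
    if ($missing) { throw "Missing columns: $($missing -join ', ')" }

    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add(($ExpectedHeader -join ','))

    $lineNo = 1
    foreach ($row in $rows) {
        $lineNo++
        $value = ([string]$row.IndicatorValue).Trim()

        # Row-level checks the import page would otherwise reject one at a time.
        if ($row.IndicatorType -eq 'FileSha256' -and $value -notmatch '^[0-9a-fA-F]{64}$') {
            throw "Line ${lineNo}: '$value' is not a SHA-256 hash"
        }
        if ($row.Action -notin $ValidActions)       { throw "Line ${lineNo}: unknown Action '$($row.Action)'" }
        if ($row.Severity -notin $ValidSeverities)  { throw "Line ${lineNo}: unknown Severity '$($row.Severity)'" }
        if ($row.GenerateAlert -notin @('TRUE','FALSE')) { throw "Line ${lineNo}: GenerateAlert must be TRUE or FALSE" }

        # Excel may have re-formatted the date; emit ISO 8601 UTC (or leave empty).
        $expiry = ([string]$row.ExpirationTime).Trim()
        if ($expiry) { $expiry = ([datetime]::Parse($expiry)).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ') }
        $row.ExpirationTime = $expiry
        $row.IndicatorValue = $value

        # Quote only fields that need it (RFC 4180), so free text with commas survives.
        $fields = foreach ($name in $ExpectedHeader) {
            $f = [string]$row.$name
            if ($f -match '[",\r\n]') { '"' + $f.Replace('"','""') + '"' } else { $f }
        }
        $lines.Add(($fields -join ','))
    }

    # UTF-8 without a BOM so the first header name is not prefixed with hidden bytes.
    $fullOut   = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($fullOut, (($lines -join "`r`n") + "`r`n"), $utf8NoBom)
    return $lines.Count - 1
}

# Demo on a constructed ';'-delimited file: row 1 is the sample line from the
# error message, row 2 is made up and carries a comma inside Description.
$demoIn  = Join-Path $env:TEMP 'mde-indicators-semicolon.csv'
$demoOut = Join-Path $env:TEMP 'mde-indicators-import.csv'
@'
IndicatorType;IndicatorValue;ExpirationTime;Action;Severity;Title;Description;RecommendedActions;RbacGroups;Category;MitreTechniques;GenerateAlert
FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE
FileSha256;0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;2030-01-01T00:00:00Z;Block;High;Test dropper;Seen in test, wave 2;Isolate host;;Execution;T1204;TRUE
'@ | Set-Content -LiteralPath $demoIn -Encoding UTF8
$n = Convert-MdeIndicatorCsv -InputPath $demoIn -OutputPath $demoOut
Write-Host "$n indicator row(s) written to $demoOut"
Get-Content -LiteralPath $demoOut
```

The second demo row comes out with its Description quoted ("Seen in test, wave 2"), which is the case the Notepad++ replace cannot handle; a bad hash, an unknown Action or Severity, or a GenerateAlert value other than TRUE/FALSE stops the conversion with the offending line number before anything is uploaded.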
        Cornel07
        Copper Contributor

        Sorry for reviving such an old thread, but I tried your solution and it still gives me errors when trying to import the indicators from .csv. Is there possibly another solution?

         

        rmiranda98 
