MDE import indicators not working
Hi rmiranda98
I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up... So I stopped using it.
In the past I created a small script using an app registration that would iterate over a CSV file with indicators and post those via the Graph API.
It's an old and basic script, but it might give you enough inspiration to make it work.
# Basic MDE TI poster script created by Louis Mastelinck
# Get the indicators from a CSV file (the loop below expects a column named "domain"); fill in the path
$list = Import-Csv -Path ""

# Sanitise defanged values, e.g. turn "example[.]com" into "example.com" (kept commented out, as posted)
#$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )

# Authenticate to Graph with the client-credentials flow of an app registration
$clientsecret = ""
$tenantID = ""
$clientid = ""
$TokenBody = @{
    client_id     = $clientid
    client_secret = $clientsecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$accessToken = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
$accessToken = $accessToken.Content | ConvertFrom-Json
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $accessToken.access_token
    'ExpiresOn'     = $accessToken.expires_in
}

# Post one tiIndicator per CSV row
foreach ($domain in $list) {
    #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
    $url = $domain.domain
    Write-Host $domain.domain
    $body = @{
        "action"             = "alert";
        "activityGroupNames" = "";
        "confidence"         = 0;
        "description"        = "Covid19 virus indicator";
        "expirationDateTime" = "2020-06-01T21:00:00.5031462+00:00";
        "externalId"         = "";
        "domainName"         = $url;
        "killChain"          = "";
        "malwareFamilyNames" = "";
        "severity"           = 0;
        "tags"               = "";
        "targetProduct"      = "Azure Sentinel";   # the Graph tiIndicator docs list "Microsoft Defender ATP" as the value for MDE
        "threatType"         = "WatchList";
        "tlpLevel"           = "white"
    }
    $json = ConvertTo-Json $body
    $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators" -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'
}
You can also look at the following documentation: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator?view=o365-worldwide
Maybe this is an option for you?
Kind Regards
Louis
- rmiranda98, Mar 08, 2022 (Copper Contributor)
Hello LouisMastelinck,
Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
- Download the sample file and fill it with the actual indicators/data (in this step you should convert the data into column-like fashion with the "text-to-columns" option in Excel so you can work the data easily).
- Make sure the file is in .csv. Save it.
- Open that CSV file with Notepad++ and replace all ";" with "," and paste the data from Notepad++ into the CSV file. This converts the data from columns into comma-separated values again.
- Now, the upload/import feature works just fine.
- Cornel07, Mar 12, 2024 (Copper Contributor)
Sorry for reviving such an old thread, but I tried your solution and it still gives me errors when trying to import the indicators from .csv. Is there possibly another solution?
- d_m4ck, Apr 16, 2024 (Copper Contributor)
Cornel07
I was able to get it working by opening the sample CSV and adding the data like this:
Header row: IndicatorType, IndicatorValue, ExpirationTime, Action, Severity, Title, Description, RecommendedActions, RbacGroups, Category, MitreTechniques, GenerateAlert
Values as posted: IpAddress, x.x.x.x, Block, Informational, Threat Intel, N/A, Malware, TRUE
Then export/save as .csv (I didn't select UTF-8) and import into Defender.
***Note: I chose IP Address for indicator type and duplicated that entire row for each malicious/suspect IP entry. I also had to leave some of the 'Category' selections blank because, apparently, "Initial access" doesn't play well with how it parses upon uploading. I may try again by typing it in camel-case like "InitialAccess" to see if that works.
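The two recurring problems in this thread are the delimiter (an Excel export that uses ";" instead of ",") and indicator values that are defanged or otherwise malformed. The Python below is an added example, not code from the thread or from Microsoft: it reads a constructed ";"-separated analyst export, refangs the values, drops rows whose value does not match the declared indicator type, and writes a comma-separated file with exactly the template columns d_m4ck listed above. It also maps one row to the JSON body of the Defender for Endpoint indicators API that Louis's documentation link describes (field names from that API's documentation; the mapping and the hypothetical export layout are assumptions, and nothing is sent). The Category value "Malware" is used because that is the one reported to parse in the thread.

```python
import csv
import io
import re

# Column header of the Defender for Endpoint indicator import template, as listed in d_m4ck's post.
TEMPLATE_COLUMNS = [
    "IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
    "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
    "MitreTechniques", "GenerateAlert",
]

# Constructed sample of a hypothetical analyst export: ';' delimiter and defanged values,
# the two things that break the portal's CSV import. Addresses are documentation ranges.
SAMPLE_EXPORT = """\
type;value;note
IpAddress;203.0.113[.]10;c2 node
DomainName;malicious[.]example;phishing landing page
FileSha256;not-a-hash;bad row
"""

# Common defanging conventions: "[.]" for "." and "hxxp" for "http".
DEFANG_PATTERNS = [(re.compile(r"\[\.\]"), "."), (re.compile(r"hxxp", re.I), "http")]

# Sanity patterns per indicator type, so a typo does not become a blocking indicator.
VALIDATORS = {
    "IpAddress": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "DomainName": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I),
    "FileSha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def refang(value: str) -> str:
    """Turn a defanged indicator (203.0.113[.]10, hxxp://...) back into its real form."""
    for pattern, repl in DEFANG_PATTERNS:
        value = pattern.sub(repl, value)
    return value.strip()


def to_template_rows(export_text: str, expires: str, delimiter: str = ";"):
    """Parse the export and build rows keyed by the import template's columns.

    Returns (accepted_rows, rejected_values). `expires` is an ISO-8601 UTC timestamp
    such as "2024-12-31T00:00:00Z"; it is passed in so the result is deterministic."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    rows, rejected = [], []
    for line in reader:
        ind_type = line["type"].strip()
        value = refang(line["value"])
        pattern = VALIDATORS.get(ind_type)
        if pattern is None or not pattern.match(value):
            rejected.append((ind_type, value))
            continue
        rows.append({
            "IndicatorType": ind_type,
            "IndicatorValue": value,
            "ExpirationTime": expires,
            "Action": "Block",
            "Severity": "Informational",
            "Title": "Threat Intel",
            "Description": line.get("note", "") or "N/A",
            "RecommendedActions": "",
            "RbacGroups": "",
            "Category": "Malware",
            "MitreTechniques": "",
            "GenerateAlert": "TRUE",
        })
    return rows, rejected


def write_import_csv(rows) -> str:
    """Serialise rows as the comma-separated CSV the import dialog expects (CRLF line endings)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TEMPLATE_COLUMNS, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_api_body(row) -> dict:
    """Map one template row to the JSON body of POST /api/indicators (assumed mapping, not sent here)."""
    return {
        "indicatorValue": row["IndicatorValue"],
        "indicatorType": row["IndicatorType"],
        "action": row["Action"],
        "title": row["Title"],
        "description": row["Description"],
        "expirationTime": row["ExpirationTime"],
        "severity": row["Severity"],
        "generateAlert": row["GenerateAlert"].upper() == "TRUE",
    }


if __name__ == "__main__":
    accepted, rejected = to_template_rows(SAMPLE_EXPORT, expires="2024-12-31T00:00:00Z")
    print(write_import_csv(accepted))
    print("rejected:", rejected)
```

Writing the file with `open(path, "w", newline="")` keeps the CRLF terminators intact; if the import still fails, diff the first line of your file against the template header above, since the column names and their order are what the parser keys on.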