Forum Discussion
rmiranda98
Mar 02, 2022 - Copper Contributor
MDE import indicators not working
Hello all, I have an extensive list of indicators in hash sha256 I would like to bulk add to MDE through the indicators page. However, every time I try to upload the csv file it gives me an err...
rmiranda98
Mar 08, 2022 - Copper Contributor
Hello LouisMastelinck,
Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
- Download the sample file and fill it with the actual indicators/data (in this step you should convert the data into column-like fashion with the "text-to-columns" option in Excel so you can work the data easily).
- Make sure the file is in .csv. Save it.
- Open that csv file with Notepad++ and replace all ";" with "," and paste the data from Notepad++ into the csv file. This converts the data from columns into the comma separated values again.
- Now, the upload/import feature works just fine.
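The Notepad++ step above replaces every ";" with ",", which also breaks any row whose Title or Description already contains a comma. The following is an added example, not part of any post in this thread and not Microsoft's code: it does the same delimiter conversion with a CSV parser so such fields get quoted, and checks SHA-256 values before upload. The column names are the ones quoted from the sample file later in the thread; the `FileSha256` type name, the function name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Column names as quoted from the sample CSV later in this thread.
EXPECTED_HEADER = ["IndicatorType", "IndicatorValue", "ExpirationTime", "Action",
                   "Severity", "Title", "Description", "RecommendedActions",
                   "RbacGroups", "Category", "MitreTechniques", "GenerateAlert"]
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample: semicolon-separated, as Excel saves it in some locales.
SAMPLE = "\n".join([
    ";".join(EXPECTED_HEADER),
    ";".join(["FileSha256", "ab" * 32, "", "Block", "Informational",
              "Threat Intel, feed A", "N/A", "", "", "Malware", "", "TRUE"]),
    ";".join(["FileSha256", "not-a-hash", "", "Block", "Informational",
              "Threat Intel", "N/A", "", "", "Malware", "", "TRUE"]),
]) + "\n"


def normalize_indicator_csv(text):
    """Return (comma_separated_csv, problems) for an Excel-exported indicator file."""
    text = text.lstrip("\ufeff")  # drop a UTF-8 byte-order mark if Excel wrote one
    first_line = text.splitlines()[0] if text.strip() else ""
    # Pick whichever separator dominates the header line.
    delimiter = ";" if first_line.count(";") > first_line.count(",") else ","
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=delimiter) if any(r)]
    problems = []
    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        return "", ["header does not match the sample file"]
    out = io.StringIO()
    writer = csv.writer(out, delimiter=",", lineterminator="\n")
    writer.writerow(EXPECTED_HEADER)
    for line_no, row in enumerate(rows[1:], start=2):
        row = [c.strip() for c in row]
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"row {line_no}: {len(row)} fields, expected 12")
            continue
        # "FileSha256" is assumed to be the type name used for SHA-256 hashes.
        if row[0] == "FileSha256" and not SHA256_RE.fullmatch(row[1]):
            problems.append(f"row {line_no}: value is not a 64-character hex SHA-256")
            continue
        writer.writerow(row)  # csv.writer quotes any field that contains a comma
    return out.getvalue(), problems


if __name__ == "__main__":
    cleaned, issues = normalize_indicator_csv(SAMPLE)
    print(cleaned, issues, sep="\n")
```

Rows that fail a check are left out of the output and listed in `problems`, so the file that reaches the import page contains only rows that passed.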
Cornel07
Mar 12, 2024 - Copper Contributor
Sorry for reviving such an old thread, but I tried your solution and it still provides me with errors when trying to import the indicators from .csv. Is there possibly another solution?
- d_m4ck - Apr 16, 2024 - Copper Contributor
Cornel07
I was able to get it working by opening the sample CSV and adding the data like this:

IndicatorType IndicatorValue ExpirationTime Action Severity Title Description RecommendedActions RbacGroups Category MitreTechniques GenerateAlert
IpAddress x.x.x.x Block Informational Threat Intel N/A Malware TRUE

Then export/save as .csv (I didn't select UTF-8) and import into Defender.
***Note: I chose IP Address for indicator type and duplicated that entire row for each malicious/suspect IP entry. I also had to leave some of the 'Category' selections blank because, apparently, "Initial access" doesn't play well with how it parses upon uploading. I may try again by typing it in camel-case like "InitialAccess" to see if that works.
- AbdullahAlKadi - Jul 16, 2024 - Copper Contributor