MDE import indicators not working


Hello all, 


I have an extensive list of indicators in hash sha256 I would like to bulk add to MDE through the indicators page.

However, every time I try to upload the csv file it gives me an error:


"Failed to parse CSV file. Invalid line: 2, Reason: Error in parsing field IndicatorType, value: FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE"

As you can see, even using the sample file as the imported file gives me the error (I get the same error when importing my file, respecting all the requirements).


Any solution for this?


TIA

4 Replies

Hi @rmiranda98 

I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up... So I stopped using it.

In the past I created a small script using app registration that would iterate a csv file with indicators and post those via the graph api.

It's an old and basic script, but it might give you enough inspiration to make it work.

#Basic MDE TI poster script created by Louis Mastelinck
# get info from csv (the file is expected to have a column named "domain"; set -Path to your file)
$list = Import-Csv -Path ""

#sanitise url (turns a defanged value such as example[.]com back into example.com)
#$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )

#authenticate to graph with an app registration (client credentials flow)
$clientsecret = ""
$tenantID = ""
$clientid = ""

$TokenBody=@{
    client_id=$clientid
    client_secret=$clientsecret
    scope="https://graph.microsoft.com/.default"
    grant_type="client_credentials"
}

# request a token from the tenant's v2.0 token endpoint and pull access_token out of the JSON reply
$accesstoken = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
$accessToken=$accessToken.content | ConvertFrom-Json

# headers reused for every Graph call (ExpiresOn is informational only; Graph does not read it)
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'="Bearer " + $accessToken.access_token
    'ExpiresOn'=$accessToken.expires_in
}


# one POST per CSV row; each row becomes a domainName tiIndicator
foreach ($domain in $list){
    #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
    $url = $domain.domain
    Write-Host $domain.domain
    
    # indicator payload; adjust expirationDateTime, description, targetProduct etc. to your needs
    $body = @{
          "action"= "alert";
          "activityGroupNames"= "";
          "confidence"= 0;
          "description"= "Covid19 virus indicator";
          "expirationDateTime"= "2020-06-01T21:00:00.5031462+00:00";
          "externalId"= "";
          "domainName"= $url;
          "killChain"= "";
          "malwareFamilyNames"= "";
          "severity"= 0;
          "tags"= "";
          "targetProduct"= "Azure Sentinel"; 
          "threatType"= "WatchList";
          "tlpLevel"= "white"
        }
    $json = ConvertTo-Json $body
    $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators"  -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'

}


You can also look at the following documentation: Submit or Update Indicator API | Microsoft Docs

Maybe this is an option for you? 

Kind Regards

Louis


Hello @LouisMastelinck,

Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
-Download the sample file and fill it with the actual indicators/data (in this step you should convert the data into a column-like fashion with the "text-to-columns" option in Excel so you can work the data easily).
-Make sure the file is in .csv format and save it.
-Open that csv file with Notepad++ and replace all ";" with ",", then paste the data from Notepad++ into the csv file. This converts the data from columns into comma separated values again.
-Now the upload/import feature works just fine.
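As an added example (not from this thread), here is a small Python helper for the same job: it re-delimits a ';' file to ',' with a real CSV parser (so a field that itself contains a comma gets quoted instead of split), builds FileSha256 rows in the sample file's column order, and flags lines the importer would reject. The column names come from the sample file and the error message above; the default field values are my own assumptions.

```python
import csv
import io
import re

# Column order of the MDE sample import file (taken from the thread above).
MDE_COLUMNS = [
    "IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
    "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
    "MitreTechniques", "GenerateAlert",
]
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def redelimit(text, src_delim=";", dst_delim=","):
    """Re-delimit a CSV with a real parser (unlike a blind ';' -> ',' replace,
    a field that itself contains a comma or quote is quoted, not split)."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter=dst_delim, lineterminator="\n")
    for row in csv.reader(io.StringIO(text), delimiter=src_delim):
        writer.writerow(row)
    return out.getvalue()

def build_sha256_csv(hashes, title, description, action="Audit", severity="Low",
                     category="Discovery", techniques="", generate_alert="TRUE"):
    """Comma-delimited import file with one FileSha256 row per hash (default field
    values are assumed, not from Microsoft's docs); rejects non-SHA-256 values."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(MDE_COLUMNS)
    for h in hashes:
        h = h.strip()
        if not SHA256_RE.match(h):
            raise ValueError("not a SHA-256 hash: %r" % h)
        writer.writerow(["FileSha256", h.lower(), "", action, severity, title,
                         description, "", "", category, techniques, generate_alert])
    return out.getvalue()

def validate(text):
    """Return (line number, problem) pairs for lines the importer would reject."""
    problems = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if n == 1:
            if row != MDE_COLUMNS:
                problems.append((n, "unexpected header"))
        elif len(row) != len(MDE_COLUMNS):
            problems.append((n, "%d fields, expected %d" % (len(row), len(MDE_COLUMNS))))
        elif row[0] == "FileSha256" and not SHA256_RE.match(row[1]):
            problems.append((n, "IndicatorValue is not a SHA-256"))
    return problems
```

Run validate() on the file before uploading; an empty list means every line has the 12 expected fields and every FileSha256 value is 64 hex characters.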

Sorry for reviving such an old thread, but I tried your solution and it still gives me errors when trying to import the indicators from .csv. Is there possibly another solution?


@rmiranda98 

@Cornel07 

I was able to get it working by opening the sample CSV and adding the data like this:

IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Description,RecommendedActions,RbacGroups,Category,MitreTechniques,GenerateAlert
IpAddress,x.x.x.x,,Block,Informational,Threat Intel,N/A,,,Malware,,TRUE


Then export/save as .csv (I didn't select UTF-8) and import into Defender.

***Note: I chose IP Address for the indicator type and duplicated that entire row for each malicious/suspect IP entry. I also had to leave some of the 'Category' selections blank because, apparently, "Initial access" doesn't play well with how it parses upon uploading. I may try again by typing it in camel case like "InitialAccess" to see if that works.