Mar 02 2022 02:52 AM
Hello all,
I have an extensive list of SHA256 hash indicators that I would like to bulk-add to MDE through the indicators page.
However, every time I try to upload the csv file it gives me an error:
"Failed to parse CSV file. Invalid line: 2, Reason: Error in parsing field IndicatorType, value: FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE"
As you can see, even using the sample file as the imported file gives me the error (I get the same error when importing my file, respecting all the requirements).
Any solution for this?
TIA
Mar 02 2022 03:53 AM
Hi @rmiranda98
I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up... So I stopped using it.
In the past I created a small script using app registration that would iterate a csv file with indicators and post those via the graph api.
It's an old and basic script, but it might give you enough inspiration to make it work.
#Basic MDE TI poster script created by Louis Mastelinck
# Reads indicators from a CSV and posts each one to the Graph tiIndicators
# endpoint, authenticating with an app registration (client credentials flow).

# get info from csv (fill in the path; the loop below expects a 'domain' column)
$list = Import-Csv -Path ""
#sanitise url
#$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )

#authenticate to graph
$clientsecret = ""
$tenantId = ""
$clientid = ""
$TokenBody = @{
    client_id     = $clientid
    client_secret = $clientsecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$tokenResponse = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
$accessToken = $tokenResponse.Content | ConvertFrom-Json
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer " + $accessToken.access_token
    # informational only; Graph ignores this header
    'ExpiresOn'     = $accessToken.expires_in
}

foreach ($domain in $list) {
    #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
    $url = $domain.domain
    Write-Host $domain.domain
    $body = @{
        "action"             = "alert";
        # collection-valued fields of tiIndicator take arrays, not empty strings
        "activityGroupNames" = @();
        "confidence"         = 0;
        "description"        = "Covid19 virus indicator";
        # the expiry must lie in the future; 30 days from now replaces the original fixed 2020 date
        "expirationDateTime" = (Get-Date).ToUniversalTime().AddDays(30).ToString("o");
        "externalId"         = "";
        "domainName"         = $url;
        "killChain"          = @();
        "malwareFamilyNames" = @();
        "severity"           = 0;
        "tags"               = @();
        "targetProduct"      = "Azure Sentinel";
        "threatType"         = "WatchList";
        "tlpLevel"           = "white"
    }
    $json = ConvertTo-Json $body
    $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators" -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'
    # 201 Created means the indicator was accepted
    Write-Host "HTTP $($post.StatusCode) for $url"
}
You can also look at the following documentation: Submit or Update Indicator API | Microsoft Docs
Maybe this is an option for you?
Kind Regards
Louis
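Added example, not code from this thread, from Microsoft, or from Louis: a Python script that validates an indicator CSV in the sample-file layout the first post and the later replies describe, and maps each accepted row to a request body for the MDE "Submit or Update Indicator" API linked above. The delimiter check addresses the parse error quoted in the first post: the whole row landing in the IndicatorType field is exactly what a semicolon-separated file (the list separator Excel uses in many locales) produces when the importer expects commas. The column names are the ones quoted in the thread; the accepted values, the API endpoint and JSON field names, the token scope, and the sample rows (TEST-NET IP, truncated hash) are this example's assumptions and constructed test data.

```python
"""Validate an MDE indicator CSV and build Submit Indicator API bodies from it.
Added example for the thread above; column names come from the thread, the
allowed values and API field names are assumptions of this example."""
import csv
import io
import json
import re
import urllib.request

# Header of the MDE indicator sample CSV, as listed in the thread.
COLUMNS = ["IndicatorType", "IndicatorValue", "ExpirationTime", "Action",
           "Severity", "Title", "Description", "RecommendedActions",
           "RbacGroups", "Category", "MitreTechniques", "GenerateAlert"]
# Accepted values as this example understands the MDE indicator API (assumption).
ALLOWED_TYPES = {"FileSha1", "FileSha256", "FileMd5", "IpAddress",
                 "DomainName", "Url", "CertificateThumbprint"}
ALLOWED_ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate",
                   "AlertAndBlock", "Allowed"}
ALLOWED_SEVERITIES = {"Informational", "Low", "Medium", "High"}
HASH_LENGTHS = {"FileSha1": 40, "FileSha256": 64, "FileMd5": 32}
API_URL = "https://api.securitycenter.microsoft.com/api/indicators"  # assumed endpoint


def sniff_delimiter(text):
    """Return ';' when the header row looks semicolon-separated, else ','.
    A ';' file read as a ',' file yields one giant IndicatorType field,
    which is the symptom quoted in the first post."""
    header = text.lstrip("\ufeff").splitlines()[0]
    return ";" if header.count(";") > header.count(",") else ","


def parse_indicator_csv(text):
    """Parse and validate; returns (rows, problems). Rows are dicts keyed by COLUMNS."""
    text = text.lstrip("\ufeff")  # a UTF-8 BOM would otherwise corrupt the first header
    reader = csv.DictReader(io.StringIO(text), delimiter=sniff_delimiter(text))
    rows, problems = [], []
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return rows, [f"line 1: missing columns {missing}"]
    for lineno, row in enumerate(reader, start=2):
        # short rows give None, extra cells land under key None: normalise both away
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}
        errs = []
        itype = row["IndicatorType"]
        if itype not in ALLOWED_TYPES:
            errs.append(f"IndicatorType {itype!r}")
        elif itype in HASH_LENGTHS and not re.fullmatch(
                r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[itype], row["IndicatorValue"]):
            errs.append(f"IndicatorValue is not a {HASH_LENGTHS[itype]}-hex-char {itype}")
        if row["Action"] not in ALLOWED_ACTIONS:
            errs.append(f"Action {row['Action']!r}")
        if row["Severity"] not in ALLOWED_SEVERITIES:
            errs.append(f"Severity {row['Severity']!r}")
        if row["GenerateAlert"].upper() not in {"TRUE", "FALSE", ""}:
            errs.append(f"GenerateAlert {row['GenerateAlert']!r}")
        if errs:
            problems.append(f"line {lineno}: " + "; ".join(errs))
        else:
            rows.append(row)
    return rows, problems


def to_api_body(row):
    """Map one validated CSV row to the JSON body of the Submit Indicator API (assumed field names)."""
    body = {
        "indicatorValue": row["IndicatorValue"],
        "indicatorType": row["IndicatorType"],
        "action": row["Action"],
        "severity": row["Severity"],
        "title": row["Title"],
        "description": row["Description"],
        "recommendedActions": row["RecommendedActions"],
        "generateAlert": row["GenerateAlert"].upper() == "TRUE",
    }
    if row["ExpirationTime"]:
        body["expirationTime"] = row["ExpirationTime"]
    if row["RbacGroups"]:
        body["rbacGroupNames"] = [g.strip() for g in row["RbacGroups"].split(",")]
    return body


def post_indicator(token, body):
    """POST one indicator; the bearer token comes from the same client-credentials
    flow as the PowerShell above but with scope
    https://api.securitycenter.microsoft.com/.default (assumption). Returns HTTP status."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample files: the sample row quoted in the thread, an IP row in the
# shape of the later reply, and a deliberately truncated hash. Comma-separated
# first, then the same content as a ';'-locale Excel would save it.
_ROWS = [
    "FileSha256,deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689,,Audit,Low,"
    "File SHA256 custom TI example,Red Team Activity,Recommended actions should be here,,Discovery,T1046,TRUE",
    "IpAddress,203.0.113.10,,Block,Informational,Threat Intel,N/A,,,Malware,,TRUE",
    "FileSha256,deadbeef,,Block,High,Truncated hash,should be rejected,,,,,FALSE",
]
SAMPLE_COMMA = ",".join(COLUMNS) + "\n" + "\n".join(_ROWS) + "\n"
SAMPLE_SEMICOLON = SAMPLE_COMMA.replace(",", ";")

if __name__ == "__main__":
    for name, text in (("comma", SAMPLE_COMMA), ("semicolon", SAMPLE_SEMICOLON)):
        rows, problems = parse_indicator_csv(text)
        print(f"{name}: {len(rows)} valid rows, problems: {problems}")
        for row in rows:
            print(json.dumps(to_api_body(row)))
```

Run it as-is to see both sample files parse to the same two valid rows with the truncated hash reported on line 4; to upload, acquire a token for the Defender API and call post_indicator for each body returned by to_api_body. Rejecting rows locally before upload is what the portal importer does not do well: it stops at the first unparseable line without telling you which column was at fault.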
Mar 12 2024 02:43 AM
Sorry for reviving such an old thread, but I tried your solution and it still gives me errors when trying to import the indicators from .csv. Is there possibly another solution?
Apr 16 2024 01:13 PM
@Cornel07
I was able to get it working by opening the sample CSV and adding the data like this:
IndicatorType | IndicatorValue | ExpirationTime | Action | Severity | Title | Description | RecommendedActions | RbacGroups | Category | MitreTechniques | GenerateAlert |
IpAddress | x.x.x.x | Block | Informational | Threat Intel | N/A | Malware | TRUE |
Then export/save as .csv (I didn't select UTF-8) and import into Defender.
***Note: I chose IP Address for the indicator type and duplicated that entire row for each malicious/suspect IP entry. I also had to leave some of the 'Category' selections blank because, apparently, "Initial access" doesn't play well with how it parses upon uploading. I may try again by typing it in camel case like "InitialAccess" to see if that works.