MDE import indicators not working

Hello all, 

 

I have an extensive list of SHA256 hash indicators that I would like to bulk add to MDE through the Indicators page.

However, every time I try to upload the CSV file it gives me an error:

 

"Failed to parse CSV file. Invalid line: 2, Reason: Error in parsing field IndicatorType, value: FileSha256;deadbeafd034a66599407e2fa2ccaf15d11f1079fc0d012bb7b2b8ce66673689;;Audit;Low;File SHA256 custom TI example;Red Team Activity;Recommended actions should be here;;Discovery;T1046;TRUE"

As you can see, even using the sample file as the imported file gives me the error (I get the same error when importing my own file, which respects all the requirements).

 

Any solution for this?

 

TIA

2 Replies

Hi @rmiranda98 

I was also always fighting with the CSV import functionality of MDE for indicators. For some reason it's always messed up, so I stopped using it.

In the past I created a small script using an app registration that would iterate over a CSV file with indicators and post them via the Graph API.

It's an old and basic script, but it might give you enough inspiration to make it work.

#Basic MDE TI poster script created by Louis Mastelinck
# get info from csv (the file is expected to have a "domain" column)
$list = Import-Csv -Path ""

#sanitise url (undo "[.]" defanging if your feed uses it)
#$sanitized = $list[1].INDICATOR_VALUE.Replace("[.]" ,"." )

#authenticate to graph with an app registration (client credentials flow)
$clientsecret = ""
$tenantID = ""
$clientid = ""

$TokenBody=@{
    client_id=$clientid
    client_secret=$clientsecret
    scope="https://graph.microsoft.com/.default"
    grant_type="client_credentials"
}

$accesstoken = Invoke-WebRequest -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $TokenBody -Method Post -UseBasicParsing
$accessToken=$accessToken.content | ConvertFrom-Json

$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'="Bearer " + $accessToken.access_token
    'ExpiresOn'=$accessToken.expires_in
}


foreach ($domain in $list){
    #$url = $domain.INDICATOR_VALUE.Replace("[.]" ,"." )
    $url = $domain.domain
    Write-Host $domain.domain

    # one tiIndicator per row; targetProduct decides which product receives it
    $body = @{
          "action"= "alert";
          "activityGroupNames"= "";
          "confidence"= 0;
          "description"= "Covid19 virus indicator";
          "expirationDateTime"= "2020-06-01T21:00:00.5031462+00:00";
          "externalId"= "";
          "domainName"= $url;
          "killChain"= "";
          "malwareFamilyNames"= "";
          "severity"= 0;
          "tags"= "";
          "targetProduct"= "Azure Sentinel";
          "threatType"= "WatchList";
          "tlpLevel"= "white"
        }
    $json = ConvertTo-Json $body
    $post = Invoke-WebRequest -Headers $authHeader -Uri "https://graph.microsoft.com/beta/security/tiIndicators"  -Body $json -UseBasicParsing -Method Post -ContentType 'application/json'

}

 

You can also look at the following documentation: Submit or Update Indicator API | Microsoft Docs

Maybe this is an option for you? 

Kind Regards

Louis
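The same idea against the Defender for Endpoint indicator API that the linked "Submit or Update Indicator API" documentation describes, written here as an added example (it is not Louis's script above and not Microsoft's own code). It assumes an app registration that has been granted the WindowsDefenderATP application permission Ti.ReadWrite.All, a CSV using the column names of the MDE sample file (IndicatorType, IndicatorValue, ExpirationTime, Action, Severity, Title, Description, RecommendedActions, GenerateAlert), and the placeholder tenant/app values and path below. Note that the token is requested for the MDE API resource, not for Graph:

```powershell
# Added example: submit each row of an indicator CSV through the MDE
# "Submit or Update Indicator" API (POST /api/indicators).
# Tenant, app id, CSV path and column names are assumptions (see lead-in).
$CsvPath  = '.\indicators.csv'
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Prompt for the secret instead of hard-coding it in the script.
$secret       = Read-Host -Prompt 'App client secret' -AsSecureString
$ClientSecret = [System.Net.NetworkCredential]::new('', $secret).Password

# 1. Client-credentials token scoped to the MDE API resource (not graph.microsoft.com).
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Map one CSV row (sample-file column names) onto the API request body.
function ConvertTo-IndicatorBody {
    param([pscustomobject]$Row)
    $body = @{
        indicatorValue     = $Row.IndicatorValue.Trim()
        indicatorType      = $Row.IndicatorType      # FileSha256, FileSha1, FileMd5, IpAddress, DomainName, Url, ...
        action             = $Row.Action             # Audit, Warn, Block, Alert, AlertAndBlock, Allowed, ...
        severity           = $Row.Severity           # Informational, Low, Medium, High
        title              = $Row.Title
        description        = $Row.Description
        recommendedActions = $Row.RecommendedActions
        generateAlert      = ($Row.GenerateAlert -eq 'TRUE')
    }
    # ExpirationTime is empty in the sample row; only send it when the CSV has one.
    if ($Row.ExpirationTime) {
        $body.expirationTime = ([datetime]$Row.ExpirationTime).ToUniversalTime().ToString('o')
    }
    return $body
}

# 3. Submit each indicator, backing off and retrying on HTTP 429 (the API is rate limited).
$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $json = ConvertTo-IndicatorBody $row | ConvertTo-Json
    for ($attempt = 1; $attempt -le 3; $attempt++) {
        try {
            $resp = Invoke-RestMethod -Method Post -Headers $headers `
                -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
                -ContentType 'application/json' -Body $json
            [pscustomobject]@{ Value = $row.IndicatorValue; Status = 'ok'; Id = $resp.id }
            break
        } catch {
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -eq 429 -and $attempt -lt 3) { Start-Sleep -Seconds (10 * $attempt); continue }
            [pscustomobject]@{ Value = $row.IndicatorValue; Status = "failed ($status)"; Id = $null }
            break
        }
    }
}
$results | Format-Table -AutoSize
```

Because the indicator value is the key, re-running the script on the same CSV updates the existing indicators rather than duplicating them, which is what the "Submit or Update" name refers to.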

 

Hello @LouisMastelinck,

Thank you very much for your reply and for sharing the script. I ended up finding a way to make it work via the import feature:
-download the sample file and fill it with the actual indicators/data (in this step you should convert the data into a column-like layout with the "Text to Columns" option in Excel so you can work with the data easily).
-make sure the file is in .csv format and save it.
-open that csv file with Notepad++, replace all ";" with ",", and paste the data from Notepad++ back into the csv file. This converts the data from columns into comma-separated values again.
-now the upload/import feature works just fine.
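The error in the question shows what went wrong: the whole row landed in the IndicatorType field, which happens when Excel saves the file with ";" as the list separator (the default in many locales) while the import page splits on ",". The manual Notepad++ step above does the delimiter swap; the script below is an added example (not from anyone in this thread, and not a Microsoft tool) that does the same conversion and also validates each row before it is written, so that a bad hash fails locally instead of at upload time. The header names other than IndicatorType are assumed from the field order of the sample row quoted in the question, and both paths are placeholders:

```powershell
# Added example: convert a ';'-delimited MDE indicator CSV into the ','-delimited
# form the Indicators import page parses, validating rows on the way.
# Paths and the column names after IndicatorType are assumptions (see lead-in).
$InputPath  = '.\indicators_semicolon.csv'
$OutputPath = '.\indicators_comma.csv'

$allowedTypes    = 'FileSha256','FileSha1','FileMd5','IpAddress','DomainName','Url','CertificateThumbprint'
$allowedActions  = 'Audit','Warn','Block','Alert','AlertAndBlock','Allowed'
$allowedSeverity = 'Informational','Low','Medium','High'

# Detect the delimiter from the header line instead of assuming one.
$header    = Get-Content -Path $InputPath -TotalCount 1
$delimiter = if ($header -match ';' -and $header -notmatch ',') { ';' } else { ',' }
$rows      = @(Import-Csv -Path $InputPath -Delimiter $delimiter)
$columns   = $rows[0].PSObject.Properties.Name

# Return a list of problems for one row; an empty result means the row is fine.
function Test-IndicatorRow {
    param([pscustomobject]$Row)
    $problems = @()
    if ($Row.IndicatorType -notin $allowedTypes) { $problems += "unknown IndicatorType '$($Row.IndicatorType)'" }
    if ($Row.Action -notin $allowedActions)      { $problems += "unknown Action '$($Row.Action)'" }
    if ($Row.Severity -notin $allowedSeverity)   { $problems += "unknown Severity '$($Row.Severity)'" }
    $value = $Row.IndicatorValue
    switch ($Row.IndicatorType) {
        'FileSha256' { if ($value -notmatch '^[0-9a-fA-F]{64}$') { $problems += 'IndicatorValue is not a SHA-256 hex digest' } }
        'FileSha1'   { if ($value -notmatch '^[0-9a-fA-F]{40}$') { $problems += 'IndicatorValue is not a SHA-1 hex digest' } }
        'FileMd5'    { if ($value -notmatch '^[0-9a-fA-F]{32}$') { $problems += 'IndicatorValue is not an MD5 hex digest' } }
    }
    return $problems
}

# Quote a field only when CSV rules require it (comma, quote or line break inside),
# so descriptions such as "Red Team Activity, phase 2" survive the round trip.
function ConvertTo-CsvField {
    param([string]$Value)
    if ($Value -match '[,"\r\n]') { return '"' + $Value.Replace('"', '""') + '"' }
    return $Value
}

$out = [System.Collections.Generic.List[string]]::new()
$out.Add(($columns -join ','))
$line = 1
foreach ($row in $rows) {
    $line++
    # Undo "[.]" defanging that threat feeds often apply to network indicators.
    if ($row.IndicatorType -in 'DomainName','Url','IpAddress') {
        $row.IndicatorValue = $row.IndicatorValue.Replace('[.]', '.')
    }
    $problems = Test-IndicatorRow $row
    if ($problems) { Write-Warning "line ${line}: $($problems -join '; ') - skipped"; continue }
    $out.Add((($columns | ForEach-Object { ConvertTo-CsvField $row.$_ }) -join ','))
}

# Write UTF-8 without a BOM so the first header cell is not prefixed with hidden bytes.
$fullOut = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
[System.IO.File]::WriteAllLines($fullOut, $out, [System.Text.UTF8Encoding]::new($false))
Write-Host "wrote $($out.Count - 1) indicator rows to $fullOut"
```

If you keep editing the file in Excel, re-run this script after each save; opening the comma-separated output in Excel and saving again will put the semicolons back on a locale that uses them.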