How to run workflow from .csv file as trigger parameter?

Hey,

I currently have a workflow called “Enrich File Hash with Microsoft Teams” which I further expanded to add looping so I can add more hashes instead of just 1.

What this workflow does is: It scans the given hash on VirusTotal using the API and generates a summary based on the output.

So I would write “!enrich-hash xyz zyx” on MS-Teams and it would try to scan “xyz” and “zyx” on virustotal.

Now my question is I have a .csv file on excel that has around 200 hashes and I want to be able to somehow append this .csv file as the trigger parameter like this “!enrich-hash hashes.csv”. What would I need to add to my workflow to make this work? I have been searching for a while but unfortunately no success.

I would really appreciate some guidance.

I know this has been over a year since posted, I was wondering if you found anything. I am literally writing something to do the same thing.

The trigger will list the URL for the CSV, so now I am just working on the next step of actually getting the CSV file.

I don’t know how you can use the URL to fetch the CSV natively from the teams plugin.
You could script it to grab the URL using Python. So your trigger sends the message and the URL. The URL is pathed to a Python step which fetches your CSV, then you can do whatever you like once you have it in ICON.

You can manually drag a CSV into ICON to kick it off if it isn’t something you do often. I have a few snippets that I do this with for internal data processing.

Teams has a property that lists the URL of the attached file:

{{["trigger-teams"].[message].[attachments].[0].[contentUrl]}}

What will you do with the URL though?

I just did a quick search of the plugins on the extension library.

We have this plugin: Rapid7 Extensions

It says it leverages a URL to download a file. You can try this rather than scripting it.

It returns the payload as base64 encoded string.

You can use the CSV to JSON to make use of the encoded string.

The CSV file would be a list of hashes that we have been provided or have obtained by other means. We would then add the hashes to Defender’s block list, search to see if the hash has been seen, etc.

I tried using that plugin but it seems to only grab part of the file. The rest looks like it is SharePoint scripting garbage. Having used the plugin to grab other items successfully and digging through the code that is returned, I am seeing issues with authentication mentioned so at this point, SharePoint is preventing me from being able to do this.

Time to figure out another solution. I will look into what you mentioned in another reply, the only problem is that I do not have enough licenses for everyone in my team to log in. That is a me problem though. :slight_smile:
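An added example, not code from any poster in this thread: a Python helper that takes the base64 string a download step returns, refuses it when it is an HTML page rather than a CSV (the SharePoint authentication case described above), and keeps only well-formed MD5, SHA-1 or SHA-256 values before anything is sent to a block list. The names `extract_hashes` and `NotCsvError` are hypothetical and the sample inputs are constructed.

```python
import base64
import csv
import io
import re

# Hex lengths for MD5 (32), SHA-1 (40) and SHA-256 (64)
HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})")


class NotCsvError(ValueError):
    """The payload is markup (for example a sign-in page), not a CSV."""


def extract_hashes(b64_payload):
    """Decode a base64 download and return (valid_hashes, rejected_cells)."""
    raw = base64.b64decode(b64_payload, validate=True)
    text = raw.decode("utf-8-sig", errors="replace")  # Excel CSVs often carry a BOM
    head = text.lstrip()[:512].lower()
    if head.startswith(("<!doctype", "<html", "<?xml")) or "<script" in head:
        raise NotCsvError("download returned markup, not CSV; check authentication")

    valid, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            value = cell.strip().lower()
            if not value:
                continue
            if HASH_RE.fullmatch(value):
                if value not in seen:  # de-duplicate, keep first-seen order
                    seen.add(value)
                    valid.append(value)
            else:
                rejected.append(cell.strip())  # header text, typos, truncated values
    return valid, rejected


# Constructed sample: header row, one SHA-256, one MD5, a duplicate and a bad cell
SAMPLE_CSV = (
    "\ufeffhash\r\n"
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\r\n"
    "d41d8cd98f00b204e9800998ecf8427e\r\n"
    "d41d8cd98f00b204e9800998ecf8427e\r\n"
    "not-a-hash\r\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_CSV.encode("utf-8")).decode("ascii")
# Constructed sample of what an unauthenticated download can look like
SAMPLE_HTML_B64 = base64.b64encode(b"<!DOCTYPE html><html><script></script>").decode("ascii")

if __name__ == "__main__":
    print(extract_hashes(SAMPLE_B64))
```

Reviewing the rejected list before acting on the valid one shows whether the file was truncated or contained something other than hashes.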

If it is hosted in SharePoint you can just use the SharePoint API to return it. It would need to be scripted of course.

The PnP module could be used, but I have not figured out how to get modules other than the default PowerShell modules to load for workflows. I have not found any information on Discuss or help in the documentation. I figure it can be done, just not sure how.