pfilipe
Contributor

Importing Indicator Error "Indicator in row 1 has less fields than expected"

Hello,

I am trying to import an external CSV file to Checkpoint Indicators but am getting the error "Indicator in row 1 has less fields than expected".

Already tried with Checkpoint examples as seen on https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut.... But no success.

Could someone provide me a CSV that works, to see what the correct syntax is and to see if I keep getting the error?

Best regards.

the_rock
Legend

You may want to have TAC help you with this, as I saw someone post the same problem before on here, but there was no solution. Personally, I had never tried this before, so I won't even try to give you a suggestion, sorry.

Though, if you can provide me with your CSV file and the steps you used to import it, I'm happy to try it in my lab and report back.

pfilipe
Contributor

Will open a TAC case then. If I get any developments, I will post here.

Thanks anyway!

AaronCP
Advisor

Hey @pfilipe,

Have you had a response from TAC? I'm getting this error when importing an IOC CSV file into R80.40 SmartConsole. Interested to see if TAC have given you any advice/example CSVs.

Thanks,

Aaron.

pfilipe
Contributor

Hello Aaron,

I found the correct syntax: it needs to have all the fields Uniq-Name,value,Type,Confidence,Severity,Product,Comment.

Where Value is the IP/URL/DOMAIN you want to block. Like this!

domain1,google.com,Domain,high,high,AV,Domain

AaronCP
Advisor

That's great! Thanks for that 😊

kweiwing_neng
Participant

Hi @pfilipe,

Would it be possible to share the CSV example template? Many thanks.

pfilipe
Contributor

Hello,

Yes, this is for hashes, for example.
The syntax is Uniq-Name,value,Type,Confidence,Severity,Product,Comment.

Products are AV - Antivirus and AB - AntiBot.

The comment is not mandatory and can be null. If you want to use an IP, for example:

IP1,192.168.1.1,IP,high,high,AB,

Best regards,

PF
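
A pre-import check for the seven-field row format described in this reply, as an added example that is not part of the original post and not Check Point's own tooling. It assumes only what the thread states (field order, the AV and AB products, an optional Comment whose column must still exist); the duplicate Uniq-Name check is inferred from the field name, and the function name is hypothetical.

```python
import csv
import io
import ipaddress

# Field order as given in this thread; Comment may be empty but its column must exist.
FIELDS = ["Uniq-Name", "value", "Type", "Confidence", "Severity", "Product", "Comment"]
PRODUCTS = {"AV", "AB"}  # AV = Antivirus, AB = AntiBot (the two named in the thread)


def check_indicator_csv(text):
    """Return a list of (row_number, message) problems found in the CSV text."""
    problems = []
    seen_names = set()
    text = text.lstrip("\ufeff")  # a UTF-8 BOM would otherwise become part of field 1
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != len(FIELDS):  # also catches blank lines (0 fields)
            problems.append((row_no, f"{len(row)} fields, expected {len(FIELDS)}"))
            continue
        name, value, kind, confidence, severity, product, _comment = (f.strip() for f in row)
        for label, field in zip(FIELDS[:6], (name, value, kind, confidence, severity, product)):
            if not field:
                problems.append((row_no, f"{label} is empty"))
        if name in seen_names:  # assumption: names must be unique, as the field name suggests
            problems.append((row_no, f"duplicate Uniq-Name {name!r}"))
        seen_names.add(name)
        if product and product not in PRODUCTS:
            problems.append((row_no, f"Product {product!r} is not AV or AB"))
        if kind.upper() == "IP" and value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append((row_no, f"{value!r} is not a valid IP address"))
    return problems


# Constructed sample: rows 1-2 are the two lines quoted in the thread, rows 3-5 are broken on purpose.
SAMPLE = (
    "domain1,google.com,Domain,high,high,AV,Domain\n"
    "IP1,192.168.1.1,IP,high,high,AB,\n"
    "IP2,192.168.1.2,IP,high,high,AB\n"           # trailing comma missing: 6 fields
    "IP3,192.168.1.300,IP,high,high,AB,\n"        # not a valid address
    "domain1,example.com,Domain,high,high,XX,\n"  # reused name, unknown product
)

if __name__ == "__main__":
    for row_no, message in check_indicator_csv(SAMPLE):
        print(f"row {row_no}: {message}")
```

Row 3 of the sample shows the case behind the error in this thread: dropping the trailing comma of an empty Comment leaves six fields instead of seven.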

kweiwing_neng
Participant

Hi Pfilipe,

Many thanks for the feedback; however, I tried to import the file you gave through SmartConsole and still encounter the same error.

Is there any syntax I need to add in order to import?

Best Regards,

WScreenshot_1.png

pfilipe
Contributor

That is weird, because I have the exact same file implemented on a Checkpoint in R81.10. Only if Checkpoint changed the syntax somehow...

AaronCP
Advisor

I am using this exact template for our IOC feed on R81 management

kweiwing_neng
Participant

@AaronCP 

Many thanks for the file, it works perfectly.

Shiran_Gold
Employee

Hello,

I am happy to see the issue was resolved.

Loading IOC CSV is based on using Check Point's template.

More information can be found in sk132193.

R81.10 presents new IOC capabilities that allow IOC configuration using a simple menu, which will include custom feeds as well.
