Solved: Re: Importing Indicator Error "Indicator in row 1 ...

pfilipe · ‎2022-03-03

Hello,

I am trying to Import a External CSV File to Checkpoint Indicators but getting the error "Indicator in row 1 has less fields than expected".

Already tried with Checkpoint examples as seen on https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut.... But no success.

Could somone provide me an CSV that works to see what is the correct syntax and to see if i keep getting the error?

Best regards.

AaronCP · ‎2022-09-05

I am using this exact template for our IOC feed on R81 management

View solution in original post

the_rock · ‎2022-03-03

You may want to have TAC help you with this, as I saw someone post same problem before on here, but there was no solution. Personally, I had never tried this before, so wont even try give you a suggestion, sorry.

Though, if you can provide me with your CSV file and steps you used to import it, Im happy to try it in my lab and report back.

pfilipe · ‎2022-03-03

Will Open a TAC case then. If i get any developments will post here.

Thanks anyway!

AaronCP · ‎2022-03-08

Hey @pfilipe,

Have you had a response from TAC? I'm getting this error when importing an IOC CSV file into R80.40 SmartConsole. Interested to see if TAC have given you any advice/example CSVs.

Thanks,

Aaron.

pfilipe · ‎2022-03-08

Hello Aaron,

I found the correct Syntax it needs to have all the fields Uniq-Name,value,Type,Confidence,Severity,Product,Comment.

Where Value is the IP/URL/DOMAIN you want to block. Like this!

domain1,google.com,Domain,high,high,AV,Domain

AaronCP · ‎2022-03-08

That's great! Thanks for that 😊

kweiwing_neng · ‎2022-09-01

Hi @pfilipe,

Possible could share the csv example template? Many thanks.

pfilipe · ‎2022-09-01

Hello,

Yes, this is for hashes for example.
The syntax is Uniq-Name,value,Type,Confidence,Severity,Product,Comment.

Product are AV - Antivirus and AB-AntiBot.

The comment is not Mandatory and can be null. If you want to use an IP for example:

IP1,192.168.1.1,IP,high,high,AB,

Best regards,

PF

kweiwing_neng · ‎2022-09-01

Hi Pfilipe,

Many thanks for the feedback, however was try import the file you gave thru smartconsole still encounter the same error.

Is that any syntax need to add in order to import?

Best Regards,

W

pfilipe · ‎2022-09-01

That is weird. Because i have the exact same file implemented on a checkpoint in R81.10. Only if checkpoint changed the syntax somehow...

AaronCP · ‎2022-09-05

I am using this exact template for our IOC feed on R81 management

kweiwing_neng · ‎2022-09-05

@AaronCP

Many thanks the file, is work perfectly.

G_W_Albrecht · ‎2022-03-03

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Shiran_Gold · ‎2022-09-08

Hello,

I am happy to see the issue was resolved.

Loading IOC CSV is based on using Check Point's template.

more information can be found in sk132193

in R81.10 presents new IOC capabilities that allows IOC configuration using a simple menu which will include custom feeds as well

Are you a member of CheckMates?

Importing Indicator Error "Indicator in row 1 has less fields than expected"