Here are some common errors that may be encountered while using the API or SDKs. If you run into an error that is not listed here and you are unable to debug it, contact email@example.com.
You may also find the list of HTTP Responses helpful in troubleshooting.
Signature data did not match expected result¶
This error occurs when something is wrong with the signature used in the Authorization Section. Make sure you are using the
HMAC-SHA256 algorithm and base-64 encoding to create the signature. Refer to the Authorization Section for steps to fix this error.
Timestamp out of acceptable time range¶
Every API call to ThreatConnect requires a
Timestamp header that is within five minutes of the ThreatConnect server’s system time. If you get this error, you are passing in a Timestamp that does not line up with ThreatConnect system time. Refer to the Timestamp Section for steps to fix this error.
There are a few details to keep in mind when creating certain Indicator types.
When creating an ASN Indicator in ThreatConnect, the AS Number must be prefixed with “ASN” and should not include a space between the prefix (“ASN”) and the AS Number. There are some examples of correct and incorrect indicator formats below.
ASN12345 # CORRECT 12345 # INCORRECT AS12345 # INCORRECT AS 12345 # INCORRECT ASN 12345 # INCORRECT
CIDR Range Indicators with IPv6 Addresses¶
When creating a CIDR Range Indicator that is based on an IPv6 Address, the CIDR Range must be formatted very specifically. There can be no leading zeros in any of the sections unless that section contains only a zero. CIDR Ranges based on compressed IPv6 Addresses (e.g.
2001:db8:1234::/48) are not accepted. CIDR Ranges based on expanded/exploded IPv6 Addresses (e.g.
2001:0DB8:1234:0000:0000:0000:0000:0000) are also not accepted. Any section with
0000 must be replaced with a single zero (
0). There are some examples below which demonstrate acceptable and unacceptable forms.
abc:def:10:0:0:0:0:0/48 # CORRECT abc:def:10::/48 # INCORRECT - compressed IPv6 addresses not accepted 0abc:def:10:0:0:0:0:0/48 # INCORRECT - leading zero on first section abc:0def:10:0:0:0:0:0/48 # INCORRECT - leading zero on second section abc:def:0010:0:0:0:0:0/48 # INCORRECT - leading zeros on third section abc:def:10:0000:0000:0000:0000:0000/48 # INCORRECT - expanded/exploded IPv6 addresses not accepted
The Python3 script below will format a CIDR Range (as the
incoming_cidr_range variable) into the desired format:
import ipaddress incoming_cidr_range = "2001:db8:1234::/48" desired_cidr_range = "2001:db8:1234:0:0:0:0:0/48" address_sections =[section.replace("0000", "xxxx").lstrip("0") for section in ipaddress.IPv6Network(incoming_cidr_range).exploded.split(":")] formatted_cidr_range = ":".join(address_sections) formatted_cidr_range = formatted_cidr_range.replace("xxxx", "0") assert formatted_cidr_range == desired_cidr_range print(formatted_cidr_range)
The script above only works with Python3.
xn--sterreich-z7a.icom.museum # CORRECT österreich.icom.museum # INCORRECT
Registry Key Indicators¶
When creating a Registry Key Indicator in ThreatConnect, the Key Name for the Registry Key must start with one of the following values:
If a Registry Key starts with
HKLM\, this must be changed to
HKEY_LOCAL_MACHINE\ before the Key can be created in ThreatConnect.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 # CORRECT HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 # INCORRECT
When creating a URL Indicator in ThreatConnect, the domain name of the URL must be lowercase. There are some examples of correct and incorrect indicator formats below.
http://example.com # CORRECT http://EXAMPLE.com # INCORRECT