Versioning

To create a new version of an existing object, specify the property(ies) you want to change and their new values. For example, here we change the indicator type from “anomalous-activity” to “malicious-activity”:

[4]:
from stix2 import Indicator

indicator = Indicator(created="2016-01-01T08:00:00.000Z",
                      name="File hash for suspicious file",
                      description="A file indicator",
                      indicator_types=["anomalous-activity"],
                      pattern_type="stix",
                      pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")

indicator2 = indicator.new_version(name="File hash for Foobar malware",
                                   labels=["malicious-activity"])
print(indicator2.serialize(pretty=True))
[4]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:27:20.792845Z",
    "name": "File hash for Foobar malware",
    "description": "A file indicator",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z",
    "labels": [
        "malicious-activity"
    ]
}

The modified time will be updated to the current time unless you provide a specific value as a keyword argument. Note that you can’t change the type, id, or created properties.

[5]:
indicator.new_version(id="indicator--cc42e358-8b9b-493c-9646-6ecd73b41c21")
UnmodifiablePropertyError: These properties cannot be changed when making a new version: id.

You can remove optional or custom properties by setting them to None when you call new_version().

[6]:
indicator3 = indicator.new_version(description=None)
print(indicator3.serialize(pretty=True))
[6]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:29:37.055139Z",
    "name": "File hash for suspicious file",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z"
}

To revoke an object:

[7]:
indicator4 = indicator3.revoke()
print(indicator4.serialize(pretty=True))
[7]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:29:38.943037Z",
    "name": "File hash for suspicious file",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z",
    "revoked": true
}