utils

Utility functions and classes for the stix2 library.

class STIXdatetime
deduplicate(stix_obj_list)

Deduplicate a list of STIX objects to a unique set.

Reduces a set of STIX objects to unique set by looking at ‘id’ and ‘modified’ fields - as a unique object version is determined by the combination of those fields

Note: Be aware, as can be seen in the implementation of deduplicate(),that if the “stix_obj_list” argument has multiple STIX objects of the same version, the last object version found in the list will be the one that is returned.

Parameters:stix_obj_list (list) – list of STIX objects (dicts)
Returns:A list with a unique set of the passed list of STIX objects.
find_property_index(obj, search_key, search_value)

Search (recursively) for the given key and value in the given object. Return an index for the key, relative to whatever object it’s found in.

Parameters:
  • obj – The object to search (list, dict, or stix object)
  • search_key – A search key
  • search_value – A search value
Returns:

An index; -1 if the key and value aren’t found

format_datetime(dttm)

Convert a datetime object into a valid STIX timestamp string.

  1. Convert to timezone-aware
  2. Convert to UTC
  3. Format in ISO format
  4. Ensure correct precision a. Add subsecond value if non-zero and precision not defined
  5. Add “Z”
get_class_hierarchy_names(obj)

Given an object, return the names of the class hierarchy.

get_timestamp()

Return a STIX timestamp of the current date and time.

get_type_from_id(stix_id)
new_version(data, **kwargs)

Create a new version of a STIX object, by modifying properties and updating the modified property.

parse_into_datetime(value, precision=None)

Parse a value into a valid STIX timestamp object.

remove_custom_stix(stix_obj)

Remove any custom STIX objects or properties.

Warning: This function is a best effort utility, in that it will remove custom objects and properties based on the type names; i.e. if “x-” prefixes object types, and “x_” prefixes property types. According to the STIX2 spec, those naming conventions are a SHOULDs not MUSTs, meaning that valid custom STIX content may ignore those conventions and in effect render this utility function invalid when used on that STIX content.

Parameters:stix_obj (dict OR python-stix obj) – a single python-stix object or dict of a STIX object
Returns:A new version of the object with any custom content removed
revoke(data)

Revoke a STIX object.

Returns:A new version of the object with revoked set to True.