Versioning

To create a new version of an existing object, specify the property(ies) you want to change and their new values. For example, here we change the label from “anomalous-activity” to “malicious-activity”:

[3]:

from stix2 import Indicator

indicator = Indicator(created="2016-01-01T08:00:00.000Z",
                      name="File hash for suspicious file",
                      description="A file indicator",
                      labels=["anomalous-activity"],
                      pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")

indicator2 = indicator.new_version(name="File hash for Foobar malware",
                                   labels=["malicious-activity"])
print(indicator2)

[3]:

{
    "type": "indicator",
    "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2019-07-25T17:59:34.815Z",
    "name": "File hash for Foobar malware",
    "description": "A file indicator",
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "valid_from": "2019-07-25T17:59:34.779826Z",
    "labels": [
        "malicious-activity"
    ]
}

The modified time will be updated to the current time unless you provide a specific value as a keyword argument. Note that you can’t change the type, id, or created properties.

[4]:

indicator.new_version(id="indicator--cc42e358-8b9b-493c-9646-6ecd73b41c21")

UnmodifiablePropertyError: These properties cannot be changed when making a new version: id.

You can remove optional or custom properties by setting them to None when you call new_version().

[5]:

indicator3 = indicator.new_version(description=None)
print(indicator3)

[5]:

{
    "type": "indicator",
    "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2019-07-25T17:59:42.648Z",
    "name": "File hash for suspicious file",
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "valid_from": "2019-07-25T17:59:34.779826Z",
    "labels": [
        "anomalous-activity"
    ]
}

To revoke an object:

[6]:

indicator4 = indicator3.revoke()
print(indicator4)

[6]:

{
    "type": "indicator",
    "id": "indicator--8ad18fc7-457c-475d-b292-1ec44febe0fd",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2019-07-25T17:59:52.198Z",
    "name": "File hash for suspicious file",
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "valid_from": "2019-07-25T17:59:34.779826Z",
    "revoked": true,
    "labels": [
        "anomalous-activity"
    ]
}