Versioning
To create a new version of an existing object, specify the properties you want to change and their new values. For example, here we change the indicator type from “anomalous-activity” to “malicious-activity”:
[4]:
from stix2 import Indicator

indicator = Indicator(created="2016-01-01T08:00:00.000Z",
                      name="File hash for suspicious file",
                      description="A file indicator",
                      indicator_types=["anomalous-activity"],
                      pattern_type="stix",
                      pattern="[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']")

indicator2 = indicator.new_version(name="File hash for Foobar malware",
                                   labels=["malicious-activity"])
print(indicator2.serialize(pretty=True))
[4]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:27:20.792845Z",
    "name": "File hash for Foobar malware",
    "description": "A file indicator",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z",
    "labels": [
        "malicious-activity"
    ]
}
The modified time will be updated to the current time unless you provide a specific value as a keyword argument. Note that you can’t change the type, id, or created properties.
[5]:
indicator.new_version(id="indicator--cc42e358-8b9b-493c-9646-6ecd73b41c21")
UnmodifiablePropertyError: These properties cannot be changed when making a new version: id.
You can remove optional or custom properties by setting them to None when you call new_version().
[6]:
indicator3 = indicator.new_version(description=None)
print(indicator3.serialize(pretty=True))
[6]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:29:37.055139Z",
    "name": "File hash for suspicious file",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z"
}
To revoke an object:
[7]:
indicator4 = indicator3.revoke()
print(indicator4.serialize(pretty=True))
[7]:
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
    "created": "2016-01-01T08:00:00.000Z",
    "modified": "2020-06-26T19:29:38.943037Z",
    "name": "File hash for suspicious file",
    "indicator_types": [
        "anomalous-activity"
    ],
    "pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-06-26T19:27:20.759788Z",
    "revoked": true
}
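On the consuming side, several versions of one object can arrive in the same feed, and a detection pipeline has to decide which one to act on. The following is an added example, not part of the stix2 library or its documentation: it works on serialized JSON dicts with the standard library only, and the function names, the two placeholder ids and the sample feed are constructed for illustration (only the first id and its timestamps come from the output above).

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse a STIX timestamp: UTC, 'Z' suffix, optional fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"not a STIX timestamp: {value!r}")

def identity(obj):
    # type and created cannot change between versions; id is the grouping key.
    return obj["type"], parse_ts(obj["created"])

def resolve_versions(objects):
    """Return ({id: latest usable version}, {id: reason it was rejected})."""
    by_id = {}
    for obj in objects:
        by_id.setdefault(obj["id"], []).append(obj)
    current, rejected = {}, {}
    for oid, versions in by_id.items():
        versions.sort(key=lambda o: parse_ts(o["modified"]))
        if any(identity(v) != identity(versions[0]) for v in versions):
            # new_version() refuses to change these, so a mismatch means the
            # feed is inconsistent or the versions are not from one producer.
            rejected[oid] = "immutable property differs between versions"
        elif any(v.get("revoked") for v in versions):
            # Revocation is permanent: honor it even if a "newer" version exists.
            rejected[oid] = "revoked"
        else:
            current[oid] = versions[-1]
    return current, rejected

def _v(oid, modified, created="2016-01-01T08:00:00.000Z", **extra):
    # Builds one constructed sample version with only the fields used here.
    return dict(type="indicator", id=oid, created=created, modified=modified, **extra)

PAGE_ID = "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f"
LIVE_ID = "indicator--00000000-0000-4000-8000-000000000001"  # placeholder
BAD_ID = "indicator--00000000-0000-4000-8000-000000000002"   # placeholder
FEED = [  # constructed feed, deliberately out of order
    _v(PAGE_ID, "2020-06-26T19:29:38.943037Z", revoked=True),
    _v(PAGE_ID, "2020-06-26T19:27:20.792845Z"),
    _v(LIVE_ID, "2021-03-01T10:00:00Z", name="new"),
    _v(LIVE_ID, "2020-01-01T00:00:00.000Z", name="old"),
    _v(BAD_ID, "2020-01-01T00:00:00.000Z"),
    _v(BAD_ID, "2020-02-01T00:00:00.000Z", created="2019-01-01T00:00:00.000Z"),
]

if __name__ == "__main__":
    print(resolve_versions(FEED))
```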