From efe69128909283953ea52f1ba39f10b8ac1aeaf9 Mon Sep 17 00:00:00 2001
From: Chris Lenk
Date: Fri, 15 Sep 2017 09:53:00 -0400
Subject: [PATCH] Add documentation as Jupyter notebooks
- Creating STIX Content
- Serializing STIX Objects
- Parsing STIX Content
- Versioning
---
docs/creating.ipynb | 482 +++++++++++++++++++++++++++++++++++++++++
docs/parsing.ipynb | 99 +++++++++
docs/serializing.ipynb | 93 ++++++++
docs/versioning.ipynb | 162 ++++++++++++++
4 files changed, 836 insertions(+)
create mode 100644 docs/creating.ipynb
create mode 100644 docs/parsing.ipynb
create mode 100644 docs/serializing.ipynb
create mode 100644 docs/versioning.ipynb
diff --git a/docs/creating.ipynb b/docs/creating.ipynb
new file mode 100644
index 0000000..8272e8c
--- /dev/null
+++ b/docs/creating.ipynb
@@ -0,0 +1,482 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 7,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Delete this cell to re-enable tracebacks\n",
+ "import sys\n",
+ "ipython = get_ipython()\n",
+ "\n",
+ "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
+ " exception_only=False, running_compiled_code=False):\n",
+ " etype, value, tb = sys.exc_info()\n",
+ " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
+ "\n",
+ "ipython.showtraceback = hide_traceback"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Creating STIX Content"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "### Creating STIX Domain Objects\n",
+ "\n",
+ "To create a STIX object, provide keyword arguments to the type's constructor:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 1,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--38feb147-4277-45d7-b16c-5f60e24b88e1\",\n",
+ " \"created\": \"2017-09-14T18:17:15.709Z\",\n",
+ " \"modified\": \"2017-09-14T18:17:15.709Z\",\n",
+ " \"labels\": [\n",
+ " \"malicious-activity\"\n",
+ " ],\n",
+ " \"name\": \"File hash for malware variant\",\n",
+ " \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
+ " \"valid_from\": \"2017-09-14T18:17:15.709845Z\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Indicator\n",
+ "\n",
+ "indicator = Indicator(name=\"File hash for malware variant\",\n",
+ " labels=[\"malicious-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
+ "print(indicator)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Certain required attributes of all objects will be set automatically if not provided as keyword arguments:\n",
+ "\n",
+ "- If not provided, ``type`` will be set automatically to the correct type. You can also provide the type explicitly, but this is not necessary:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 8,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "indicator2 = Indicator(type='indicator',\n",
+ " labels=[\"malicious-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Passing a value for ``type`` that does not match the class being constructed will cause an error:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 9,
+ "metadata": {},
+ "outputs": [
+ {
+ "ename": "InvalidValueError",
+ "evalue": "Invalid value for Indicator 'type': must equal 'indicator'.",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mInvalidValueError\u001b[0m\u001b[0;31m:\u001b[0m Invalid value for Indicator 'type': must equal 'indicator'.\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator3 = Indicator(type='xxx',\n",
+ " labels=[\"malicious-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "- If not provided, ``id`` will be generated randomly. If you provide an\n",
+ " ``id`` argument, it must begin with the correct prefix:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 11,
+ "metadata": {},
+ "outputs": [
+ {
+ "ename": "InvalidValueError",
+ "evalue": "Invalid value for Indicator 'id': must start with 'indicator--'.",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mInvalidValueError\u001b[0m\u001b[0;31m:\u001b[0m Invalid value for Indicator 'id': must start with 'indicator--'.\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator4 = Indicator(id=\"campaign--63ce9068-b5ab-47fa-a2cf-a602ea01f21a\",\n",
+ " labels=[\"malicious-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "For indicators, ``labels`` and ``pattern`` are required and cannot be set automatically. Trying to create an indicator that is missing one of these properties will result in an error:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 12,
+ "metadata": {},
+ "outputs": [
+ {
+ "ename": "MissingPropertiesError",
+ "evalue": "No values for required properties for Indicator: (labels, pattern).",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mMissingPropertiesError\u001b[0m\u001b[0;31m:\u001b[0m No values for required properties for Indicator: (labels, pattern).\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator = Indicator()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "However, the required ``valid_from`` attribute on Indicators will be set to the current time if not provided as a keyword argument.\n",
+ "\n",
+ "Once created, the object acts like a frozen dictionary. Properties can be accessed using the standard Python dictionary syntax:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 15,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "u'File hash for malware variant'"
+ ]
+ },
+ "execution_count": 15,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "indicator['name']"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Or access properties using the standard Python attribute syntax:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 16,
+ "metadata": {},
+ "outputs": [
+ {
+ "data": {
+ "text/plain": [
+ "u'File hash for malware variant'"
+ ]
+ },
+ "execution_count": 16,
+ "metadata": {},
+ "output_type": "execute_result"
+ }
+ ],
+ "source": [
+ "indicator.name"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Attempting to modify any attributes will raise an error:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 17,
+ "metadata": {},
+ "outputs": [
+ {
+ "ename": "TypeError",
+ "evalue": "'Indicator' object does not support item assignment",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mTypeError\u001b[0m\u001b[0;31m:\u001b[0m 'Indicator' object does not support item assignment\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator['name'] = \"This is a revised name\""
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 18,
+ "metadata": {},
+ "outputs": [
+ {
+ "ename": "ImmutableError",
+ "evalue": "Cannot modify 'name' property in 'Indicator' after creation.",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mImmutableError\u001b[0m\u001b[0;31m:\u001b[0m Cannot modify 'name' property in 'Indicator' after creation.\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator.name = \"This is a revised name\""
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "To update the properties of an object, see the **Versioning** section."
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Creating a Malware object follows the same pattern:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 21,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"malware\",\n",
+ " \"id\": \"malware--b2eca08d-705a-4662-9b58-9ffe6a98cecd\",\n",
+ " \"created\": \"2017-09-14T18:38:09.395Z\",\n",
+ " \"modified\": \"2017-09-14T18:38:09.395Z\",\n",
+ " \"name\": \"Poison Ivy\",\n",
+ " \"labels\": [\n",
+ " \"remote-access-trojan\"\n",
+ " ]\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Malware\n",
+ "\n",
+ "malware = Malware(name=\"Poison Ivy\",\n",
+ " labels=['remote-access-trojan'])\n",
+ "print(malware)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "As with indicators, the ``type``, ``id``, ``created``, and ``modified`` properties will be set automatically if not provided. For Malware objects, the ``labels`` and ``name`` properties must be provided."
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "### Creating Relationships\n",
+ "\n",
+ "STIX 2 Relationships are separate objects, not properties of the object on either side of the relationship. They are constructed similarly to other STIX objects. The ``type``, ``id``, ``created``, and ``modified`` properties are added automatically if not provided. Callers must provide the ``relationship_type``, ``source_ref``, and ``target_ref`` properties."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 23,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--c42147ec-827a-492d-98d1-33eaaf4678e7\",\n",
+ " \"created\": \"2017-09-14T18:39:40.965Z\",\n",
+ " \"modified\": \"2017-09-14T18:39:40.965Z\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--38feb147-4277-45d7-b16c-5f60e24b88e1\",\n",
+ " \"target_ref\": \"malware--b2eca08d-705a-4662-9b58-9ffe6a98cecd\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Relationship\n",
+ "\n",
+ "relationship = Relationship(relationship_type='indicates',\n",
+ " source_ref=indicator.id,\n",
+ " target_ref=malware.id)\n",
+ "print(relationship)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "The ``source_ref`` and ``target_ref`` properties can be either the ID's of other STIX objects, or the STIX objects themselves. For readability, Relationship objects can also be constructed with the ``source_ref``, ``relationship_type``, and ``target_ref`` as positional (non-keyword) arguments:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 24,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--0097e73a-6340-4394-a499-74e34dcd52fa\",\n",
+ " \"created\": \"2017-09-14T18:40:05.097Z\",\n",
+ " \"modified\": \"2017-09-14T18:40:05.097Z\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--38feb147-4277-45d7-b16c-5f60e24b88e1\",\n",
+ " \"target_ref\": \"malware--b2eca08d-705a-4662-9b58-9ffe6a98cecd\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "relationship2 = Relationship(indicator, 'indicates', malware)\n",
+ "print(relationship2)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "### Creating Bundles\n",
+ "\n",
+ "STIX Bundles can be created by passing objects as arguments to the Bundle constructor. All required properties (``type``, ``id``, and ``spec_version``) will be set automatically if not provided, or can be provided as keyword arguments:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 26,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"bundle\",\n",
+ " \"id\": \"bundle--54d649a4-5ab4-4ab6-b4c4-b52c09fbee9c\",\n",
+ " \"spec_version\": \"2.0\",\n",
+ " \"objects\": [\n",
+ " {\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--38feb147-4277-45d7-b16c-5f60e24b88e1\",\n",
+ " \"created\": \"2017-09-14T18:17:15.709Z\",\n",
+ " \"modified\": \"2017-09-14T18:17:15.709Z\",\n",
+ " \"labels\": [\n",
+ " \"malicious-activity\"\n",
+ " ],\n",
+ " \"name\": \"File hash for malware variant\",\n",
+ " \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
+ " \"valid_from\": \"2017-09-14T18:17:15.709845Z\"\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"malware\",\n",
+ " \"id\": \"malware--b2eca08d-705a-4662-9b58-9ffe6a98cecd\",\n",
+ " \"created\": \"2017-09-14T18:38:09.395Z\",\n",
+ " \"modified\": \"2017-09-14T18:38:09.395Z\",\n",
+ " \"name\": \"Poison Ivy\",\n",
+ " \"labels\": [\n",
+ " \"remote-access-trojan\"\n",
+ " ]\n",
+ " },\n",
+ " {\n",
+ " \"type\": \"relationship\",\n",
+ " \"id\": \"relationship--c42147ec-827a-492d-98d1-33eaaf4678e7\",\n",
+ " \"created\": \"2017-09-14T18:39:40.965Z\",\n",
+ " \"modified\": \"2017-09-14T18:39:40.965Z\",\n",
+ " \"relationship_type\": \"indicates\",\n",
+ " \"source_ref\": \"indicator--38feb147-4277-45d7-b16c-5f60e24b88e1\",\n",
+ " \"target_ref\": \"malware--b2eca08d-705a-4662-9b58-9ffe6a98cecd\"\n",
+ " }\n",
+ " ]\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Bundle\n",
+ "\n",
+ "bundle = Bundle(indicator, malware, relationship)\n",
+ "print(bundle)"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.12"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/docs/parsing.ipynb b/docs/parsing.ipynb
new file mode 100644
index 0000000..9086035
--- /dev/null
+++ b/docs/parsing.ipynb
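Review bot: The indicator examples in docs/creating.ipynb use `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of empty input, under the name "File hash for malware variant" and the `malicious-activity` label. A reader who copies the cell into a real feed would publish an indicator that matches every zero-length file. I would add a sentence to the markdown cell above the first example, such as `The hash below is the MD5 of an empty file and is used only as a placeholder.`, and a matching `# placeholder hash, not a real sample` comment in the code cell. The same pattern is repeated in docs/serializing.ipynb and docs/versioning.ipynb.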
@@ -0,0 +1,99 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Delete this cell to re-enable tracebacks\n",
+ "import sys\n",
+ "ipython = get_ipython()\n",
+ "\n",
+ "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
+ " exception_only=False, running_compiled_code=False):\n",
+ " etype, value, tb = sys.exc_info()\n",
+ " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
+ "\n",
+ "ipython.showtraceback = hide_traceback"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Parsing STIX Content"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "Parsing STIX content is as easy as calling the `parse()` function on a JSON string. It will automatically determine the type of the object. The STIX objects within `bundle` objects, and the cyber observables contained within `observed-data` objects will be parsed as well."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 10,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "observed-data\n",
+ "0969de02ecf8a5f003e3f6d063d848c8a193aada092623f8ce408c15bcb5f038\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import parse\n",
+ "\n",
+ "input_string = \"\"\"{\n",
+ " \"type\": \"observed-data\",\n",
+ " \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",\n",
+ " \"created\": \"2016-04-06T19:58:16.000Z\",\n",
+ " \"modified\": \"2016-04-06T19:58:16.000Z\",\n",
+ " \"first_observed\": \"2015-12-21T19:00:00Z\",\n",
+ " \"last_observed\": \"2015-12-21T19:00:00Z\",\n",
+ " \"number_observed\": 50,\n",
+ " \"objects\": {\n",
+ " \"0\": {\n",
+ " \"type\": \"file\",\n",
+ " \"hashes\": {\n",
+ " \"SHA-256\": \"0969de02ecf8a5f003e3f6d063d848c8a193aada092623f8ce408c15bcb5f038\"\n",
+ " }\n",
+ " }\n",
+ " }\n",
+ "}\"\"\"\n",
+ "\n",
+ "obj = parse(input_string)\n",
+ "print(obj.type)\n",
+ "print(obj.objects[\"0\"].hashes['SHA-256'])"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.12"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/docs/serializing.ipynb b/docs/serializing.ipynb
new file mode 100644
index 0000000..b6d5e05
--- /dev/null
+++ b/docs/serializing.ipynb
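Review bot: The markdown cell in docs/parsing.ipynb presents `parse()` as a one-step call and never mentions that STIX JSON received from a feed or a partner is untrusted input. Only a well-formed object is shown, so a reader does not learn what is raised when the string is malformed or carries an unexpected `type`. I would add a sentence such as `Content from external sources should be treated as untrusted: handle the library's parse errors and validate the objects before acting on them.` and one cell that passes an invalid string to `parse()`, in the way docs/creating.ipynb demonstrates constructor errors.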
@@ -0,0 +1,93 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 2,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Delete this cell to re-enable tracebacks\n",
+ "import sys\n",
+ "ipython = get_ipython()\n",
+ "\n",
+ "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
+ " exception_only=False, running_compiled_code=False):\n",
+ " etype, value, tb = sys.exc_info()\n",
+ " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
+ "\n",
+ "ipython.showtraceback = hide_traceback"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Serializing STIX Objects"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "The string representation of all STIX classes is a valid STIX JSON object."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 4,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--d44ae7d5-01dc-4151-a5de-c9a763c7de3e\",\n",
+ " \"created\": \"2017-09-14T18:15:08.073Z\",\n",
+ " \"modified\": \"2017-09-14T18:15:08.073Z\",\n",
+ " \"labels\": [\n",
+ " \"malicious-activity\"\n",
+ " ],\n",
+ " \"name\": \"File hash for malware variant\",\n",
+ " \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
+ " \"valid_from\": \"2017-09-14T18:15:08.073928Z\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Indicator\n",
+ "\n",
+ "indicator = Indicator(name=\"File hash for malware variant\",\n",
+ " labels=[\"malicious-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
+ "\n",
+ "print(str(indicator))"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.12"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/docs/versioning.ipynb b/docs/versioning.ipynb
new file mode 100644
index 0000000..8f107df
--- /dev/null
+++ b/docs/versioning.ipynb
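Review bot: The first cell of docs/serializing.ipynb replaces `ipython.showtraceback` for the whole kernel session although no cell in this notebook raises, so its only effect is to hide tracebacks from a reader who experiments with the example. docs/parsing.ipynb carries the same cell and also has no failing cell. The hook also calls the private `ipython._showtraceback`, which may change between IPython releases. I would drop the cell from these two notebooks and, where it stays, extend its comment to `# Documentation only: shortens error output. Delete this cell to re-enable tracebacks`.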
@@ -0,0 +1,162 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": 5,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Delete this cell to re-enable tracebacks\n",
+ "import sys\n",
+ "ipython = get_ipython()\n",
+ "\n",
+ "def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
+ " exception_only=False, running_compiled_code=False):\n",
+ " etype, value, tb = sys.exc_info()\n",
+ " return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
+ "\n",
+ "ipython.showtraceback = hide_traceback"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Versioning"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "To create a new version of an existing object, specify the property(ies) you want to change and their new values:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 6,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--ec05229c-9f9a-408c-aa91-6996e2e9b4db\",\n",
+ " \"created\": \"2016-01-01T08:00:00.000Z\",\n",
+ " \"modified\": \"2017-09-14T16:59:28.100Z\",\n",
+ " \"labels\": [\n",
+ " \"malicious-activity\"\n",
+ " ],\n",
+ " \"name\": \"File hash for Foobar malware\",\n",
+ " \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
+ " \"valid_from\": \"2017-09-14T16:59:28.098521Z\"\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "from stix2 import Indicator\n",
+ "\n",
+ "indicator = Indicator(created=\"2016-01-01T08:00:00.000Z\",\n",
+ " name=\"File hash for suspicious file\",\n",
+ " labels=[\"anomalous-activity\"],\n",
+ " pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
+ "\n",
+ "indicator2 = indicator.new_version(name=\"File hash for Foobar malware\",\n",
+ " labels=[\"malicious-activity\"])\n",
+ "print(indicator2)"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "The modified time will be updated to the current time unless you provide a specific value as a keyword argument. Note that you can’t change the type, id, or created properties."
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 3,
+ "metadata": {
+ "scrolled": true
+ },
+ "outputs": [
+ {
+ "ename": "UnmodifiablePropertyError",
+ "evalue": "These properties cannot be changed when making a new version: id.",
+ "output_type": "error",
+ "traceback": [
+ "\u001b[0;31mUnmodifiablePropertyError\u001b[0m\u001b[0;31m:\u001b[0m These properties cannot be changed when making a new version: id.\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator.new_version(id=\"indicator--cc42e358-8b9b-493c-9646-6ecd73b41c21\")"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "collapsed": true
+ },
+ "source": [
+ "To revoke an object:"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": 9,
+ "metadata": {},
+ "outputs": [
+ {
+ "name": "stdout",
+ "output_type": "stream",
+ "text": [
+ "{\n",
+ " \"type\": \"indicator\",\n",
+ " \"id\": \"indicator--ec05229c-9f9a-408c-aa91-6996e2e9b4db\",\n",
+ " \"created\": \"2016-01-01T08:00:00.000Z\",\n",
+ " \"modified\": \"2017-09-14T17:03:31.222Z\",\n",
+ " \"labels\": [\n",
+ " \"malicious-activity\"\n",
+ " ],\n",
+ " \"name\": \"File hash for Foobar malware\",\n",
+ " \"pattern\": \"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\",\n",
+ " \"valid_from\": \"2017-09-14T16:59:28.098521Z\",\n",
+ " \"revoked\": true\n",
+ "}\n"
+ ]
+ }
+ ],
+ "source": [
+ "indicator2 = indicator2.revoke()\n",
+ "print(indicator2)"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.12"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
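Review bot: The saved execution counts in docs/versioning.ipynb are 5, 6, 3, 9, so the `UnmodifiablePropertyError` output comes from an earlier run than the cell above it and the notebook was not saved from a clean top-to-bottom execution. The last cell also rebinds its own input, `indicator2 = indicator2.revoke()`, so running it a second time operates on the already revoked object and presumably fails. I would assign to a new name, `indicator_revoked = indicator2.revoke()`, and re-save the notebook after a restart and full run. Out-of-order counts also appear in docs/creating.ipynb.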