# Delete this cell to re-enable tracebacks
"import sys\n",
"ipython = get_ipython()\n",
"def hide_traceback(exc_tuple=None, filename=None, tb_offset=None,\n",
" exception_only=False, running_compiled_code=False):\n",
" etype, value, tb = sys.exc_info()\n",
" value.__cause__ = None # suppress chained exceptions\n",
" return ipython._showtraceback(etype, value, ipython.InteractiveTB.get_exception_only(etype, value))\n",
"ipython.showtraceback = hide_traceback"
"# JSON output syntax highlighting\n",
"from __future__ import print_function\n",
"from pygments import highlight\n",
"from pygments.lexers import JsonLexer, TextLexer\n",
"from pygments.formatters import HtmlFormatter\n",
"from IPython.display import display, HTML\n",
"from IPython.core.interactiveshell import InteractiveShell\n",
"InteractiveShell.ast_node_interactivity = \"all\"\n",
"def json_print(inpt):\n",
" string = str(inpt)\n",
" formatter = HtmlFormatter()\n",
" if string[0] == '{':\n",
" lexer = JsonLexer()\n",
" else:\n",
" lexer = TextLexer()\n",
" return HTML('<style type=\"text/css\">{}</style>{}'.format(\n",
" formatter.get_style_defs('.highlight'),\n",
" highlight(string, lexer, formatter)))\n",
"globals()['print'] = json_print"
## Versioning
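To create a new version of an existing object, specify the property or properties you want to change and their new values. For example, here we change the indicator type from "anomalous-activity" to "malicious-activity". (As written, the call passes new `name` and `labels` values to `new_version()`, so the output carries "malicious-activity" in `labels` while `indicator_types` still reads "anomalous-activity"; a consumer that filters on `indicator_types` will not see the change.)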
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
"created": "2016-01-01T08:00:00.000Z",
"modified": "2020-06-26T19:27:20.792845Z",
"name": "File hash for Foobar malware",
"description": "A file indicator",
"indicator_types": [
"anomalous-activity"
],
"pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-26T19:27:20.759788Z",
"labels": [
"malicious-activity"
]
"<span class=\"p\">}</span>\n",
"source": [
"from stix2 import Indicator\n",
"indicator = Indicator(created=\"2016-01-01T08:00:00.000Z\",\n",
" name=\"File hash for suspicious file\",\n",
" description=\"A file indicator\",\n",
" indicator_types=[\"anomalous-activity\"],\n",
" pattern_type=\"stix\",\n",
" pattern=\"[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']\")\n",
"indicator2 = indicator.new_version(name=\"File hash for Foobar malware\",\n",
" labels=[\"malicious-activity\"])\n",
The `modified` time will be updated to the current time unless you provide a specific value as a keyword argument. Note that you cannot change the `type`, `id`, or `created` properties; attempting to do so raises an `UnmodifiablePropertyError`, as shown below.
"ename": "UnmodifiablePropertyError",
"evalue": "These properties cannot be changed when making a new version: id.",
"output_type": "error",
"traceback": [
UnmodifiablePropertyError: These properties cannot be changed when making a new version: id.
"source": [
You can remove optional or custom properties by setting them to `None` when you call `new_version()`.
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
"created": "2016-01-01T08:00:00.000Z",
"modified": "2020-06-26T19:29:37.055139Z",
"name": "File hash for suspicious file",
"indicator_types": [
"anomalous-activity"
],
"pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-26T19:27:20.759788Z"
"<span class=\"p\">}</span>\n",
"source": [
# Passing None for an optional property removes it from the new version: the
# resulting object has no "description", keeps the same "id" and "created",
# and gets a fresh "modified" timestamp.
indicator3 = indicator.new_version(description=None)
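To revoke an object, call `revoke()` on it. The result is a new version of the object with `revoked` set to `true`; once an object is revoked, no further versions of it can be created: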
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6a7f1c8a-3c9a-471f-8ef0-e95e51457c3f",
"created": "2016-01-01T08:00:00.000Z",
"modified": "2020-06-26T19:29:38.943037Z",
"name": "File hash for suspicious file",
"indicator_types": [
"anomalous-activity"
],
"pattern": "[file:hashes.md5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-06-26T19:27:20.759788Z",
"revoked": true
"<span class=\"p\">}</span>\n",
# revoke() returns a version of the object with "revoked": true and an updated
# "modified" timestamp; the result is bound to indicator4.
indicator4 = indicator3.revoke()
