S,\4S,\4S \4S$\4S$\4S<\4S?._S@S\4S$\4S$\4SA._SBS$\4S+\4SC._SDS\4S\4S._r!g)FzHPython APIs for STIX 2 Object-based Semantic Equivalence and Similarity.N) DataSourceDataStoreMixinFilter) STIXdatetimeparse_into_datetimeequivalent_patternsFFc .[XX$XVXx40U D6n X:agg)aThis method returns a true/false value if two objects are semantically equivalent. Internally, it calls the object_similarity function and compares it against the given threshold value. Args: obj1: A stix2 object instance obj2: A stix2 object instance prop_scores: A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights. threshold: A numerical value between 0 and 100 to determine the minimum score to result in successfully calling both objects equivalent. This value can be tuned. ds1 (optional): A DataStore object instance from which to pull related objects ds2 (optional): A DataStore object instance from which to pull related objects ignore_spec_version: A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped. versioning_checks: A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step. max_depth: A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm. weight_dict: A dictionary that can be used to override what checks are done to objects in the similarity process. Returns: bool: True if the result of the object similarity is greater than or equal to the threshold value. False otherwise. Warning: Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under `stix2.equivalence.object` can give you an idea on how to add new entries and pass them via the `weight_dict` argument. Similarly, the values or methods can be fine tuned for a particular use case. Note: Default weight_dict: .. include:: ../../similarity_weights.rst Note: This implementation follows the Semantic Equivalence Committee Note. see `the Committee Note `__. TF)object_similarity) obj1obj2 prop_scores thresholdds1ds2ignore_spec_versionversioning_checks max_depth weight_dictsimilarity_results [/home/james-whalen/.local/lib/python3.13/site-packages/stix2/equivalence/object/__init__.pyobject_equivalencers0h* Kc(3% c [R5n U(aU RU5 UUUUUS.U S'USUSpX:wa [S5eUSLa1UR SS5UR SS5:wa [S5eX XS n [ R S US US 5 U "XU40XD6up[ R S X5 US::agX- S-nU$![a U "X40XD6upN?f=f![Ga [ R S US US 5 S n S nXGHrn[XU5(dMXUSnXUSn0X/'U[:XaUU"XXXS5-nOU[:Xa#XSnUU"USUSUSUSU5-nOU[:Xd U[:XaUS:aUS- U SS'U SSU SSpC[X45(aUU"XXX440U D6-nOAU[:Xa[nUU"XX5-nO U[:Xa[ nUU"XX5-nUR"X/S'OGM*XySS'OUU"XX5-nUU- nU W- n UX/S'UX/S'[ R SUUU5 GMu XS'XS'[ R S X5 GNf=f![a [ R%SU 5 S=pGNf=f)aThis method returns a measure of similarity depending on how similar the two objects are. Args: obj1: A stix2 object instance obj2: A stix2 object instance prop_scores: A dictionary that can hold individual property scores, weights, contributing score, matching score and sum of weights. ds1 (optional): A DataStore object instance from which to pull related objects ds2 (optional): A DataStore object instance from which to pull related objects ignore_spec_version: A boolean indicating whether to test object types that belong to different spec versions (STIX 2.0 and STIX 2.1 for example). If set to True this check will be skipped. versioning_checks: A boolean indicating whether to test multiple revisions of the same object (when present) to maximize similarity against a particular version. If set to True the algorithm will perform this step. max_depth: A positive integer indicating the maximum recursion depth the algorithm can reach when de-referencing objects and performing the object_similarity algorithm. weight_dict: A dictionary that can be used to override what checks are done to objects in the similarity process. Returns: float: A number between 0.0 and 100.0 as a measurement of similarity. Warning: Object types need to have property weights defined for the similarity process. Otherwise, those objects will not influence the final score. The WEIGHTS dictionary under `stix2.equivalence.object` can give you an idea on how to add new entries and pass them via the `weight_dict` argument. Similarly, the values or methods can be fine tuned for a particular use case. Note: Default weight_dict: .. include:: ../../similarity_weights.rst Note: This implementation follows the Semantic Equivalence Committee Note. see `the Committee Note `__. )rrrrr _internaltypez0The objects to compare must be of the same type!F spec_versionz2.0z8The objects to compare must be of the same spec version!methodz9Starting object similarity process between: '%s' and '%s'idz&Matching Score: %s, Sum of Weights: %srr tdeltarlatitude longituderrr check_typeweightcontributing_scorez0'%s' check -- weight: %s, contributing score: %smatching_score sum_weightszU'%s' type has no 'weights' dict specified & thus no object similarity method to call!Y@)WEIGHTScopyupdate ValueErrorgetloggerdebug TypeErrorKeyErrorcheck_property_presentpartial_timestamp_basedpartial_location_distancereference_checklist_reference_check_datastore_check exact_matchpartial_list_based__name__warning)rrrrrrrrrweightstype1type2r"r+r,propw comp_functr*requivalence_scores rrrKs^llnG{# 3. GK<f5 ~KLLe#(G488TbdiKj(jSTT<` 6 `^H-F^ LLTVZ[_V`bfgkbl m S.4T._PWP^._+ LLA> _a'5>  S.4T.R7>.R+  Sc, ` LLTVZ[_V`bfgkbl m NK)$d;;t,Q/A!(!5a!8J(*K%!%<<-.DJ T[TbckTl1m-m*#'@@$+N;$? -.D-8 56DJPTPZ9[5[ 2!+/C!C-? 56DJPTPZ9[5[ 2>H>Q>QK-l;$PK%&:;LL!SUY[\^pqG'J-;( ))4 & LLA> _Y, ` )npuv'(( n)s>K D2C&&D?DAK  E>K  K #K65K6cj^^US:Xa[UU4SjS55(aggUT;aUT;agg)z>Helper method checks if a property is present on both objects.longitude_latitudec3D># UHoT;=(a UT;v M g7fN).0xrrs r )check_property_present..s!J0I1Dy&Q$Y&0Is )r&r'TF)all)rDrrs ``rr7r7sA ## J0IJ J J K  $$, rc[U[5(d [U5n[U[5(d [U5n[R"UR 55[R"UR 55pS[ [X- 5SU-- S5- n[RSXX#5 U$)aPerforms a timestamp-based matching via checking how close one timestamp is to another. Args: t1: A datetime string or STIXdatetime object. t2: A datetime string or STIXdatetime object. tdelta (float): A given time delta. This number is multiplied by 86400 (1 day) to extend or shrink your time change tolerance. Returns: float: Number between 0.0 and 1.0 depending on match criteria. r iQz?-- partial_timestamp_based '%s' '%s' tdelta: '%s' result: '%s') isinstancerrtimemktime timetupleminabsr3r4)t1t2r%results rr8r8s b, ' '  $ b, ' '  $ [[ ($++blln*E S\UV^4a8 8F LLUWY_en Mrc[U5[U5p2[URU55[[U5[U55- n[R SXU5 U$)aTPerforms a partial list matching via finding the intersection between common values. Repeated values are counted only once. This method can be used for *_refs equality checks when de-reference is not possible. Args: l1: A list of values. l2: A list of values. Returns: float: 1.0 if the value matches exactly, 0.0 otherwise. z--- partial_list_based '%s' '%s' result: '%s')setlen intersectionmaxr3r4)l1l2l1_setl2_setr[s rr>r>sRWc"gF $$V, -CKV0M MF LLCRVT MrcFSnX:XaSn[RSXU5 U$)a7Performs an exact value match based on two values. This method can be used for *_ref equality check when de-reference is not possible. Args: val1: A value suitable for an equality test. val2: A value suitable for an equality test. Returns: float: 1.0 if the value matches exactly, 0.0 otherwise. r$?z&-- exact_match '%s' '%s' result: '%s')r3r4)val1val2r[s rr=r=s)F | LLrc[X5$)zPerforms a matching on Indicator Patterns. Args: pattern1: An Indicator pattern pattern2: An Indicator pattern Returns: float: Number between 0.0 and 1.0 depending on match criteria. r )pattern1pattern2s rcustom_pattern_basedrs+s x 22rct1SknSn[R"[R"X55nUHupVSnSnSn Sn [SXV5(aUSUS:XaUSn Sn[SXV5(aUSUS:XaSn[SXV5(aUSUS:XaSn U(a0U(dU (a"X;aS n [R S XU 5 U s $U(dU(d U (dMX;dMUS - nM U[ [U5[U55- n [R S XU 5 U $) zPerforms a matching on External References. Args: ext_refs1: A list of external references. ext_refs2: A list of external references. Returns: float: Number between 0.0 and 1.0 depending on matches. >cvecapecveris mitre-attackrFN source_nameT external_idurlrfz;-- partial_external_reference_based '%s' '%s' result: '%s'r ) itertoolschainproductr7r3r4r`r^) ext_refs1 ext_refs2allowedmatches ref_pairsext_ref1ext_ref2sn_matchei_match url_matchryr[s r partial_external_reference_basedr9s?8GG)/I(  !- D D &(=*AA&}5  !- D D &(=*AA !% < <(5/1 YK4JF LLPf M II;3M qLG?(Bs3y>3y>: :F LLHf MrcSSKJnJn U"X4X#4URS9nSXt- - n[R SX4X#4XH5 U$)aGiven two coordinates perform a matching based on its distance using the Haversine Formula. Args: lat1: Latitude value for first coordinate point. lat2: Latitude value for second coordinate point. long1: Longitude value for first coordinate point. long2: Longitude value for second coordinate point. threshold (float): A kilometer measurement for the threshold distance between these two points. Returns: float: Number between 0.0 and 1.0 depending on match. r)Unit haversine)unitr zD-- partial_location_distance '%s' '%s' threshold: '%s' result: '%s')rr KILOMETERSr3r4) lat1long1lat2long2rrrdistancer[s rr9r9tsK*$ DOOLH (& 'F LLQ }i Mrc 0n[[UR[SSU5/55[UR[SSU5/55U5nUSSnUSSnUSSn UH6up[ X4X#UUU S.UD6n X;aXS.XP'M#XUS :dM0XS.XP'M8 UR U05R S S 5n [ RS XU 5 U $) zpChecks multiple object versions if present in graph. Maximizes for the similarity score of a particular version.r#=rrrrrrrrrmatchedvaluerr$z,-- _versioned_checks '%s' '%s' result: '%s') _object_pairs_bucket_per_typequeryrrr2r3r4) ref1ref2rrrAresultspairsrrrobject1object2r[s r_versioned_checksrsG F4d$;#<=>F4d$;#<=> E "+./DE ,-@A $[1I!"  "% 3/  $+    (,>GM dmG, ,(,>GM"[[r " & &w 4F LL9 F Mrc URS5SURS5SpeSnXV:XaxXT;asUSSnUSSn USSn U (a[XX#40UD6S- nOCURU5URU5pU (aU (a[X4X#UU U S .UD6S- n[R S XU5 U$) z|For two references, de-reference the object and perform object_similarity. The score influences the result of an edge check.--rr$rrrrr-rz*-- reference_check '%s' '%s' result: '%s')splitrr2rr3r4) rrrrrArBrCr[rrro1o2s rr:r:s::d#A& 4(8(;5 F ~%*%k23HI#K01DEK(5 &t3GwG%OFWWT]CGGDMb* #(;&7' ,3    LL7 F Mrc 0n[[US5[US5U5nUH}upxURS5SURS5SpX:XdM3[XxX#40UD6n Xu;aXS.XW'OXUS:aXS.XW'X;aX{S.XX'MjXUS:dMwX{S.XX'M Sn [ SUR 555n [ U5nUS:aX- n [RSXXU 5 U $) aFor objects that contain multiple references (i.e., object_refs) perform the same de-reference procedure and perform object_similarity. The score influences the objects containing these references. The result is weighted on the amount of unique objects that could 1) be de-referenced 2) id-splitrrrrr$c3*# UH oSv M g7f)rNrL)rMrNs rrO'list_reference_check..s9(81gJ(8szO-- list_reference_check '%s' '%s' total_sum: '%s' max_score: '%s' result: '%s') rrrr:sumvaluesr^r3r4)refs1refs2rrrArrrrrBrCscorer[ total_sum max_scores rr;r;s G  + + E  zz$'*DJJt,#DDGDE",0 A w//,0 A ",0 A w//,0 A F9(899IG I1}& LL^ iF Mrc[UR[[45(d%[UR[[45(agg)NTF) issubclass __class__rr)rrs rr<r<s43==>:">??3==>:">?? rc [R"[5nUS:Xa(UVs/sHo2USRU5PM nU$US:Xa5UVs/sH(o2UR S5SRU5PM* nU$s snfs snf)zGiven a list of objects or references, bucket them by type. Depending on the list type: extract from 'type' property or using the 'id'. r rrr) collections defaultdictlistappendr)graphmodebucketsobjs rrrs %%d+G v~5:;UcV  $ $S )U; N  # UH"n[R"TUTU5v M$ g7frK)r|r~)rM stix_typegraph1graph2s rrO _object_pairs..s2)'I &+VI->??'s*-)r]keysr_r|r} from_iterable)rrrAtypes_in_commontestable_typess`` rrr s` &++-(55fkkmDO$11',,.AN ?? ( ()') rzattack-pattern)nameexternal_referencescampaign<()raliaseszcourse-of-actiongrouping)rcontext object_refsidentity)ridentity_classsectorsincident indicatorP)indicator_typespattern valid_fromr%z intrusion-set)rrrlocation"!g@@)rIregioncountryrmalware) malware_typesrzmarking-definition)r definitiondefinition_type relationship)relationship_type source_ref target_refreport )r publishedrr%sighting) first_seen last_seensighting_of_refobserved_data_refswhere_sighted_refssummaryz threat-actor)rthreat_actor_typesrtool) tool_typesr vulnerability)r )"__doc__rr|loggingrT datastorerrrutilsrrrr getLoggerr?r3rrr7r8r>r=rorsrr9rr:r;r<rrr.rLrrrsyN ;;6)   8 $"$ %q:|DdEP.&&" 38v0D:'T  U )* "$DEU  )**+ U )* "$DEU )*,-01U $)*{+*+%U .)* "$DE/U 6 23,-12 7U B)* "$DE*+CU L!#<={# $ MU X01)*YU `[!;' ,aU j +.?+?+kU t )*1201 uU @12010!#78!#78 $ AU P)*!#56*+QU Z -.)* [U b)* "$DEcU r