taxii-delete-object
Uses the id field value of each record passed through the pipeline to revoke a STIX object from a specific collection on a TAXII 2.x server. In the TAXII protocol, object deletion is implemented by setting the revoked flag to true.
Command properties
| Property | Description |
|---|---|
| Command type | Transforming |
| Required permission | User permission |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
profile=profile_name- Name of the TAXII connect profile to use.
apiroot=api_root_name- Name of the TAXII API root from which to delete the object. Required.
id=collection_id- Collection ID (GUID format) from which to delete the object. Required.
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| id | string | Required | ID of the STIX object to delete |
Output fields
Passes through the input record as-is. If an error occurs, an _error field is appended.
| Field | Type | Description |
|---|---|---|
| _error | string | Error message if an error occurs |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 201800 | No available TAXII profile found. | No available TAXII profile exists |
| 201801 | Specify valid TAXII profile. | The specified TAXII profile name is invalid |
| 201802 | Specify apiroot option | The apiroot option was not specified |
| 201803 | Specify id option | The collection id option was not specified |
| 201804 | check GUID format of TAXII id option | The collection id option is not in GUID format |
Description
For each record passed through the pipeline, the command looks up the STIX object corresponding to the id field in the TAXII collection and updates the object by setting its revoked attribute to true. If the id field is not a string or the target object does not exist, the error message is recorded in the _error field.
In the TAXII protocol, object deletion is a revocation rather than actual removal, so revoked objects remain in the collection with revoked=true.
Examples
-
Revoke STIX objects from a collection
taxii-objects profile="my-taxii" apiroot="taxii" id="12345678-1234-1234-1234-123456789abc" | search type == "indicator" AND revoked == false | taxii-delete-object profile="my-taxii" apiroot="taxii" id="12345678-1234-1234-1234-123456789abc"Revokes all non-revoked indicator-type objects in the collection.