Currently STIX seems to support TLP v1, according to the spec
https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_yd3ar14ekwrs
With TLP white, green, amber and red as options to assign to objects.
TLP v2 has been around for over a year and a half now (Traffic Light Protocol (TLP)), so I feel it should be supported by STIX and I am looking in the wrong place.
Can anyone here provide some clarity on the matter?
Hey @packet_rat!
It does! We currently use TLPv2 exclusively to mark objects generated by our products.
OASIS have published the STIX 2.1 Extension Definitions you can use for TLP v2 here:
tl;dr, the IDs are:
- Clear: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
- Green: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
- Amber: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
- Amber+Strict: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
- Red: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1
For example, here’s an Indicator marked with TLP Clear…
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "indicator_types": ["malicious-activity"],
  "name": "Poison Ivy Malware",
  "description": "This file is part of Poison Ivy",
  "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
  "pattern_type": "stix",
  "valid_from": "2016-01-01T00:00:00Z",
  "object_marking_refs": [
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
  ]
}
This is not currently supported in the STIX2 Python module (stix2 · PyPI) (there are only functions for TLP v1) but you can just manually add the TLPv2 marking-definition to the object_marking_refs property of your object easily enough.