Hey @packet_rat!
It does! We currently use TLPv2 exclusively to mark objects generated by our products.
OASIS have published the STIX 2.1 Extension Definitions you can use for TLP v2 here:
tl;dr, the IDs are:
- Clear: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
- Green: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
- Amber: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
- Amber+Strict: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
- Red: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1
For example, here’s an Indicator marked with TLP Clear…
```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "indicator_types": ["malicious-activity"],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "pattern_type": "stix",
    "valid_from": "2016-01-01T00:00:00Z",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
}
```
This is not currently supported in the STIX2 Python module (stix2 · PyPI) (there are only functions for TLP v1) but you can just manually add the TLPv2 marking-definition to the object_marking_refs property of your object easily enough.
For example, to mark an object as TLP:CLEAR:
```python
# python3 generate_sdo_tlpv2_clear.py
# Start by importing all the things you will need
# https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.sdo.html#stix2.v21.sdo.AttackPattern
# https://stix2.readthedocs.io/en/latest/api/stix2.v21.html?highlight=tlp#stix2.v21.TLPMarking
# (the module's TLP constants are TLP v1 only, so none is imported here)
from stix2 import AttackPattern

# Create the AttackPattern SDO, referencing the TLP v2 CLEAR
# marking-definition ID directly in object_marking_refs
AttackPatternDemo = AttackPattern(
    created_by_ref="identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
    name="Spear Phishing",
    description="Used for tutorial content",
    created="2020-01-01T00:00:00.000000Z",
    modified="2020-01-01T00:00:00.000000Z",
    object_marking_refs=[
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
)

# Print the object to the command line
print(AttackPatternDemo.serialize(pretty=True))
```
Running the script prints:
```json
{
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--6b6a61df-44dd-4c3a-81aa-ac57a786ff47",
    "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
    "created": "2020-01-01T00:00:00.000000Z",
    "modified": "2020-01-01T00:00:00.000000Z",
    "name": "Spear Phishing",
    "description": "Used for tutorial content",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
}
```
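
The consuming side of the same marking, as an added example that is not part of the original post or of the stix2 module: a standard-library check that maps the TLP v2 IDs listed above to levels and decides which objects in a bundle may be released at a given ceiling. The function names, the sample bundle and its IDs are constructed for illustration; withholding unmarked objects and taking the most restrictive marking when several are present are policy assumptions, and only `object_marking_refs` is inspected (not `granular_markings`).

```python
import json

# TLP v2 marking-definition IDs from the post, ordered least to most restrictive.
TLP2 = [
    ("clear", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"),
    ("green", "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"),
    ("amber", "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421"),
    ("amber+strict", "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003"),
    ("red", "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1"),
]
LEVELS = [name for name, _ in TLP2]
RANK = {ref: i for i, (_, ref) in enumerate(TLP2)}


def tlp2_level(obj):
    """Most restrictive TLP v2 level in object_marking_refs, or None if absent."""
    ranks = [RANK[r] for r in obj.get("object_marking_refs", []) if r in RANK]
    return LEVELS[max(ranks)] if ranks else None


def releasable(obj, ceiling):
    """True only if obj carries a TLP v2 marking at or below `ceiling`.
    Assumption: objects with no TLP v2 marking are withheld (fail closed)."""
    level = tlp2_level(obj)
    return level is not None and LEVELS.index(level) <= LEVELS.index(ceiling)


def filter_bundle(bundle_json, ceiling):
    """Return the ids of bundle objects that may be shared at `ceiling`."""
    bundle = json.loads(bundle_json)
    return [o["id"] for o in bundle.get("objects", []) if releasable(o, ceiling)]


# Constructed sample bundle: every id below is made up for this example.
_ID = "00000000-0000-4000-8000-00000000000"
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--" + _ID + "0", "objects": [
    {"type": "indicator", "id": "indicator--" + _ID + "1",
     "object_marking_refs": [TLP2[0][1]]},               # clear
    {"type": "malware", "id": "malware--" + _ID + "2",
     "object_marking_refs": [TLP2[1][1], TLP2[3][1]]},   # green and amber+strict
    {"type": "attack-pattern", "id": "attack-pattern--" + _ID + "3"},  # unmarked
    {"type": "indicator", "id": "indicator--" + _ID + "4",
     "object_marking_refs": [TLP2[2][1]]},               # amber
]})

if __name__ == "__main__":
    for ceiling in ("green", "amber", "red"):
        print(ceiling, filter_bundle(SAMPLE, ceiling))
```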