Does STIX support TLP v2 yet?

Currently STIX seems to support TLP v1

https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_yd3ar14ekwrs

With TLP white, green, amber and red as options to assign to objects.

TLP v2 has been around for over a year and a half now (Traffic Light Protocol (TLP)), so I feel it should be supported by STIX and I am looking in the wrong place.

Can anyone here provide some clarity on the matter?

Hey @packet_rat!

It does! We currently use TLPv2 exclusively to mark objects generated by our products.

OASIS have published the STIX 2.1 Extension Definitions you can use for TLP v2 here:

(slightly off-topic, there is a section on the CTI Documentation page that lists extensions that have reached a certain level of maturity: Resources)

tl;dr, the IDs are:

  • Clear: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
  • Green: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
  • Amber: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
  • Amber+Strict: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
  • Red: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1

For example, here’s an Indicator marked with TLP Clear…

  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "indicator_types": ["malicious-activity"],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "pattern_type": "stix",
    "valid_from": "2016-01-01T00:00:00Z",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
  }

This is not currently supported in the STIX2 Python module (stix2 · PyPI) (there are only functions for TLP v1) but you can just manually add the TLPv2 marking-definition to the object_marking_refs property of your object easily enough.
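
An added example, not part of the original answer or of the stix2 module: plain-Python helpers that add one of the TLP v2 IDs listed above to `object_marking_refs` and filter objects by TLP level before sharing. The function names, the sample objects, and the choice to withhold unmarked objects are assumptions of this example.

```python
import json

# TLP v2 marking-definition IDs from the answer above, least to most restrictive.
TLP2_IDS = {
    "clear": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "green": "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb",
    "amber": "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421",
    "amber+strict": "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003",
    "red": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1",
}
ORDER = list(TLP2_IDS)  # dicts keep insertion order, so index == restrictiveness
ID_TO_LEVEL = {ref: level for level, ref in TLP2_IDS.items()}


def tlp2_level(obj):
    """Return the most restrictive TLP v2 level on obj, or None if it has none."""
    levels = [ID_TO_LEVEL[r] for r in obj.get("object_marking_refs", [])
              if r in ID_TO_LEVEL]
    return max(levels, key=ORDER.index) if levels else None


def mark_tlp2(obj, level):
    """Return a copy of obj with exactly one TLP v2 marking; other refs are kept."""
    ref = TLP2_IDS[level.lower()]  # KeyError on an unknown level name
    kept = [r for r in obj.get("object_marking_refs", []) if r not in ID_TO_LEVEL]
    return {**obj, "object_marking_refs": kept + [ref]}


def releasable(objects, max_level):
    """Keep objects at or below max_level; unmarked objects are withheld
    (fail closed, a local policy assumption of this example)."""
    limit = ORDER.index(max_level.lower())
    return [o for o in objects
            if (lvl := tlp2_level(o)) is not None and ORDER.index(lvl) <= limit]


# Constructed sample objects, trimmed to the fields this example reads.
SAMPLE = [
    {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "object_marking_refs": [TLP2_IDS["clear"]]},
    {"type": "report", "id": "report--00000000-0000-4000-8000-000000000001"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
     "object_marking_refs": [TLP2_IDS["red"]]},
]

if __name__ == "__main__":
    shared = releasable(SAMPLE + [mark_tlp2(SAMPLE[1], "green")], "green")
    print(json.dumps([o["id"] for o in shared], indent=2))
```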