Does STIX Support TLP v2?

Currently STIX seems to support TLP v1, with TLP white, green, amber and red as options to assign to objects.

TLP v2 has been around for over a year and a half now (Traffic Light Protocol (TLP)), so I feel it should be supported by STIX and I am looking in the wrong place.

Can anyone here provide some clarity on the matter?

Hey @packet_rat!

It does. Sort of.

Let me explain…

OASIS have published some STIX 2.1 Extension Definitions you can use for TLP v2 here:

tl;dr, the IDs are:

  • Clear: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
  • Green: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
  • Amber: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
  • Amber+Strict: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
  • Red: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1

For example, here’s an Indicator marked with TLP Clear…

    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
        "created": "2016-04-06T20:03:48.000Z",
        "modified": "2016-04-06T20:03:48.000Z",
        "indicator_types": ["malicious-activity"],
        "name": "Poison Ivy Malware",
        "description": "This file is part of Poison Ivy",
        "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
        "pattern_type": "stix",
        "valid_from": "2016-01-01T00:00:00Z",
        "object_marking_refs": [
            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
        ]
    }

The problem is, this isn’t yet supported by many generation tools. For example, the STIX2 Python module (stix2 · PyPI) only supports TLP v1.

There is a section on the CTI Documentation page that lists extensions that have reached a certain level of maturity:

Though IMO TLP v1 should be replaced in STIX with v2 as the default (but keeping v1 support for compatibility issues with up/downstream software).
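Since the answer notes that generation tools may not know the TLP v2 IDs, here is an added example (not part of the original posts, and not OASIS or stix2 code) that applies those IDs to plain STIX dicts and gates release on the most restrictive marking. The function names, the fail-closed handling of unmarked objects and the sample objects are assumptions made for illustration.

```python
import copy

# TLP v2 marking-definition IDs exactly as listed in the answer above,
# ordered from least to most restrictive.
TLP_V2 = [
    ("clear", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"),
    ("green", "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"),
    ("amber", "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421"),
    ("amber+strict", "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003"),
    ("red", "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1"),
]
ID_BY_LABEL = dict(TLP_V2)
RANK_BY_ID = {mid: rank for rank, (_, mid) in enumerate(TLP_V2)}


def set_tlp(obj, label):
    """Return a copy of a STIX object dict carrying exactly one TLP v2 marking."""
    marked = copy.deepcopy(obj)
    # Keep non-TLP markings (e.g. statement markings), drop any earlier TLP v2 ref.
    others = [r for r in marked.get("object_marking_refs", []) if r not in RANK_BY_ID]
    marked["object_marking_refs"] = others + [ID_BY_LABEL[label]]
    return marked


def effective_tlp(obj):
    """Most restrictive TLP v2 label on the object, or None if it has none."""
    ranks = [RANK_BY_ID[r] for r in obj.get("object_marking_refs", []) if r in RANK_BY_ID]
    return TLP_V2[max(ranks)][0] if ranks else None


def releasable(objects, ceiling):
    """Objects at or below `ceiling`; objects without a TLP v2 marking are withheld."""
    limit = RANK_BY_ID[ID_BY_LABEL[ceiling]]
    out = []
    for obj in objects:
        label = effective_tlp(obj)
        if label is not None and RANK_BY_ID[ID_BY_LABEL[label]] <= limit:
            out.append(obj)
    return out


# Constructed sample objects, trimmed to the fields this check reads.
SAMPLE = [
    set_tlp({"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"}, "clear"),
    set_tlp({"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001"}, "amber+strict"),
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002"},  # unmarked
]

if __name__ == "__main__":
    print([o["id"] for o in releasable(SAMPLE, "green")])
```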