Does STIX Support TLP v2?

Currently STIX seems to support TLP v1

https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_yd3ar14ekwrs

With TLP white, green, amber and red as options to assign to objects.

TLP v2 has been around for over a year and a half now (Traffic Light Protocol (TLP)), so I feel it should be supported by STIX and I am looking in the wrong place.

Can anyone here provide some clarity on the matter?

Hey @packet_rat!

It does. Sort of.

Let me explain…

OASIS have published some STIX 2.1 Extension Definitions you can use for TLP v2 here:

tl;dr, the IDs are:

  • Clear: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
  • Green: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
  • Amber: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
  • Amber+Strict: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
  • Red: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1

For example, here’s an Indicator marked with TLP Clear…

  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "indicator_types": ["malicious-activity"],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "pattern_type": "stix",
    "valid_from": "2016-01-01T00:00:00Z",
    "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
    ]
  }

The problem is, this isn’t yet supported by many generation tools. For example, the STIX2 Python module (stix2 · PyPI) only supports TLP v1.

There is a section on the CTI Documentation page that lists extensions that have reached a certain level of maturity:

Though IMO TLP v1 should be replaced in STIX with v2 as the default (but keeping v1 support for compatibility issues with up/downstream software).
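An added example, not part of the original answer and not OASIS or stix2 code: since tooling support is uneven, a consumer can resolve TLP v2 markings from the IDs listed above using only the standard library and filter objects before sharing them. The function names, the sample objects and the fail-closed policy for objects without a recognised TLP v2 marking are assumptions of this sketch.

```python
# TLP v2 marking-definition IDs exactly as listed in the answer above,
# ordered from least to most restrictive.
TLP2_IDS = {
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487": "clear",
    "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb": "green",
    "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421": "amber",
    "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003": "amber+strict",
    "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1": "red",
}
RANK = {name: i for i, name in enumerate(TLP2_IDS.values())}


def tlp2_level(obj):
    """Return the most restrictive TLP v2 level on a STIX object, or None."""
    refs = obj.get("object_marking_refs", [])
    levels = [TLP2_IDS[r] for r in refs if r in TLP2_IDS]
    # If a producer attached more than one TLP marking, honour the strictest.
    return max(levels, key=RANK.__getitem__) if levels else None


def releasable(objects, ceiling):
    """Keep objects whose TLP v2 level is at or below `ceiling`.

    Objects with no recognised TLP v2 marking are withheld (fail closed);
    that policy is an assumption of this example, not a STIX requirement.
    """
    limit = RANK[ceiling]
    kept = []
    for obj in objects:
        level = tlp2_level(obj)
        if level is not None and RANK[level] <= limit:
            kept.append(obj)
    return kept


# Constructed sample objects; the "id" values and the last marking ref are
# placeholders made up for this example.
CLEAR, GREEN, _, AMBER_STRICT, _ = TLP2_IDS
SAMPLE = [
    {"type": "indicator", "id": "indicator--a", "object_marking_refs": [CLEAR]},
    {"type": "indicator", "id": "indicator--b",
     "object_marking_refs": [GREEN, AMBER_STRICT]},
    {"type": "indicator", "id": "indicator--c"},
    {"type": "indicator", "id": "indicator--d",
     "object_marking_refs": ["marking-definition--unknown-placeholder"]},
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o["id"], tlp2_level(o))
    print([o["id"] for o in releasable(SAMPLE, "green")])
```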