tl;dr
A short post with code examples that show how to use TLPv2 with STIX 2.1.
Overview
TLP version 2.0 is the current version of TLP standardized by FIRST. It is authoritative from August 2022 onwards
Source: FIRST
Despite TLPv2 having superseded TLPv1 over one year ago, the STIX2 Python library does not yet support TLPv2, as mentioned in my post A Quick Start Guide to Generate Threat Intelligence Using the STIX2 Python Library.
However, TLPv2 marking-definition objects do exist, with fixed STIX IDs.
Here is a quick example of how to use them:
Preparation
You need to install the Python STIX2 library. This post describes how.
TLPv2 Marking Definition STIX IDs
For reference:
TLP:CLEAR: marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487
TLP:GREEN: marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb
TLP:AMBER: marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421
TLP:AMBER+STRICT: marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003
TLP:RED: marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1
Now all that is needed is to add the TLPv2 STIX ID to the object_marking_refs property.
A TLP:CLEAR example
For example, to mark an object as TLP:CLEAR:
    # python3 generate_sdo_tlpv2_clear.py
    ## Start by importing all the things you will need
    ### https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.sdo.html#stix2.v21.sdo.AttackPattern
    ### https://stix2.readthedocs.io/en/latest/api/stix2.v21.html?highlight=tlp#stix2.v21.TLPMarking
    ## The library's built-in TLP constants (TLP_WHITE, TLP_GREEN, ...) are TLPv1,
    ## so they are not imported here; the TLPv2 marking is referenced by its fixed ID.
    from stix2 import AttackPattern

    ## Create the AttackPattern SDO, marking it TLP:CLEAR via object_marking_refs
    AttackPatternDemo = AttackPattern(
        created_by_ref="identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
        name="Spear Phishing",
        description="Used for tutorial content",
        created="2020-01-01T00:00:00.000000Z",
        modified="2020-01-01T00:00:00.000000Z",
        object_marking_refs=[
            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"  # TLP:CLEAR
        ]
    )

    ## Print the object to the command line
    print(AttackPatternDemo.serialize(pretty=True))
Running the script prints:
    {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": "attack-pattern--6b6a61df-44dd-4c3a-81aa-ac57a786ff47",
        "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
        "created": "2020-01-01T00:00:00.000000Z",
        "modified": "2020-01-01T00:00:00.000000Z",
        "name": "Spear Phishing",
        "description": "Used for tutorial content",
        "object_marking_refs": [
            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
        ]
    }
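Because the TLPv2 marking lives only in object_marking_refs, a consumer has to resolve it back from the fixed IDs above before deciding where an object may be shared. The following added example (not part of the original post or the stix2 library) does that on the serialized JSON with plain Python, using the TLPv2 ID table from this post; it replaces any existing TLPv2 marking when re-marking an object and rejects an object that carries two conflicting TLP levels instead of guessing. The SAMPLE dict is the object printed by the script above.

```python
import json
from typing import Optional

# TLPv2 marking-definition IDs, as listed in the table above.
TLPV2_IDS = {
    "TLP:CLEAR": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "TLP:GREEN": "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb",
    "TLP:AMBER": "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421",
    "TLP:AMBER+STRICT": "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003",
    "TLP:RED": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1",
}
ID_TO_TLPV2 = {v: k for k, v in TLPV2_IDS.items()}


def mark_tlpv2(obj: dict, label: str) -> dict:
    """Return a copy of a STIX 2.1 object (as a dict) marked with one TLPv2 label.

    Any TLPv2 marking already present is dropped so the object never carries two
    TLP levels; other marking refs (e.g. statement markings) are kept untouched.
    """
    if label not in TLPV2_IDS:
        raise ValueError(f"unknown TLPv2 label: {label}")
    refs = [r for r in obj.get("object_marking_refs", []) if r not in ID_TO_TLPV2]
    refs.append(TLPV2_IDS[label])
    marked = dict(obj)  # shallow copy; the input object is not mutated
    marked["object_marking_refs"] = refs
    return marked


def tlpv2_of(obj: dict) -> Optional[str]:
    """Return the TLPv2 label referenced by object_marking_refs, or None if absent.

    Two different TLPv2 markings on one object are ambiguous: raise rather than
    silently pick the more (or less) restrictive one.
    """
    labels = {ID_TO_TLPV2[r] for r in obj.get("object_marking_refs", []) if r in ID_TO_TLPV2}
    if len(labels) > 1:
        raise ValueError(f"conflicting TLP markings: {sorted(labels)}")
    return labels.pop() if labels else None


# Constructed sample: the TLP:CLEAR attack-pattern printed by the script above.
SAMPLE = json.loads("""{
  "type": "attack-pattern", "spec_version": "2.1",
  "id": "attack-pattern--6b6a61df-44dd-4c3a-81aa-ac57a786ff47",
  "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
  "created": "2020-01-01T00:00:00.000000Z", "modified": "2020-01-01T00:00:00.000000Z",
  "name": "Spear Phishing", "description": "Used for tutorial content",
  "object_marking_refs": ["marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"]
}""")

if __name__ == "__main__":
    print(tlpv2_of(SAMPLE))                                   # TLP:CLEAR
    print(tlpv2_of(mark_tlpv2(SAMPLE, "TLP:AMBER+STRICT")))  # TLP:AMBER+STRICT
```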