STIX 2.1 Data Markings

This page provides details on how STIX 2.1 Data Markings are handled by the Intelligence Center.

Overview

Data markings are a way to provide metadata to STIX Objects. A §7.2.1 Marking Definition object represents a specific data marking.

A marking-definition object can look like this:

{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
"created": "2016-08-01T00:00:00.000Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2019, Example Corp"
}
}

To apply that marking definition to an Indicator SDO, include its id in the indicator's object_marking_refs list:

{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b346b4b3-f4b7-4235-b659-f985f65f0009",
// ...
"object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
// ...
}

Supported Object Markings

The STIX 2.1 specification defines two marking definition types that can be applied as §7.2.2 Object Markings:

  • Statement markings (definition_type: statement)

  • TLP markings (definition_type: tlp)

The Intelligence Center supports both of these marking definitions, and maps them as follows:

  • Statement markings are ingested as terms-of-use marking structures embedded in the resulting entity (see Statements below).

  • TLP markings set the meta.tlp_color field of the resulting entity (see TLP below).

Statements

STIX 2.1 Statement Marking Objects are ingested to produce “marking structures” embedded in the resulting entities. Ingesting one does not produce a corresponding entity or “object” on the Intelligence Center.

Ingest statements

The Intelligence Center supports two types of “statement” marking structures in EclecticIQ entities:

  • Terms of use (terms-of-use)

  • Simple (simple)

Only terms-of-use marking structures are used when translating EclecticIQ entities into STIX 2.1 Objects and vice versa.

A STIX 2.1 Statement Marking Object looks like this:

{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
"created": "2016-08-01T00:00:00.000Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2019, Example Corp"
}
}

and is ingested to produce a terms-of-use marking structure embedded in resulting entities:

To view the marking structures of an EclecticIQ Entity, open the entity on the Intelligence Center and select the JSON tab.

{
"content-type": "urn:eclecticiq.com:json:1.0",
"enrichments": [],
"entities": [
{
"data": {
"description": "Sample with statement marking structure",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"original_stix21_objects": [
// ...
],
// ...
"id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"handling": [
{
"marking_structures": [
{
"marking_structure_type": "terms-of-use",
"terms_of_use": "Copyright 2019, Example Corp",
"type": "marking-structure"
}
],
"type": "marking-specification"
}
],
// ...
},
// ...
}
],
//...
}

Export Statements

All terms-of-use marking structures in EclecticIQ entities produce Statement Marking Objects when that entity is exported as a STIX 2.1 bundle.

Marking structures of type simple are ignored on export.
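The statement mapping described in the Ingest statements and Export Statements sections, as an added example (not the Intelligence Center's own code). It assumes a plain STIX 2.1 bundle as input, a constructed sample bundle built from the marking definition shown on this page, and fresh UUIDv4 ids for exported marking definitions.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample bundle: the statement marking-definition shown on this page, applied to an indicator.
STATEMENT_ID = "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd"
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": STATEMENT_ID,
         "created": "2016-08-01T00:00:00.000Z", "definition_type": "statement",
         "definition": {"statement": "Copyright 2019, Example Corp"}},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--b346b4b3-f4b7-4235-b659-f985f65f0009",
         "object_marking_refs": [STATEMENT_ID]},
    ],
}


def statement_markings(bundle):
    """Index the statement marking-definitions present in the bundle: id -> statement text."""
    return {o["id"]: o["definition"]["statement"] for o in bundle["objects"]
            if o["type"] == "marking-definition" and o.get("definition_type") == "statement"}


def ingest_handling(sdo, bundle):
    """Build the entity's 'handling' block: one terms-of-use marking structure per resolvable
    statement ref. Refs to marking-definitions that are not in the bundle are not resolved."""
    statements = statement_markings(bundle)
    structures = [{"marking_structure_type": "terms-of-use", "terms_of_use": statements[ref],
                   "type": "marking-structure"}
                  for ref in sdo.get("object_marking_refs", []) if ref in statements]
    return [{"marking_structures": structures, "type": "marking-specification"}] if structures else []


def export_statement_markings(handling):
    """Export: every terms-of-use marking structure becomes a Statement Marking Object;
    'simple' marking structures are ignored. Ids are fresh UUIDv4s (an assumption of this example)."""
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for spec in handling:
        for ms in spec.get("marking_structures", []):
            if ms.get("marking_structure_type") != "terms-of-use":
                continue  # simple (and any other) structures do not produce STIX objects
            objects.append({"type": "marking-definition", "spec_version": "2.1",
                            "id": f"marking-definition--{uuid.uuid4()}", "created": created,
                            "definition_type": "statement",
                            "definition": {"statement": ms["terms_of_use"]}})
    return objects
```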

TLP

This section describes how STIX 2.1 TLP Marking Objects are handled by the Intelligence Center.

For more information on how TLP works on the Intelligence Center, see About TLP.

Ingest TLP

You must include full TLP Marking Objects in your STIX 2.1 bundle for the correct TLP marking to be applied to the STIX Objects that reference it in their object_marking_refs fields. The Intelligence Center does not resolve object_marking_refs that are not included in the STIX 2.1 bundle.

§7.2.1.4 of the specification defines fixed marking-definition objects, one per TLP color, that you can use.

These marking-definition objects are ingested by the Intelligence Center to set the meta.tlp_color field in the resulting entity.

Ingesting a TLP marking-definition object does not produce a corresponding entity or “object” on the Intelligence Center – TLP colors are only stored in the meta.tlp_color field of an entity. The original marking-definition object is preserved in the original_stix21_objects field of the resulting entity.

For example, for the following Indicator SDO:

{
"type": "indicator",
"name": "Bad IP1",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
"created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
"created": "2018-01-17T11:11:13.000Z",
"modified": "2018-01-17T11:11:13.000Z",
"valid_from": "2018-01-01T00:00:00Z",
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
],
"pattern": "[ipv4-addr:value = '198.51.100.1']",
"pattern_type": "stix"
}

we can see that its object_marking_refs contains a reference to the “TLP:GREEN” TLP Marking Object: 34098fce-860f-48ae-8e50-ebd3cc5e41da.

When that Indicator SDO is ingested by the Intelligence Center, it produces an Indicator entity with its .entities[].data.meta.tlp_color field set to the “color” of the referenced TLP Marking Object, and looks like this:

{
"content-type": "urn:eclecticiq.com:json:1.0",
"enrichments": [],
"entities": [
{
"data": {
"description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"original_stix21_objects": [
// ...
],
// ...
"id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"meta": {
"estimated_observed_time": "2018-01-17T11:11:13+00:00",
"estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
"first_ingest_time": "2021-07-27T14:04:41.078941+00:00",
"half_life": 30,
"ingest_time": "2021-07-27T14:04:41.078941+00:00",
"source_reliability": null,
"tags": [
"malicious-activity"
],
"title": "Bad IP1",
"tlp_color": "GREEN"
},
// ...
}
],
//...
}

Export TLP

When exporting an Intelligence Center entity to STIX 2.1, the TLP marking-definition object is reconstructed from that entity’s meta.tlp_color field.

If a TLP override is applied during export, or by the configured outgoing feed, the marking-definition object is derived from that TLP override for all entities it applies to.

Multiple TLP markings

The STIX 2.1 specification does not define how to resolve the TLP color applied to a given object when multiple TLP marking definitions are applied.

The Intelligence Center follows the rule from the STIX 1.2 specification and applies the most restrictive TLP color referenced by the object:

Nodes may be marked by multiple TLP Marking statements. When this occurs, the node should be considered marked at the most restrictive TLP Marking of all TLP Markings that were applied to it. For example, if a node is marked both GREEN and AMBER, the node should be considered AMBER.

Granular markings

§7.2.3 Granular Markings are not supported by the Intelligence Center, and are ignored on ingestion.

If granular markings are defined in the STIX 2.1 Object, those markings are preserved in the original_stix21_objects field of the resulting entity.
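The TLP behaviour described in the Ingest TLP, Export TLP, Multiple TLP markings and Granular markings sections, as an added example (not the Intelligence Center's own code). The fixed TLP marking-definition ids are the ones from STIX 2.1 §7.2.1.4 (the GREEN id is the one shown on this page); the bundle is constructed, and the "most restrictive" ordering WHITE < GREEN < AMBER < RED is an assumption of this example.

```python
# Fixed TLP marking-definition ids from STIX 2.1 §7.2.1.4 (GREEN is the one shown on this page),
# listed least to most restrictive; the dict order drives the "most restrictive wins" rule.
TLP_IDS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_ORDER = list(TLP_IDS)

# Constructed sample bundle: the GREEN and AMBER definitions plus an indicator that references both,
# references a marking that is NOT in the bundle, and carries a granular marking (RED).
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000002",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS["GREEN"],
         "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:GREEN",
         "definition": {"tlp": "green"}},
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS["AMBER"],
         "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:AMBER",
         "definition": {"tlp": "amber"}},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "object_marking_refs": [TLP_IDS["GREEN"], TLP_IDS["AMBER"],
                                 "marking-definition--00000000-0000-4000-8000-000000000bad"],
         "granular_markings": [{"marking_ref": TLP_IDS["RED"], "selectors": ["pattern"]}]},
    ],
}


def tlp_definitions(bundle):
    """Index only the TLP marking-definitions actually present in the bundle: id -> colour."""
    return {o["id"]: o["definition"]["tlp"].upper() for o in bundle["objects"]
            if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}


def resolve_tlp_color(sdo, bundle):
    """Value for meta.tlp_color: the most restrictive colour among resolvable object_marking_refs.
    Refs missing from the bundle are not resolved, and granular_markings are ignored entirely."""
    known = tlp_definitions(bundle)
    colors = [known[ref] for ref in sdo.get("object_marking_refs", []) if ref in known]
    return max(colors, key=TLP_ORDER.index) if colors else None


def export_tlp_marking(tlp_color, override=None):
    """Reconstruct the marking-definition for export from meta.tlp_color, or from a TLP override."""
    color = (override or tlp_color).upper()
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[color],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{color}", "definition": {"tlp": color.lower()}}
```

The sample indicator resolves to AMBER: GREEN and AMBER are both present, the unknown ref is dropped, and the RED granular marking has no effect.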