STIX 2.1 Data Markings

This page describes how STIX 2.1 Data Markings are handled by EclecticIQ Intelligence Center.

Overview

Data markings are a way to provide metadata to STIX Objects. A §7.2.1 Marking Definition object represents a specific data marking.

A marking-definition object can look like this:

{
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
    "created": "2016-08-01T00:00:00.000Z",
    "definition_type": "statement",
    "definition": {
        "statement": "Copyright 2019, Example Corp"
    }
}

To apply that marking definition to an Indicator SDO, include it in its object_marking_refs attribute:

{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--b346b4b3-f4b7-4235-b659-f985f65f0009",
    // ...
    "object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
    // ...
}

Supported Object Markings

The STIX 2.1 specification supports two types of §7.2.2 Object Markings:

  • Statement markings (definition_type: statement)

  • TLP markings (definition_type: tlp)

EclecticIQ Intelligence Center supports both of these marking definitions and maps them as follows:

  • Statement markings are ingested as terms-of-use marking structures embedded in the resulting entity.

  • TLP markings set the meta.tlp_color field of the resulting entity.

Statements

STIX 2.1 Statement Marking Objects are ingested to produce “marking structures” embedded in the resulting entities. Ingesting a Statement Marking Object does not produce a corresponding entity or “object” on EclecticIQ Intelligence Center.

Ingest Statements

EclecticIQ Intelligence Center has two types of “statement” marking structures in EclecticIQ entities:

  • Terms of use (terms-of-use)

  • Simple (simple)

Only terms-of-use marking structures are supported when translating EclecticIQ entities into STIX 2.1 Objects and vice-versa.

A STIX 2.1 Statement Marking Object looks like this:

{
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
    "created": "2016-08-01T00:00:00.000Z",
    "definition_type": "statement",
    "definition": {
        "statement": "Copyright 2019, Example Corp"
    }
}

and is ingested to produce a terms-of-use marking structure embedded in the resulting entities:

{
    "content-type": "urn:eclecticiq.com:json:1.0",
    "enrichments": [],
    "entities": [
        {
            "data": {
                "description": "Sample with statement marking structure",
                "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
                "original_stix21_objects": [
                    // ...
                ],
                // ...
                "id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
                "handling": [
                    {
                        "marking_structures": [
                            {
                                "marking_structure_type": "terms-of-use",
                                "terms_of_use": "Copyright 2019, Example Corp",
                                "type": "marking-structure"
                            }
                        ],
                        "type": "marking-specification"
                    }
                ],
                // ...
            },
            // ...
        }
    ],
    // ...
}

Tip

To view the marking structures of an EclecticIQ entity, open the entity on EclecticIQ Intelligence Center and select the JSON tab.

Export Statements

All terms-of-use marking structures in EclecticIQ entities produce Statement Marking Objects when that entity is exported as a STIX 2.1 bundle.

Marking structures of type simple are ignored on export.
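The statement round trip described in the Ingest Statements and Export Statements sections, as an added example (not EclecticIQ's own code, and not the stix2 library). It works on plain dicts: ingest turns each referenced statement marking definition that is actually present in the bundle into a terms-of-use marking structure, skipping refs the bundle does not carry; export turns terms-of-use structures back into Statement Marking Objects and drops simple ones. The bundle id, the second marking ref and the simple structure in the usage are constructed; the function names and the handling shape are assumptions modelled on the JSON shown above.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample bundle: the statement marking definition shown on this page,
# plus an indicator that references it and one ref whose definition is NOT in the
# bundle (constructed id, deliberately unresolvable).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",  # constructed
    "objects": [
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
            "created": "2016-08-01T00:00:00.000Z",
            "definition_type": "statement",
            "definition": {"statement": "Copyright 2019, Example Corp"},
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b346b4b3-f4b7-4235-b659-f985f65f0009",
            "pattern": "[ipv4-addr:value = '198.51.100.1']",
            "pattern_type": "stix",
            "object_marking_refs": [
                "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
                "marking-definition--00000000-0000-4000-8000-0000000000ff",  # constructed
            ],
        },
    ],
}


def ingest_handling(bundle):
    """Hypothetical ingest step: for each non-marking object, build the `handling`
    list the page shows, with one terms-of-use marking structure per referenced
    statement marking definition that is actually present in the bundle."""
    markings = {o["id"]: o for o in bundle["objects"] if o["type"] == "marking-definition"}
    handling = {}
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition":
            continue
        structures = []
        for ref in obj.get("object_marking_refs", []):
            md = markings.get(ref)
            if md is None or md.get("definition_type") != "statement":
                continue  # not in the bundle, or not a statement marking: nothing to embed
            structures.append({
                "marking_structure_type": "terms-of-use",
                "terms_of_use": md["definition"]["statement"],
                "type": "marking-structure",
            })
        handling[obj["id"]] = (
            [{"marking_structures": structures, "type": "marking-specification"}]
            if structures else []
        )
    return handling


def export_statement_markings(handling):
    """Hypothetical export step: every terms-of-use marking structure yields a
    Statement Marking Object; `simple` structures are ignored. Identical
    statements are emitted once so that several entities can share the object."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    by_statement = {}
    for spec in handling:
        for ms in spec.get("marking_structures", []):
            if ms.get("marking_structure_type") != "terms-of-use":
                continue
            text = ms["terms_of_use"]
            by_statement.setdefault(text, {
                "type": "marking-definition",
                "spec_version": "2.1",
                "id": f"marking-definition--{uuid.uuid4()}",
                "created": now,
                "definition_type": "statement",
                "definition": {"statement": text},
            })
    return list(by_statement.values())


if __name__ == "__main__":
    handling = ingest_handling(SAMPLE_BUNDLE)
    print(handling["indicator--b346b4b3-f4b7-4235-b659-f985f65f0009"])
    print(export_statement_markings(handling["indicator--b346b4b3-f4b7-4235-b659-f985f65f0009"]))
```

The unresolvable ref simply disappears on ingest, which is the behaviour to keep in mind when a bundle omits its marking definitions: the entity ends up without that handling, and nothing flags the omission unless you check for it before ingestion.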

TLP

This section describes how STIX 2.1 TLP Marking Objects are handled by EclecticIQ Intelligence Center.

For more information on how TLP works on EclecticIQ Intelligence Center, see About TLP.

Ingest TLP

When ingesting STIX Objects with TLP markings, you must include the corresponding full TLP Marking Objects in your STIX 2.1 bundle for the correct TLP marking to be applied to the resulting entity. EclecticIQ Intelligence Center does not resolve object_marking_refs that are not included in the STIX 2.1 bundle.

§7.2.1.4 provides specific marking-definition objects for TLP colors that you can use.

These marking-definition objects are ingested by EclecticIQ Intelligence Center to set the meta.tlp_color field in the resulting entity.

Tip

Ingesting a TLP marking-definition object does not produce a corresponding entity or “object” on EclecticIQ Intelligence Center. TLP colors are only stored in the meta.tlp_color field of an entity. The original marking-definition object is preserved in the original_stix21_objects field of the resulting entity.

For example, for the following Indicator SDO:

{
    "type": "indicator",
    "name": "Bad IP1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
    "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
    "created": "2018-01-17T11:11:13.000Z",
    "modified": "2018-01-17T11:11:13.000Z",
    "valid_from": "2018-01-01T00:00:00Z",
    "labels": [
        "malicious-activity"
    ],
    "object_marking_refs": [
        "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
    ],
    "pattern": "[ipv4-addr:value = '198.51.100.1']",
    "pattern_type": "stix"
}

we can see that its object_marking_refs contains a reference to the “TLP:GREEN” TLP Marking Object: marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da.

When that Indicator SDO is ingested by EclecticIQ Intelligence Center, it produces an Indicator entity with its .entities[].data.meta.tlp_color field set to the “color” of the referenced TLP Marking Object, and looks like this:

{
    "content-type": "urn:eclecticiq.com:json:1.0",
    "enrichments": [],
    "entities": [
        {
            "data": {
                "description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
                "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
                "original_stix21_objects": [
                    // ...
                ],
                // ...
                "id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
                "meta": {
                    "estimated_observed_time": "2018-01-17T11:11:13+00:00",
                    "estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
                    "first_ingest_time": "2021-07-27T14:04:41.078941+00:00",
                    "half_life": 30,
                    "ingest_time": "2021-07-27T14:04:41.078941+00:00",
                    "source_reliability": null,
                    "tags": [
                        "malicious-activity"
                    ],
                    "title": "Bad IP1",
                    "tlp_color": "GREEN"
                },
                // ...
            }
        }
    ],
    // ...
}

Export TLP

When exporting an EclecticIQ Intelligence Center entity to STIX 2.1, the TLP marking-definition object is reconstructed from that entity’s meta.tlp_color field.

If a TLP override is applied during export, or by the configured outgoing feed, the marking-definition object is derived from that TLP override for all the entities it applies to.

Multiple TLP markings

§7.2 Data Markings does not specify how to resolve the TLP color applied to a given object when multiple TLP marking definitions are applied.

EclecticIQ Intelligence Center defers to the STIX 1.2 specification and applies only the most restrictive TLP color referenced by the object:

“Nodes may be marked by multiple TLP Marking statements. When this occurs, the node should be considered marked at the most restrictive TLP Marking of all TLP Markings that were applied to it. For example, if a node is marked both GREEN and AMBER, the node should be considered AMBER.”
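The TLP behaviour described in the Ingest TLP, Export TLP and Multiple TLP markings sections, as an added example (not EclecticIQ's own code, and not the stix2 library). Ingest resolves object_marking_refs only against TLP Marking Objects carried in the bundle, reports refs the bundle does not carry instead of applying them, and picks the most restrictive colour when several apply; export rebuilds the §7.2.1.4 marking object from a tlp_color, or from an override when one is in force. The four marking-definition ids are the fixed ones from §7.2.1.4 of the STIX 2.1 specification (only the GREEN id appears on this page); the bundle id, the third marking ref and the function names are constructed or assumed.

```python
# Restrictiveness order of the TLP colours defined in STIX 2.1 §7.2.1.4.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]

# The fixed TLP marking-definition ids from §7.2.1.4 of the specification
# (the GREEN id is the one referenced on this page).
TLP_DEFINITIONS = {
    "WHITE": "marking-definition--613f2e26-5a5a-4d04-9c88-9a5ba39f45ea",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}


def tlp_marking_definition(color):
    """Build the full §7.2.1.4 TLP Marking Object for a colour."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": TLP_DEFINITIONS[color],
        "created": "2017-01-20T00:00:00.000Z",
        "definition_type": "tlp",
        "name": f"TLP:{color}",
        "definition": {"tlp": color.lower()},
    }


# Constructed sample bundle: the page's "Bad IP1" indicator, now referencing
# TLP:GREEN, TLP:AMBER and one constructed ref whose definition is NOT in the
# bundle. Only the GREEN and AMBER marking objects are included in full.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000002",  # constructed
    "objects": [
        tlp_marking_definition("GREEN"),
        tlp_marking_definition("AMBER"),
        {
            "type": "indicator",
            "spec_version": "2.1",
            "name": "Bad IP1",
            "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "valid_from": "2018-01-01T00:00:00Z",
            "pattern": "[ipv4-addr:value = '198.51.100.1']",
            "pattern_type": "stix",
            "object_marking_refs": [
                TLP_DEFINITIONS["GREEN"],
                TLP_DEFINITIONS["AMBER"],
                "marking-definition--00000000-0000-4000-8000-0000000000ee",  # constructed
            ],
        },
    ],
}


def resolve_tlp(sdo, bundle):
    """Hypothetical ingest step. Returns (tlp_color, unresolved_refs): the most
    restrictive colour among the TLP definitions the bundle actually carries, or
    None; refs whose definition is missing from the bundle are reported, not applied."""
    markings = {o["id"]: o for o in bundle["objects"] if o["type"] == "marking-definition"}
    applied, unresolved = [], []
    for ref in sdo.get("object_marking_refs", []):
        md = markings.get(ref)
        if md is None:
            unresolved.append(ref)
        elif md.get("definition_type") == "tlp":
            color = md["definition"]["tlp"].upper()
            if color in TLP_ORDER:
                applied.append(color)
    if not applied:
        return None, unresolved
    return max(applied, key=TLP_ORDER.index), unresolved


def export_tlp_marking(tlp_color, override=None):
    """Hypothetical export step: rebuild the TLP Marking Object from meta.tlp_color,
    or from the TLP override when one applies to the export or the outgoing feed."""
    return tlp_marking_definition((override or tlp_color).upper())


if __name__ == "__main__":
    indicator = SAMPLE_BUNDLE["objects"][2]
    color, missing = resolve_tlp(indicator, SAMPLE_BUNDLE)
    print(color, missing)
    print(export_tlp_marking(color, override="RED")["name"])
```

Checking the unresolved list before ingestion is the practical safeguard here: a bundle that references a TLP marking it does not include yields an entity with no tlp_color at all rather than an error, so a producer that forgets to ship the marking objects silently loses the restriction.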

Granular markings

§7.2.3 Granular Markings are not supported by EclecticIQ Intelligence Center, and are ignored on ingestion.

If granular markings are defined in the STIX 2.1 Object, those markings are preserved in the original_stix21_objects field of the resulting entity.