STIX 2.1 Data Markings#
This page describes how STIX 2.1 Data Markings are handled by EclecticIQ Intelligence Center.
Overview#
Data markings are a way to attach handling metadata to STIX Objects. A §7.2.1 Marking Definition object represents a specific data marking. A marking-definition object can look like this:
{
  "type": "marking-definition",
  "spec_version": "2.1",
  "id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
  "created": "2016-08-01T00:00:00.000Z",
  "definition_type": "statement",
  "definition": {
    "statement": "Copyright 2019, Example Corp"
  }
}
To apply that marking definition to an Indicator SDO, include its id in the Indicator's object_marking_refs property (the reference below points at the marking-definition shown above):
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--b346b4b3-f4b7-4235-b659-f985f65f0009",
  // ...
  "object_marking_refs": ["marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd"],
  // ...
}
Supported Object Markings#
The STIX 2.1 specification defines two marking definition types (definition_type values) that can be applied as §7.2.2 Object Markings:
- statement, the §7.2.1.3 Statement Marking Object Type.
- tlp, the §7.2.1.4 TLP Marking Object Type.
EclecticIQ Intelligence Center supports both these marking definitions, and maps them as follows:
Statements#
STIX 2.1 Statement Marking Objects are ingested to produce “marking structures” embedded in the resulting entities. Ingesting a Statement Marking Object does not produce a corresponding entity or “object” on EclecticIQ Intelligence Center.
Ingest Statements#
EclecticIQ Intelligence Center has two types of “statement” marking structures in EclecticIQ entities:
- Terms of use (terms-of-use)
- Simple (simple)
Only terms-of-use marking structures are supported when translating EclecticIQ entities into STIX 2.1 Objects and vice versa.
A STIX 2.1 Statement Marking Object looks like this:
{
  "type": "marking-definition",
  "spec_version": "2.1",
  "id": "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd",
  "created": "2016-08-01T00:00:00.000Z",
  "definition_type": "statement",
  "definition": {
    "statement": "Copyright 2019, Example Corp"
  }
}
and is ingested to produce a terms-of-use marking structure embedded in the resulting entity:
Tip
To view the marking structures of an EclecticIQ Entity, open the entity on EclecticIQ Intelligence Center and select the JSON tab.
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "data": {
        "description": "Sample with statement marking structure",
        "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "original_stix21_objects": [
          // ...
        ],
        // ...
      },
      "id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "handling": [
        {
          "marking_structures": [
            {
              "marking_structure_type": "terms-of-use",
              "terms_of_use": "Copyright 2019, Example Corp",
              "type": "marking-structure"
            }
          ],
          "type": "marking-specification"
        }
      ],
      // ...
    }
  ],
  // ...
}
Export Statements#
All terms-of-use marking structures in an EclecticIQ entity produce Statement Marking Objects when that entity is exported as a STIX 2.1 bundle. simple marking structures in entities are ignored.
TLP#
This section describes how STIX 2.1 TLP Marking Objects are handled by EclecticIQ Intelligence Center.
For more information on how TLP works on EclecticIQ Intelligence Center, see About TLP.
Ingest TLP#
When ingesting STIX Objects with TLP markings, you must include the corresponding full TLP Marking Objects in your STIX 2.1 bundle for the correct TLP marking to be applied to the resulting entity. EclecticIQ Intelligence Center does not resolve object_marking_refs that are not included in the STIX 2.1 bundle: an object that references a TLP Marking Object missing from the bundle is ingested without that TLP color. Check that a bundle carries every marking-definition object it references before ingesting it; otherwise content that was meant to be restricted can land in the platform with no TLP marking at all.
§7.2.1.4 provides specific marking-definition objects for the TLP colors that you can use. These marking-definition objects are ingested by EclecticIQ Intelligence Center to set the meta.tlp_color field in the resulting entity.
Tip
Ingesting a TLP marking-definition object does not produce a corresponding entity or “object” on EclecticIQ Intelligence Center. TLP colors are only stored in the meta.tlp_color field of an entity. The original marking-definition object is preserved in the original_stix21_objects field of the resulting entity.
For example, for the following Indicator SDO:
{
  "type": "indicator",
  "name": "Bad IP1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
  "created_by_ref": "identity--f6e43aa5-76cc-45ca-9b06-be2d65f26bfb",
  "created": "2018-01-17T11:11:13.000Z",
  "modified": "2018-01-17T11:11:13.000Z",
  "valid_from": "2018-01-01T00:00:00Z",
  "labels": [
    "malicious-activity"
  ],
  "object_marking_refs": [
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
  ],
  "pattern": "[ipv4-addr:value = '198.51.100.1']",
  "pattern_type": "stix"
}
we can see that its object_marking_refs contains a reference to the “TLP:GREEN” TLP Marking Object: marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da.
When that Indicator SDO is ingested by EclecticIQ Intelligence Center, it produces an Indicator entity with its .entities[].meta.tlp_color field set to the “color” of the referenced TLP Marking Object, and looks like this:
{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "data": {
        "description": "STIX 2.1 Interoperability Part 1, 2.5.3.1 TLP Green + Indicator with IPv4 Address",
        "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "original_stix21_objects": [
          // ...
        ],
        // ...
      },
      "id": "8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "meta": {
        "estimated_observed_time": "2018-01-17T11:11:13+00:00",
        "estimated_threat_start_time": "2018-01-01T00:00:00+00:00",
        "first_ingest_time": "2021-07-27T14:04:41.078941+00:00",
        "half_life": 30,
        "ingest_time": "2021-07-27T14:04:41.078941+00:00",
        "source_reliability": null,
        "tags": [
          "malicious-activity"
        ],
        "title": "Bad IP1",
        "tlp_color": "GREEN"
      },
      // ...
    }
  ],
  // ...
}
Export TLP#
When exporting an Intelligence Center entity to STIX 2.1, the TLP marking-definition object is reconstructed from that entity’s meta.tlp_color field. If a TLP override is applied during export, or by the configured outgoing feed, the marking-definition object is derived from that TLP override for all the entities it applies to.
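As an added example (not EclecticIQ's own code), the following Python builds the marking-definition objects an exporter would emit for one entity under the rules described in this section and in Export Statements above: the TLP marking-definition is the fixed §7.2.1.4 object for the entity's meta.tlp_color (or for the TLP override when one applies), each terms-of-use marking structure becomes a Statement Marking Object, and simple marking structures produce nothing. The function names, the way the entity's fields are passed in, the sample data, and the use of uuid5 to mint a deterministic statement id are all assumptions made for the example; the page does not say how Intelligence Center generates ids.

```python
"""Build STIX 2.1 marking-definition objects for an EclecticIQ entity on export.

Added example; not EclecticIQ code. Assumptions: the entity's TLP color and
its marking structures are passed in explicitly, and statement marking ids
are minted with uuid5 (EIQ's real id scheme is not documented on this page).
"""
import uuid

# The four TLP Marking Objects fixed by STIX 2.1 §7.2.1.4: id and created are
# prescribed by the specification, so every producer emits identical objects.
TLP_MARKING_IDS = {
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "AMBER": "marking-definition--f88d31f6-dbdf-4f20-b3ca-2e3a43ba5c85",
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_CREATED = "2017-01-20T00:00:00.000Z"


def tlp_marking_definition(color):
    """Reconstruct the spec-defined TLP Marking Object for a meta.tlp_color value."""
    color = color.upper()
    if color not in TLP_MARKING_IDS:
        raise ValueError(f"{color!r} is not a STIX 2.1 TLP color")
    return {
        "type": "marking-definition", "spec_version": "2.1",
        "id": TLP_MARKING_IDS[color], "created": TLP_CREATED,
        "definition_type": "tlp", "name": f"TLP:{color}",
        "definition": {"tlp": color.lower()},
    }


def statement_marking_definition(statement, created):
    """Turn a terms-of-use marking structure into a Statement Marking Object.

    The id is a uuid5 of the statement text: an assumption of this example so
    that the same statement always maps to the same marking-definition."""
    return {
        "type": "marking-definition", "spec_version": "2.1",
        "id": "marking-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, statement)),
        "created": created, "definition_type": "statement",
        "definition": {"statement": statement},
    }


def export_markings(tlp_color, handling, created, tlp_override=None):
    """Return (marking_definitions, object_marking_refs) for one exported entity.

    tlp_color    -- the entity's meta.tlp_color (None when unmarked)
    handling     -- the entity's list of marking-specification structures
    tlp_override -- color forced by the export dialog or outgoing feed, if any
    """
    definitions = {}                       # keyed by id, so duplicates collapse
    color = tlp_override or tlp_color      # an override replaces the stored color
    if color:
        md = tlp_marking_definition(color)
        definitions[md["id"]] = md
    for spec in handling or []:
        for structure in spec.get("marking_structures", []):
            # Only terms-of-use structures are exported; "simple" ones are dropped.
            if structure.get("marking_structure_type") == "terms-of-use":
                md = statement_marking_definition(structure["terms_of_use"], created)
                definitions[md["id"]] = md
    return list(definitions.values()), list(definitions)


def export_bundle(sdo, tlp_color, handling, created, tlp_override=None):
    """Wrap the exported SDO and its full marking objects in one bundle, which is
    what lets a consumer (another Intelligence Center included) resolve the refs."""
    definitions, refs = export_markings(tlp_color, handling, created, tlp_override)
    sdo = dict(sdo)
    if refs:
        sdo["object_marking_refs"] = refs
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [sdo] + definitions}


# Constructed sample input (field names of the "simple" structure are assumed).
SAMPLE_HANDLING = [{
    "type": "marking-specification",
    "marking_structures": [
        {"type": "marking-structure", "marking_structure_type": "terms-of-use",
         "terms_of_use": "Copyright 2019, Example Corp"},
        {"type": "marking-structure", "marking_structure_type": "simple",
         "statement": "internal note, not exported"},
    ],
}]
SAMPLE_SDO = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2018-01-17T11:11:13.000Z", "modified": "2018-01-17T11:11:13.000Z",
    "name": "Bad IP1", "pattern": "[ipv4-addr:value = '198.51.100.1']",
    "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
}

if __name__ == "__main__":
    import json
    print(json.dumps(export_bundle(SAMPLE_SDO, "GREEN", SAMPLE_HANDLING,
                                   "2018-01-17T11:11:13.000Z"), indent=2))
```

Passing tlp_override="AMBER" to export_bundle makes every object in the output carry the AMBER marking regardless of the stored meta.tlp_color, which is the behaviour to expect from an outgoing feed configured with an override.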
Multiple TLP markings#
§7.2 Data Markings does not specify how to resolve the TLP color applied to a given object when multiple TLP marking definitions are applied.
EclecticIQ Intelligence Center defers to the STIX 1.2 specification and applies only the most restrictive TLP color referenced by the object:
“Nodes may be marked by multiple TLP Marking statements. When this occurs, the node should be considered marked at the most restrictive TLP Marking of all TLP Markings that were applied to it. For example, if a node is marked both GREEN and AMBER, the node should be considered AMBER.”
Granular markings#
§7.2.3 Granular Markings are not supported by EclecticIQ Intelligence Center, and are ignored on ingestion.
If granular markings are defined in the STIX 2.1 Object, those markings are preserved in the original_stix21_objects field of the resulting entity.
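As an added example (not EclecticIQ's own code), the following Python resolves the object markings of a STIX 2.1 bundle the way the Ingest Statements, Ingest TLP, Multiple TLP markings and Granular markings sections above say Intelligence Center does: statement markings become terms-of-use marking structures, several TLP markings collapse to the most restrictive color, references to marking-definition objects absent from the bundle are not resolved, and granular_markings are ignored. It also produces the pre-ingest warnings a practitioner would want for exactly those two lossy cases. The per-object result layout, the function names and the sample bundle (including a deliberately dangling marking id) are constructed for this example.

```python
"""Resolve STIX 2.1 object markings of a bundle the way this page says
EclecticIQ Intelligence Center ingests them.

Added example; not EclecticIQ code. The result layout is this example's own;
the rules are the page's.
"""

# TLP v1 colors from least to most restrictive (STIX 2.1 §7.2.1.4).
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]


def most_restrictive(colors):
    """Collapse several TLP colors into the single most restrictive one."""
    return max(colors, key=TLP_ORDER.index)


def resolve_markings(bundle):
    """Return {object_id: result} for every non-marking object in the bundle."""
    definitions = {o["id"]: o for o in bundle["objects"]
                   if o["type"] == "marking-definition"}
    results = {}
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition":
            continue  # marking definitions never become entities themselves
        result = {
            "tlp_color": None,       # -> meta.tlp_color
            "terms_of_use": [],      # -> terms-of-use marking structures
            "unresolved_refs": [],   # markings that are silently lost on ingest
            "ignored_granular_markings": len(obj.get("granular_markings", [])),
        }
        colors = []
        for ref in obj.get("object_marking_refs", []):
            marking = definitions.get(ref)
            if marking is None:      # ref not in this bundle: not resolved
                result["unresolved_refs"].append(ref)
            elif marking["definition_type"] == "tlp":
                color = marking["definition"]["tlp"].upper()
                if color in TLP_ORDER:
                    colors.append(color)
                else:                # not one of the four §7.2.1.4 colors
                    result["unresolved_refs"].append(ref)
            elif marking["definition_type"] == "statement":
                result["terms_of_use"].append(marking["definition"]["statement"])
        if colors:
            result["tlp_color"] = most_restrictive(colors)
        results[obj["id"]] = result
    return results


def preingest_warnings(bundle):
    """One line per marking the ingest would drop; run this before feeding a bundle in."""
    warnings = []
    for obj_id, result in resolve_markings(bundle).items():
        for ref in result["unresolved_refs"]:
            warnings.append(f"{obj_id}: {ref} is not in the bundle; it will not be applied")
        if result["ignored_granular_markings"]:
            warnings.append(f"{obj_id}: {result['ignored_granular_markings']} "
                            "granular marking(s) will be ignored")
    return warnings


# Constructed sample bundle. The TLP and statement ids are the ones used on this
# page; MISSING is a made-up id that is deliberately absent from the bundle.
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
TLP_AMBER = "marking-definition--f88d31f6-dbdf-4f20-b3ca-2e3a43ba5c85"
STATEMENT = "marking-definition--4a0042fe-8b88-40fe-9600-dfa128ce6fbd"
MISSING = "marking-definition--0b1e2a3c-5d6f-4a7b-8c9d-0e1f2a3b4c5d"


def _tlp(marking_id, color):
    return {"type": "marking-definition", "spec_version": "2.1", "id": marking_id,
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{color.upper()}", "definition": {"tlp": color}}


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--4c6ad0d5-2d8a-4b8a-9d0c-8f9f5b7e1a11",
    "objects": [
        _tlp(TLP_GREEN, "green"),
        _tlp(TLP_AMBER, "amber"),
        {"type": "marking-definition", "spec_version": "2.1", "id": STATEMENT,
         "created": "2016-08-01T00:00:00.000Z", "definition_type": "statement",
         "definition": {"statement": "Copyright 2019, Example Corp"}},
        {   # GREEN and AMBER both referenced: ingested as AMBER
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "created": "2018-01-17T11:11:13.000Z", "modified": "2018-01-17T11:11:13.000Z",
            "name": "Bad IP1", "pattern": "[ipv4-addr:value = '198.51.100.1']",
            "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
            "object_marking_refs": [TLP_GREEN, TLP_AMBER, STATEMENT, MISSING],
            "granular_markings": [{"marking_ref": TLP_AMBER, "selectors": ["description"]}],
        },
    ],
}

if __name__ == "__main__":
    for line in preingest_warnings(SAMPLE_BUNDLE):
        print("WARNING", line)
    print(resolve_markings(SAMPLE_BUNDLE))
```

For the sample bundle the indicator resolves to tlp_color AMBER (the more restrictive of GREEN and AMBER), one terms-of-use statement, one unresolved reference and one ignored granular marking, so preingest_warnings reports two lines before anything is ingested.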