About TLP
TLP stands for Traffic Light Protocol. TLP color codes flag information to provide handling and sharing guidelines.
TLP indicates if the information:
Is sensitive/reserved, or if you can share it with other parties.
Holds high risk, if it is useful to promote awareness of the content it describes, or if it holds no foreseeable risk of misuse.
Requires immediate action (deter/prevail), or if it can be part of a longer term strategy (prevent).
You can assign a TLP color value to restrict access to the following Intelligence Center items:
Entities.
Data you receive via incoming and send out via outgoing feeds.
Data created by users belonging to the groups associated with allowed data sources.
Observables do not have a TLP property.
TLP version support
EclecticIQ Intelligence Center supports both TLP v1.0 and v2.0 values.
The Intelligence Center UI displays TLP v2.0 values.
You can ingest feeds with either TLP v1.0 or TLP v2.0 values.
Outgoing feeds or manual exports using the content types below will contain TLP v2.0 values:
EclecticIQ JSON
Advanced Entities CSV
EclecticIQ Entities CSV
EclecticIQ HTML Report
EclecticIQ HTML Report Digest
EclecticIQ HTML PDF
API calls made to the IC public API v2 will return TLP v1.0 values.
About TLP as access control
When TLP works as an access control mechanism, a TLP color selection includes other color values in a decreasing range.
For example, if you set a TLP color to assign the level of confidentiality a group can access, the group can access data sources and entities having the selected TLP color code, as well as data sources and entities whose TLP color indicates that they are progressively lower risk, less sensitive, and suitable for disclosure to broader audiences.
In this context, if a group can access one or more Allowed sources with a TLP access level set to amber, the group and its members are allowed to access content from the specified data sources up to TLP amber: this includes amber, green, and white.
About TLP as search and filter
Using TLP as a search or filter mechanism returns only exact TLP color matches.
For example:
Setting a TLP filter or quick filter to GREEN returns only entities whose TLP value is “green”.
A search for meta.tlp_color:AMBER returns only entities whose TLP value is “amber”.
Entities with no TLP color value do not show up in search or in filtered results.
For more information, see Filter entities by TLP.
About TLP overrides
You can override the original or the current TLP color code of an (uploaded) entity, an incoming feed, or an outgoing feed.
TLP overrides take precedence over the original entity TLP value: an override always supersedes the original TLP value assigned to an entity, regardless of whether the override is more or less restrictive than the original.
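The access-control, search/filter and override rules described above interact, so the following added example models them together; it is not EclecticIQ code or part of the original page. All names (Entity, can_access, filter_by_tlp, downgraded) and the sample data are hypothetical, and it assumes that an unset TLP is handled as White for access and that filters evaluate the overridden value.

```python
from dataclasses import dataclass
from typing import Optional

# Least to most restrictive, in the order of the TLP reference table.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "AMBER+STRICT", "RED"]

@dataclass
class Entity:
    name: str
    original_tlp: Optional[str] = None   # None means "Not set"
    override_tlp: Optional[str] = None   # entity or feed TLP override

def effective_tlp(e):
    """An override always supersedes the original, stricter or looser."""
    return e.override_tlp if e.override_tlp is not None else e.original_tlp

def can_access(group_level, e):
    """Access control: the group level also covers every lower colour."""
    tlp = effective_tlp(e) or "WHITE"    # assumption: unset handled as White
    return TLP_ORDER.index(tlp) <= TLP_ORDER.index(group_level)

def filter_by_tlp(entities, colour):
    """Search/filter: exact match only; entities with no TLP never match."""
    return [e.name for e in entities if effective_tlp(e) == colour]

def downgraded(entities):
    """Audit check: overrides that are less restrictive than the original."""
    return [e.name for e in entities
            if e.original_tlp and e.override_tlp
            and TLP_ORDER.index(e.override_tlp) < TLP_ORDER.index(e.original_tlp)]

# Constructed sample data.
ENTITIES = [
    Entity("public-advisory", "WHITE"),
    Entity("sector-bulletin", "GREEN"),
    Entity("client-incident", "AMBER"),
    Entity("internal-ir-notes", "AMBER+STRICT"),
    Entity("victim-identity", "RED"),
    Entity("untagged-feed-item"),                         # TLP not set
    Entity("downgraded-report", "RED", override_tlp="GREEN"),
    Entity("upgraded-report", "GREEN", override_tlp="RED"),
]

def visible_to(group_level):
    return [e.name for e in ENTITIES if can_access(group_level, e)]

if __name__ == "__main__":
    print("AMBER group can access:", visible_to("AMBER"))
    print("Filter GREEN returns:", filter_by_tlp(ENTITIES, "GREEN"))
    print("Downgrading overrides:", downgraded(ENTITIES))
```

The originally red entity becomes reachable by an amber-level group once it is overridden to green, which is why downgrading overrides are worth reviewing.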
TLP reference
The table below sums up TLP behavior when TLP is used to control access to data, and when TLP is used to search and filter data.
Color | Disclosure | Access level | Filter and search | When should it be used? | How may it be shared? |
---|---|---|---|---|---|
Not set | Disclosure is not limited. | Not set | Not set | Some sources do not have a set TLP color code. In that case, the sharing capabilities are treated as if they had the color White. You can assign any color code to any entity, an incoming feed, or an outgoing feed without a TLP color code. | Subject to standard copyright rules. |
White/Clear | Disclosure is not limited. | | | Sources may use TLP:WHITE/TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. | Subject to standard copyright rules. TLP:WHITE/TLP:CLEAR information may be distributed without restriction. |
Green | Limited disclosure, restricted to the community. | | Green | Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. | Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community. |
Amber | Limited disclosure, restricted to participants’ organizations and their clients. | | Amber | Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved and their clients. | Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing. These must be adhered to. |
Amber + Strict | Limited disclosure, restricted to participants’ organizations. | | Amber+Strict | Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. | Recipients may only share TLP:AMBER+STRICT information with members of their own organization, but NOT with their clients. Sources are at liberty to specify additional intended limits of the sharing. These must be adhered to. |
Red | Not for disclosure, restricted to participants only. | | Red | Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused. | Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. For example, in the context of a meeting, TLP:RED information is limited only to the meeting attendees. In most circumstances, TLP:RED should be exchanged verbally or in person. |