About TLP

TLP stands for Traffic Light Protocol. TLP color codes flag information to provide handling and sharing guidelines.

TLP indicates if the information:

  • Is sensitive/reserved, or if you can share it with other parties.

  • Holds high risk, if it is useful to promote awareness of the content it describes, or if it holds no foreseeable risk of misuse.

  • Requires immediate action (deter/prevail), or if it can be part of a longer term strategy (prevent).

You can assign a TLP color value to restrict access to the following Intelligence Center items:

  • Entities.

  • Data you receive via incoming and send out via outgoing feeds.

  • Data created by users belonging to the groups associated with allowed data sources.

Observables do not have a TLP property.

TLP version support

EclecticIQ Intelligence Center supports both TLP v1.0 and v2.0 values.

  • The Intelligence Center UI displays TLP v2.0 values.

  • You can ingest feeds with either TLP v1.0 or TLP v2.0 values.

  • Outgoing feeds or manual exports using the content types below will contain TLP v2.0 values:

    • EclecticIQ JSON

    • Advanced Entities CSV

    • EclecticIQ Entities CSV

    • EclecticIQ HTML Report

    • EclecticIQ HTML Report Digest

    • EclecticIQ HTML PDF

  • API calls made to the IC public API v2 will return TLP v1.0 values.

About TLP as access control

When TLP works as an access control mechanism, a TLP color selection includes other color values in a decreasing range.

For example, if you set a TLP color to assign the level of confidentiality a group can access, the group can access data sources and entities having the selected TLP color code, as well as data sources and entities whose TLP color indicates that they are progressively lower risk, less sensitive, and suitable for disclosure to broader audiences.

In this context, if a group can access one or more Allowed sources with a TLP access level set to amber, the group and its members are allowed to access content from the specified data sources up to TLP amber: this includes amber, green, and white.

About TLP as search and filter

Using TLP as a search or filter mechanism returns only exact TLP color matches.
For example:

  • Setting a TLP filter or quick filter to GREEN returns only entities whose TLP value is “green”.

  • A search for meta.tlp_color:AMBER returns only entities whose TLP value is “amber”.

Entities with no TLP color value do not show up in search or in filtered results.

For more information, see Filter entities by TLP.

About TLP overrides

You can override the original or the current TLP color code of an (uploaded) entity, an incoming feed, or an outgoing feed.

TLP overrides have precedence over the original entity TLP value. TLP overrides always supersede the original TLP value assigned to an entity, regardless of the TLP override being more or less restrictive than the original TLP value.
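
The three behaviors described above (access control over a decreasing range, exact-match search and filter, and override precedence) can be modeled as follows. This is an added example, not EclecticIQ code: the Entity class, the function names, and the sample data are hypothetical, and treating an unset TLP as White/Clear in access checks is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Least to most restrictive, following the TLP reference on this page.
ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]

def normalize(color: Optional[str]) -> Optional[str]:
    """Map a TLP v1.0 or v2.0 label to its v2.0 form; None means 'not set'."""
    if color is None:
        return None
    label = color.strip().upper().replace(" ", "")
    if label.startswith("TLP:"):
        label = label[4:]
    label = "CLEAR" if label == "WHITE" else label  # v1.0 White == v2.0 Clear
    if label not in ORDER:
        raise ValueError(f"unknown TLP value: {color!r}")
    return label

@dataclass
class Entity:  # hypothetical stand-in for an Intelligence Center entity
    title: str
    original_tlp: Optional[str] = None
    override_tlp: Optional[str] = None

    @property
    def effective_tlp(self) -> Optional[str]:
        # An override always wins, whether more or less restrictive.
        return normalize(self.override_tlp or self.original_tlp)

def can_access(group_level: str, entity: Entity) -> bool:
    """Access control: the group's level includes every lower color."""
    # Assumption: an entity with no TLP is handled like White/Clear.
    effective = entity.effective_tlp or "CLEAR"
    return ORDER.index(effective) <= ORDER.index(normalize(group_level))

def filter_by_tlp(entities, color: str):
    """Search/filter: exact match only; entities with no TLP never match."""
    wanted = normalize(color)
    return [e for e in entities if e.effective_tlp == wanted]

SAMPLE = [  # constructed sample data
    Entity("report-a", original_tlp="TLP:WHITE"),
    Entity("report-b", original_tlp="green"),
    Entity("report-c", original_tlp="RED", override_tlp="AMBER"),
    Entity("report-d", original_tlp="GREEN", override_tlp="Amber + Strict"),
    Entity("report-e"),
]
```

With this sample, a group at access level AMBER can read report-c (overridden down from RED) but not report-d (overridden up from GREEN), while a GREEN filter returns only report-b.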

TLP reference

The table below sums up TLP behavior when TLP is used to control access to data, and when TLP is used to search and filter data.

| Color | Disclosure | Access level | Filter and search | When should it be used? | How may it be shared? |
| --- | --- | --- | --- | --- | --- |
| Not set | Disclosure is not limited. | Not set | Not set | Some sources do not have a set TLP color code. In that case, the sharing capabilities are treated as if they had the color White. You can assign any color code to any entity, an incoming feed, or an outgoing feed without a TLP color code. | Subject to standard copyright rules. |
| v1.0 White / v2.0 Clear | Disclosure is not limited. | v1.0 White / v2.0 Clear | v1.0 White / v2.0 Clear | Sources may use TLP:WHITE/TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. | Subject to standard copyright rules. TLP:WHITE/TLP:CLEAR information may be distributed without restriction. |
| Green | Limited disclosure, restricted to the community. | Green, White/Clear | Green | Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. | Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community. |
| Amber | Limited disclosure, restricted to participants’ organizations and their clients. | Amber, Green, White/Clear | Amber | Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved and their clients. | Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing. These must be adhered to. |
| Amber + Strict | Limited disclosure, restricted to participants’ organizations. | Amber + Strict, Amber, Green, White/Clear | Amber+Strict | Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. | Recipients may only share TLP:AMBER+STRICT information with members of their own organization, but NOT with their clients. Sources are at liberty to specify additional intended limits of the sharing. These must be adhered to. |
| Red | Not for disclosure, restricted to participants only. | Red, Amber + Strict, Amber, Green, White/Clear | Red | Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused. | Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. For example, in the context of a meeting, TLP:RED information is limited only to the meeting attendees. In most circumstances, TLP:RED should be exchanged verbally or in person. |