Update to Threat ECS Fieldset (TLP)

[peasead]

Summary

The Traffic Light Protocol (TLP) is a system of markings that communicates information sharing permissions for threat indicators.

In August 2022, FIRST (the governing body for TLP) released TLP v2.0. This has an update to an existing TLP designation (TLP:WHITE -> TLP:CLEAR) and the addition of an additional TLP designation (TLP:AMBER+STRICT).

We should update the TLP fields for the Threat ECS fieldset to include the following:

• add a TLP:CLEAR field
• add a TLP:AMBER+STRICT field
• add a TLP version field

Motivation:

This will keep the ECS fieldset updated with the governing body for TLP. TLP v1.0 was deprecated in August 2022.

Detailed Design:

Provide additional details around the design of the proposed changes.

• Field names:
  • threat.indicator.marking.tlp
  • threat.enrichments.indicator.marking.tlp
  • threat.indicator.marking.tlp.version
  • threat.enrichments.indicator.marking.tlp.version
• Example values for the fields
  • threat.indicator.marking.tlp : CLEAR, WHITE, AMBER, AMBER+STRICT, RED
  • threat.enrichments.indicator.marking.tlp : CLEAR, WHITE, AMBER, AMBER+STRICT, RED
  • threat.indicator.marking.tlp.version : 1.0, 2.0
  • threat.enrichments.indicator.marking.tlp.version : 1.0, 2.0

[kgeller]

Hi @peasead ! The additions of CLEAR and AMBER+STRICT to [threat.indicator.marking.tlp has already been completed via a community PR and will be released in ECS 8.6.

[peasead]

🚀