TLP Overview Transcript

1
00:00:10,760 --> 00:00:19,978
Traffic Light Protocol, referred to as TLP, provides a set of designations used to ensure that sensitive information is shared with the appropriate audience.

2
00:00:20,478 --> 00:00:25,859
ThreatQ provides a method for designating the availability of intelligence information by its source.

3
00:00:26,526 --> 00:00:31,239
From the object details page, you can view the object and attribute source designations.

4
00:00:31,823 --> 00:00:35,160
You can filter Threat Library results by TLP designations.

5
00:00:35,535 --> 00:00:39,581
You can also use TLP designations to filter data when building exports.

6
00:00:41,041 --> 00:00:44,502
By default, TLP designations are not visible to users.

7
00:00:45,003 --> 00:00:51,051
TLP visibility can be enabled from the TLP page which can be found under the Threat Library dropdown menu.

8
00:00:51,885 --> 00:00:56,431
You can enable TLP viewing by clicking on the TLP Visibility toggle switch.

9
00:00:57,182 --> 00:01:02,645
Setting the toggle switch to enabled will allow users to view TLP designations throughout the platform.

10
00:01:03,438 --> 00:01:09,486
ThreatQ supports TLP 2.0 and offers six different designations that are identified by color.

11
00:01:10,070 --> 00:01:14,449
Red marks information as not for disclosure and restricted to participants only.

12
00:01:14,741 --> 00:01:20,455
Amber Strict marks information as limited disclosure and restricted to the participant’s organization.

13
00:01:21,122 --> 00:01:27,295
Amber marks information as limited disclosure and restricted to the participant’s organization and its clients.

14
00:01:28,421 --> 00:01:32,509
Green marks information as limited disclosure and restricted to the community.

15
00:01:33,009 --> 00:01:36,471
And Clear marks information as disclosure is not limited.

16
00:01:37,597 --> 00:01:40,767
There are several ways to set a TLP designation for a source.

17
00:01:41,434 --> 00:01:47,107
On the TLP tab, you can set default designations for a source using the dropdown menus provided.

18
00:01:47,982 --> 00:01:53,696
It’s important to note that this setting will only be applied to objects created after setting this option.

19
00:01:54,322 --> 00:01:59,244
Setting the default TLP will not update the TLP designations for existing objects.

20
00:02:02,038 --> 00:02:09,379
You can manually change the TLP designation for a source of a single object by clicking on the source on the object’s details page.

21
00:02:18,471 --> 00:02:23,101
You can also set a TLP Designation when using the add new source feature.

22
00:02:23,852 --> 00:02:28,064
Or when selecting an existing source with no set TLP designation.

23
00:02:33,945 --> 00:02:37,532
The ThreatQ TLP Assignment Hierarchy is as follows.

24
00:02:38,449 --> 00:02:42,203
Starting with the lowest precedence is when a source has no default TLP.

25
00:02:42,579 --> 00:02:45,874
This is when a TLP designation has not been set for a source.

26
00:02:46,291 --> 00:02:52,005
Next is Source Default. This is when a source default has been set on the TLP management tab.

27
00:02:52,380 --> 00:02:57,802
Next is source provided data. This is when TLP information is received from ingested data.

28
00:02:58,303 --> 00:03:01,639
And Manually setting a TLP setting has the highest precedence.

29
00:03:02,056 --> 00:03:13,359
This occurs when a user utilizes the add new source option and selects a TLP designation or manually selects a TLP designation for an existing source with no default TLP.

30
00:03:15,612 --> 00:03:25,079
To update TLP designations for multiple existing objects, you can run an artisan command to update your system to match TLP defaults set on the TLP page.

31
00:03:25,413 --> 00:03:31,586
Specifically attributes and sources that were added to the threat library prior to your organization using TLP.

32
00:03:32,295 --> 00:03:40,970
Exercise caution when using this command as it will override previously saved TLP configuration settings, including ones set by users.

33
00:03:41,554 --> 00:03:46,768
This command can be found under the Command Line Interface section on the ThreatQ Help Center.

34
00:03:47,393 --> 00:03:55,944
You can also run another artisan command to update all object and attribute sources that have TLP settings stored as an object attribute.

35
00:03:56,569 --> 00:04:03,409
This is commonly used when importing or migrating data which has TLP attributes but no default TLP setting.

36
00:04:04,118 --> 00:04:10,041
This command can also be found under the Command Line Interface section on the ThreatQ Help Center.