Class: AttackMarkingDefinition
ATT&CK Marking Definition objects apply data handling constraints to ATT&CK content. ATT&CK uses two categories of marking definitions:
1. TLP (Traffic Light Protocol) markings — four canonical instances with fixed IDs:
_ TLP:WHITE → marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9_
_ TLP:GREEN → marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da_
_ TLP:AMBER → marking-definition--f88d31f6-486f-44da-b317-01333bde0b82_
_ TLP:RED → marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed_
__
2. Statement markings — copyright and terms-of-use text applied to ATT&CK content.
_ Example: "Copyright 2023, The MITRE Corporation. ATT&CK® is a registered trademark."_
__
Marking Definition objects are STIX Meta Objects (SMOs). They do NOT have a 'modified' property and do NOT carry ATT&CK versioning fields (x_mitre_attack_spec_version, x_mitre_version, x_mitre_deprecated).
The canonical TLP marking definition instances MUST NOT be recreated; only the four fixed instances listed above are valid TLP markings for ATT&CK content.
URI: attack:AttackMarkingDefinition
classDiagram
class AttackMarkingDefinition
click AttackMarkingDefinition href "../AttackMarkingDefinition/"
MarkingDefinition <|-- AttackMarkingDefinition
click MarkingDefinition href "../MarkingDefinition/"
AttackMarkingDefinition : created
AttackMarkingDefinition : created_by_ref
AttackMarkingDefinition : definition
AttackMarkingDefinition : definition_type
AttackMarkingDefinition --> "1" MarkingDefinitionTypeEnum : definition_type
click MarkingDefinitionTypeEnum href "../MarkingDefinitionTypeEnum/"
AttackMarkingDefinition : description
AttackMarkingDefinition : extensions
AttackMarkingDefinition : external_references
AttackMarkingDefinition --> "*" ExternalReference : external_references
click ExternalReference href "../ExternalReference/"
AttackMarkingDefinition : granular_markings
AttackMarkingDefinition --> "*" GranularMarking : granular_markings
click GranularMarking href "../GranularMarking/"
AttackMarkingDefinition : id
AttackMarkingDefinition : name
AttackMarkingDefinition : object_marking_refs
AttackMarkingDefinition : spec_version
AttackMarkingDefinition --> "1" SpecVersionEnum : spec_version
click SpecVersionEnum href "../SpecVersionEnum/"
AttackMarkingDefinition : statement
AttackMarkingDefinition : type
Inheritance
- StixEntity
- CommonSchemaComponent
- MarkingDefinition
- AttackMarkingDefinition
- MarkingDefinition
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| type | 1 StixTypeName |
STIX object type | MarkingDefinition, StixEntity |
| spec_version | 1 SpecVersionEnum |
STIX specification version | MarkingDefinition |
| id | 1 StixIdentifier |
STIX object identifier | MarkingDefinition, StixEntity |
| name | 0..1 String |
Human-readable name for TLP marking definitions (e | MarkingDefinition, StixEntity |
| created_by_ref | 1 StixIdentifier |
The STIX ID of the identity that created this marking definition | MarkingDefinition |
| created | 1 Datetime |
Creation timestamp | MarkingDefinition |
| external_references | * ExternalReference |
External references to non-STIX information | MarkingDefinition |
| object_marking_refs | * StixIdentifier |
Marking definition references applied to this object | MarkingDefinition |
| granular_markings | * GranularMarking |
Granular markings that apply to selected content | MarkingDefinition |
| extensions | * String |
Open-ended extension payloads | MarkingDefinition |
| definition_type | 1 MarkingDefinitionTypeEnum |
The type of marking definition payload: 'tlp' for Traffic Light Protocol mark... | MarkingDefinition |
| definition | 1 String |
The marking definition payload object | MarkingDefinition |
| statement | 0..1 String |
A statement (e | MarkingDefinition |
| description | 0..1 String |
Human-readable description | StixEntity |
In Subsets
Comments
- validator_hint: enforce-marking-definition-tlp-statement-branches note: TLP marking definition IDs are fixed constants; do not create new TLP instances.
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| stix_type | marking-definition |
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:AttackMarkingDefinition |
| native | attack:AttackMarkingDefinition |
LinkML Source
Direct
name: AttackMarkingDefinition
annotations:
stix_type:
tag: stix_type
value: marking-definition
description: "ATT&CK Marking Definition objects apply data handling constraints to\
\ ATT&CK content. ATT&CK uses two categories of marking definitions:\n1. TLP (Traffic\
\ Light Protocol) markings — four canonical instances with fixed IDs:\n TLP:WHITE\
\ → marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9\n TLP:GREEN →\
\ marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\n TLP:AMBER → marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\n\
\ TLP:RED → marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed\n\n\
2. Statement markings — copyright and terms-of-use text applied to ATT&CK content.\n\
\ Example: \"Copyright 2023, The MITRE Corporation. ATT&CK® is a registered\
\ trademark.\"\n\nMarking Definition objects are STIX Meta Objects (SMOs). They\
\ do NOT have a 'modified' property and do NOT carry ATT&CK versioning fields (x_mitre_attack_spec_version,\
\ x_mitre_version, x_mitre_deprecated).\nThe canonical TLP marking definition instances\
\ MUST NOT be recreated; only the four fixed instances listed above are valid TLP\
\ markings for ATT&CK content."
comments:
- 'validator_hint: enforce-marking-definition-tlp-statement-branches note: TLP marking
definition IDs are fixed constants; do not create new TLP instances.'
in_subset:
- attack_smos
from_schema: https://w3id.org/lmodel/attack
is_a: MarkingDefinition
slot_usage:
type:
name: type
required: true
pattern: ^marking-definition$
id:
name: id
required: true
pattern: ^marking-definition--
spec_version:
name: spec_version
required: true
created:
name: created
required: true
created_by_ref:
name: created_by_ref
description: The STIX ID of the identity that created this marking definition.
ATT&CK marking definitions reference MITRE's identity.
required: true
definition_type:
name: definition_type
description: 'The type of marking definition payload: ''tlp'' for Traffic Light
Protocol markings, or ''statement'' for copyright/terms-of-use text.'
range: MarkingDefinitionTypeEnum
required: true
definition:
name: definition
description: The marking definition payload object. For TLP markings this is a
TlpMarkingObject containing the tlp level. For statement markings this is a
StatementMarkingObject containing the statement text.
required: true
name:
name: name
description: Human-readable name for TLP marking definitions (e.g., 'TLP:WHITE',
'TLP:GREEN'). Listed in the STIX 2.1 specification; optional in ATT&CK practice.
x_mitre_attack_spec_version:
name: x_mitre_attack_spec_version
description: Not present on ATT&CK Marking Definition objects (SMOs are unversioned).
required: false
x_mitre_version:
name: x_mitre_version
description: Not present on ATT&CK Marking Definition objects.
required: false
x_mitre_deprecated:
name: x_mitre_deprecated
description: Not present on ATT&CK Marking Definition objects.
required: false
Induced
name: AttackMarkingDefinition
annotations:
stix_type:
tag: stix_type
value: marking-definition
description: "ATT&CK Marking Definition objects apply data handling constraints to\
\ ATT&CK content. ATT&CK uses two categories of marking definitions:\n1. TLP (Traffic\
\ Light Protocol) markings — four canonical instances with fixed IDs:\n TLP:WHITE\
\ → marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9\n TLP:GREEN →\
\ marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\n TLP:AMBER → marking-definition--f88d31f6-486f-44da-b317-01333bde0b82\n\
\ TLP:RED → marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed\n\n\
2. Statement markings — copyright and terms-of-use text applied to ATT&CK content.\n\
\ Example: \"Copyright 2023, The MITRE Corporation. ATT&CK® is a registered\
\ trademark.\"\n\nMarking Definition objects are STIX Meta Objects (SMOs). They\
\ do NOT have a 'modified' property and do NOT carry ATT&CK versioning fields (x_mitre_attack_spec_version,\
\ x_mitre_version, x_mitre_deprecated).\nThe canonical TLP marking definition instances\
\ MUST NOT be recreated; only the four fixed instances listed above are valid TLP\
\ markings for ATT&CK content."
comments:
- 'validator_hint: enforce-marking-definition-tlp-statement-branches note: TLP marking
definition IDs are fixed constants; do not create new TLP instances.'
in_subset:
- attack_smos
from_schema: https://w3id.org/lmodel/attack
is_a: MarkingDefinition
slot_usage:
type:
name: type
required: true
pattern: ^marking-definition$
id:
name: id
required: true
pattern: ^marking-definition--
spec_version:
name: spec_version
required: true
created:
name: created
required: true
created_by_ref:
name: created_by_ref
description: The STIX ID of the identity that created this marking definition.
ATT&CK marking definitions reference MITRE's identity.
required: true
definition_type:
name: definition_type
description: 'The type of marking definition payload: ''tlp'' for Traffic Light
Protocol markings, or ''statement'' for copyright/terms-of-use text.'
range: MarkingDefinitionTypeEnum
required: true
definition:
name: definition
description: The marking definition payload object. For TLP markings this is a
TlpMarkingObject containing the tlp level. For statement markings this is a
StatementMarkingObject containing the statement text.
required: true
name:
name: name
description: Human-readable name for TLP marking definitions (e.g., 'TLP:WHITE',
'TLP:GREEN'). Listed in the STIX 2.1 specification; optional in ATT&CK practice.
x_mitre_attack_spec_version:
name: x_mitre_attack_spec_version
description: Not present on ATT&CK Marking Definition objects (SMOs are unversioned).
required: false
x_mitre_version:
name: x_mitre_version
description: Not present on ATT&CK Marking Definition objects.
required: false
x_mitre_deprecated:
name: x_mitre_deprecated
description: Not present on ATT&CK Marking Definition objects.
required: false
attributes:
type:
name: type
description: STIX object type.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:state
rank: 1000
alias: type
owner: AttackMarkingDefinition
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_type_name
required: true
pattern: ^marking-definition$
spec_version:
name: spec_version
description: STIX specification version.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:specVersion
rank: 1000
alias: spec_version
owner: AttackMarkingDefinition
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: SpecVersionEnum
required: true
id:
name: id
description: STIX object identifier.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: id
owner: AttackMarkingDefinition
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_identifier
required: true
pattern: ^marking-definition--
name:
name: name
description: Human-readable name for TLP marking definitions (e.g., 'TLP:WHITE',
'TLP:GREEN'). Listed in the STIX 2.1 specification; optional in ATT&CK practice.
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:name
rank: 1000
alias: name
owner: AttackMarkingDefinition
domain_of:
- RelatedAsset
- StixEntity
- ExtensionDefinition
- MarkingDefinition
- AutonomousSystem
- File
range: string
created_by_ref:
name: created_by_ref
description: The STIX ID of the identity that created this marking definition.
ATT&CK marking definitions reference MITRE's identity.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:createdBy
rank: 1000
alias: created_by_ref
owner: AttackMarkingDefinition
domain_of:
- Core
- MarkingDefinition
range: stix_identifier
required: true
created:
name: created
description: Creation timestamp.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:objectCreatedTime
rank: 1000
alias: created
owner: AttackMarkingDefinition
domain_of:
- Core
- MarkingDefinition
range: datetime
required: true
external_references:
name: external_references
description: External references to non-STIX information.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: external_references
owner: AttackMarkingDefinition
domain_of:
- Core
- MarkingDefinition
range: ExternalReference
multivalued: true
object_marking_refs:
name: object_marking_refs
description: Marking definition references applied to this object.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: object_marking_refs
owner: AttackMarkingDefinition
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: stix_identifier
multivalued: true
pattern: ^marking-definition--
granular_markings:
name: granular_markings
description: Granular markings that apply to selected content.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
narrow_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: granular_markings
owner: AttackMarkingDefinition
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: GranularMarking
multivalued: true
extensions:
name: extensions
description: Open-ended extension payloads.
notes:
- JSON Schema uses patternProperties for extension keys; exact key validation
is delegated to validator tooling.
comments:
- 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:hasFacet
rank: 1000
alias: extensions
owner: AttackMarkingDefinition
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
- File
range: string
multivalued: true
definition_type:
name: definition_type
description: 'The type of marking definition payload: ''tlp'' for Traffic Light
Protocol markings, or ''statement'' for copyright/terms-of-use text.'
comments:
- 'jsonschema_conditional_required: "required unless extensions present"'
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: definition_type
owner: AttackMarkingDefinition
domain_of:
- MarkingDefinition
range: MarkingDefinitionTypeEnum
required: true
definition:
name: definition
description: The marking definition payload object. For TLP markings this is a
TlpMarkingObject containing the tlp level. For statement markings this is a
StatementMarkingObject containing the statement text.
comments:
- 'jsonschema_conditional_required: "required unless extensions present"'
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: definition
owner: AttackMarkingDefinition
domain_of:
- MarkingDefinition
range: string
required: true
statement:
name: statement
description: A statement (e.g., copyright, terms of use) applied to the content
marked by this marking definition.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: statement
owner: AttackMarkingDefinition
domain_of:
- StatementMarkingObject
- MarkingDefinition
range: string
description:
name: description
description: Human-readable description.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:description
rank: 1000
alias: description
owner: AttackMarkingDefinition
domain_of:
- RelatedAsset
- MutableElement
- StixEntity
- ExtensionDefinition
- ExternalReference
range: string