diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 61529c4fbf..88cfc5d6f5 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 #### Added
 #### Improvements
+* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
 #### Deprecated
diff --git a/docs/fields/usage/threat.asciidoc b/docs/fields/usage/threat.asciidoc
index d57d812c5d..7693250d30 100644
--- a/docs/fields/usage/threat.asciidoc
+++ b/docs/fields/usage/threat.asciidoc
@@ -43,11 +43,13 @@ indicators from a known malware site.
 "reference": "https://urlhaus.abuse.ch/url/abcdefg/",
 "confidence": "High",
 "ip": 1.2.3.4,
-"domain": "malicious.evil",
 "port": 443,
 "email.address": "phish@malicious.evil",
-"marking: {
-"tlp": "WHITE"
+"marking": {
+"tlp": "CLEAR"
+},
+"url": {
+"domain": "malicious.evil",
 },
 "scanner_stats": 4
 }
@@ -102,7 +104,7 @@ The following example maps a file-based indicator.
 "name": "invoice.doc"
 },
 "marking": {
-"tlp": "WHITE"
+"tlp": "CLEAR"
 },
 "scanner_stats": 4
 }
@@ -148,7 +150,7 @@ Event enrichment searches for known threats using an event's values and, if foun
 {
 "indicator": {
 "marking": {
-"tlp": "WHITE"
+"tlp": "CLEAR"
 },
 "first_seen": "2020-11-17T19:07:46.0956672Z",
 "file": {
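Review bot: The new `url` object in the first threat.asciidoc example (hunk `@@ -43,11 +43,13 @@`) ends with `"domain": "malicious.evil",` immediately followed by `},`, a trailing comma that strict JSON parsers reject, so readers who paste the example into a validator or ingest tool will hit a syntax error; the added line should read `"domain": "malicious.evil"` with no comma. The same example still contains the pre-existing unquoted `"ip": 1.2.3.4`, which is equally invalid JSON, though that line is context rather than part of this change. The switch from "WHITE" to "CLEAR" matches TLP 2.0, but whether the field definition's documented expected values for `threat.indicator.marking.tlp` already list `CLEAR` is not visible in this diff; if they still list only the TLP 1.0 colors, the usage examples and the schema would disagree and detection rules keyed on the old value would miss these documents.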