CAL Classifiers Glossary
  • 22 Feb 2024
  • 7 Minutes to read
  • Dark
    Light

CAL Classifiers Glossary

  • Dark
    Light

Article summary

Overview

CAL™ provides anonymized, crowdsourced intelligence derived from global data for Indicators across all participating instances of ThreatConnect®. One of the ways in which this intelligence is displayed is CAL Classifiers, which are a series of labels representing pre-defined categorizations derived from CAL’s classification analytics. CAL Classifiers are similar to Tags in ThreatConnect, except that they are applied by CAL using the totality of its data set and statistical models. They provide ThreatConnect users with a clear, concise vocabulary to understand some of the salient data points about an Indicator.

Minimum Role(s)Organization role of Read Only User
Prerequisites
  • An Indicator created in one of your ThreatConnect owners
  • CAL enabled on your ThreatConnect instance and for your Organization

Viewing CAL Classifiers

CAL Classifiers are displayed in the following areas of ThreatConnect for Address, Email Address, File, Host, URL, CIDR, and ASN Indicator types:

  • the Classification subsection of the CAL Insights section on the Details drawer (Figure 1)

    Figure 1_CAL Classifiers Glossary_7.1.0

     

  • the CAL™ Classifiers section in the Details card on the Overview tab of the Details screen (Figure 2)
    Figure 2_CAL Classifiers Glossary_7.1.0

     

  • the Classification subsection of the CAL Insights section in the Indicator Analytics card on the Overview tab of the legacy Details screen (Figure 3)

    Figure 3_CAL Classifiers Glossary_7.1.0

     

Classifiers Glossary

ClassifierValid Indicator Type(s)Comments
Active HostHostIndicator has a sufficient number of reported observations from ThreatConnect users within the allotted timeframe.
ASN.InvalidASNThis ASN does not exist, according to the master list of ASN:CIDR mappings.
CloudHostedURLIndicator hosted on a common cloud-hosting domain (e.g., amazonaws.com).
DNSHosts.Excessive.CurrentAddressThe IP address has an excessive number (3+) of hosts concurrently resolving to it.
DNSHosts.HistoricalResolutionsAddressThe IP address has had hosts historically resolve to it, but currently no tracked hosts do.
DNSHosts.Malicious.CurrentAddressThe IP address has a sufficiently evil host that currently resolves to it.
DNSHosts.Malicious.HistoricalAddressThe IP address has had a sufficiently evil host resolve to it in the last 30 days, but not currently.
DNSHosts.MultipleResolutionsAddressThe IP address has 2+ hosts currently resolving to it.
DNSRes.Excessive.CurrentHostThe host currently resolves to an excessive number (5+) of concurrent IP addresses.
DNSRes.Excessive.HistoricalHostThe host has resolved to an excessive number (5+) of concurrent IP addresses in the last 7 days, but does not currently resolve to an excessive number of concurrent IP addresses.
DNSRes.Malicious.CurrentHostThe host resolves to an IP address that, as of the current day, is sufficiently evil.
DNSRes.Malicious.HistoricalHostThe host resolved in the last 30 days to an IP address that, as of the current day, is sufficiently evil, but does not currently resolve to this IP address.
DNSRes.MultipleResolutionsHostThe host currently resolves to 2+ IP addresses.
DNSRes.NoResolutionHostThe host does not currently resolve to any IP address.
DNSRes.ParkedHostThe host resolves to a currently known good IP address.
DNSRes.RecentlyUnparkedHostThe host resolved to a known good IP address in the last 7 days, but no longer does.
Email.CommonDomainEmailAddressIndicator comes from a list of very common/popular email hosting services (e.g., @google.com).
Email.DisposableEmailAddressIndicator uses an email provider known to be disposable (e.g., badguy@mailinator.com).
Executable.AndroidFileThe file hash is known to represent an Android executable.
Executable.iOSFileThe file hash is known to represent an iOS executable.
Executable.LegacyFileThe file hash is known to represent a legacy (pre-2000) executable.
Executable.ModernFileThe file hash is known to represent a modern architecture (later than the year 2000) executable.
Host.DGA.Suspected
HostThe host may have been generated by a domain generation algorithm (DGA), a tactic frequently employed by malicious actors to create multiple domains to leverage during cyber attacks.
Host.DynamicDNSHost, URLIndicator (or its domain) includes a known dynamic DNS provider (e.g., no-ip.com).
Host.ExcessiveLengthHostHost has at least 50 characters, which we think is ridiculous.
Host.LoginFraudHostHost includes text similar to common websites (e.g., paypal), along with keywords of interest (e.g., auth, login, secure).
Host.RecentlyRegistered.30DHostThe host was registered within the last 30 days.
Host.RecentlyRegistered.7DHostThe host was registered within the last 7 days.
Host.SpoofingURLIndicator contains strings indicative of a spoof attempt (e.g., .com-).
Host.UnicodeHost, URLIndicator contains Unicode characters in the domain name, signified by xn--.
HostedInfrastructure.AWSAddressAddress belongs to a known AWS CIDR block.
HostedInfrastructure.CloudflareAddressAddress belongs to a known Cloudflare CIDR block.
HostedInfrastructure.GoogleAddressAddress belongs to a known Google CIDR block.
HostedInfrastructure.MaxCDNAddressThe IP address belongs to a known MaxCDN CIDR block.
HostedInfrastructure.MicrosoftAddressAddress belongs to a known Microsoft CIDR block.
IntrusionPhase.<value>.CurrentAddress, EmailAddress, File, Host, URLIndicator has documented Intrusion Phase (e.g., C2) Attribute from ThreatConnect Intel Source within allotted timeframe (by Indicator type).
IntrusionPhase.<value>.HistoricalAddress, EmailAddress, File, Host, URLIndicator has documented Intrusion Phase (e.g., C2) Attribute from ThreatConnect Intel Source outside allotted timeframe (by Indicator type).
LikelyPythonScriptHostIndicator appears to be a mislabeled Python file rather than a legitimate Host.
MultipleSuspiciousURLsHostIndicator has 2 or more suspicious URLs associated with it.
Observations.HighAddress, Email, File, Host, URLThe Indicator has a high number of observations for its type.
Observations.LowAddress, Email, File, Host, URLThe Indicator has a relatively low number of observations for its type.
Observations.MedAddress, Email, File, Host, URLThe Indicator has a moderate number of observations for its type.
PrivateNetworkAddressIndicator belongs to a netblock known as a private address space (e.g., 192.168.0.0/16).
ProxyRegistrationEmailAddressIndicator uses an email provider that provides proxy registration (e.g., badguy@domainsbyproxy.com).
Rank Quantcast.Top1MHostThe host is in Quantcast’s Top 1 Million domain list, in the 100,001–1,000,000 spot.
Rank.Quantcast.Top100KHostThe host is in Quantcast’s Top 1 Million domain list, in the 10,001–100,000 spot.
Rank.Quantcast.Top10KHostThe host is in Quantcast’s Top 1 Million domain list, in the 1,001–10,000 spot.
Rank.Quantcast.Top1KHostThe host is in Quantcast’s Top 1 Million domain list, in the 101–1,000 spot.
Rank.Quantcast.Top100HostThe host is in Quantcast’s Top 1 Million domain list, in the 1–100 spot.
Rank.Alexa.Top1MHostThe host is in Alexa’s Top 1 Million domain list, in the 100,001–1,000,000 spot.
Rank.Alexa.Top100KHostThe host is in Alexa’s Top 1 Million domain list, in the 10,001–100,000 spot.
Rank.Alexa.Top10KHostThe host is in Alexa’s Top 1 Million domain list, in the 1,001–10,000 spot.
Rank.Alexa.Top1KHostThe host is in Alexa’s Top 1 Million domain list, in the 101–1,000 spot.
Rank.Alexa.Top100HostThe host is in Alexa’s Top 1 Million domain list, in the 1–100 spot.
Rank.CiscoUmbrella.Top1MHostThe host is in Cisco Umbrella’s Top 1 Million domain list, in the 100,001–1,000,000 spot.
Rank.CiscoUmbrella.Top100KHostThe host is in Cisco Umbrella’s Top 1 Million domain list, in the 10,001–100,000 spot.
Rank.CiscoUmbrella.Top10KHostThe host is in Cisco Umbrella’s Top 1 Million domain list, in the 1,001–10,000 spot.
Rank.CiscoUmbrella.Top1KHostThe host is in Cisco Umbrella’s Top 1 Million domain list, in the 101–1,000 spot.
Rank.CiscoUmbrella.Top100HostThe host is in Cisco Umbrella’s Top 1 Million domain list, in the 1–100 spot.
Rank.Majestic.Top1MHostThe host is in Majestic’s Top 1 Million domain list, in the 100,001–1,000,000 spot.
Rank.Majestic.Top100KHostThe host is in Majestic’s Top 1 Million domain list, in the 10,001–100,000 spot.
Rank.Majestic.Top10KHostThe host is in Majestic’s Top 1 Million domain list, in the 1,001–10,000 spot.
Rank.Majestic.Top1KHostThe host is in Majestic’s Top 1 Million domain list, in the 101–1,000 spot.
Rank.Majestic.Top100HostThe host is in Majestic’s Top 1 Million domain list, in the 1–100 spot.
Rank.Tranco.Top1MHostThe host is in Tranco’s Top 1 Million domain list, in the 100,001–1,000,000 spot.
Rank.Tranco.Top100KHostThe host is in Tranco’s Top 1 Million domain list, in the 10,001–100,000 spot.
Rank.Tranco.Top10KHostThe host is in Tranco’s Top 1 Million domain list, in the 1,001–10,000 spot.
Rank.Tranco.Top1KHostThe host is in Tranco’s Top 1 Million domain list, in the 101–1,000 spot.
Rank.Tranco.Top100HostThe host is in Tranco’s Top 1 Million domain list, in the 1–100 spot.
Rel.Addresses.MaliciousCIDR, ASNThere is a high number of malicious IP addresses that exist in this CIDR range.
Rel.EmailAddresses.SuspiciousHostIndicator has a sufficient number of related email addresses that are sufficiently evil.
Rel.Host.KnownGoodURLIndicator (URL) related to a known good host.
Rel.Host.SuspiciousEmailIndicator has an email provider host that is known to be sufficiently evil.
Rel.Hosts.MaliciousCIDRThere is a high number of malicious hosts whose current resolutions exist in this CIDR range.
Rel.NSClients.MaliciousHostThis host is currently being used as a nameserver by a high proportion of malicious hosts.
Rel.NSClients.SuspiciousHostThis host is currently being used as a nameserver by a substantial number of suspicious hosts.
Rel.Subdomains.SuspiciousHostIndicator has a sufficient number of subdomains that are sufficiently evil.
Rel.URL.SuspiciousHostIndicator has at least 1 suspicious URL associated with it.
Rel.URLs.MaliciousCIDRThere is a high number of malicious URLs whose current resolutions exist in this CIDR range.
Rel.URLs.MultipleQueriesAddressThis IP address has recently been observed hosting a large number of URLs that have multiple queries.
Status.SinkholedHostThis host is currently believed to be sinkholed, based on its nameserver.
Subdomains.HighCountHostIndicator has at least 4 subdomains (regex implementation with known flaw—e.g., .co.uk).
Suspicious.ExcessiveSubdomainsHostHost has at least 4 subdomains (excluding multilevel TLDs such as .co.uk).
TLD.AlternativeDNSHostIndicator has a TLD from a list of alternative DNS providers.
TLD.DarkWebHost, URLIndicator (or its domain) ends in .onion.
TLD.InvalidHostThe host does not have a valid TLD from the public suffix list.
TLD.RiskyHost, URLIndicator uses a top-level domain that is considered risky (e.g., bad.ru).
TLD.UncommonHostIndicator does not contain the “common” tld flags, such as .com, .net, etc.
TorExitNodeAddressIndicator comes from the Tor Exit Nodes feed.
Trending.ImpressionsAddress, EmailAddress, File, Host, URL, ASN, CIDRIndicator has a sufficient number of impressions in the last day or week.
Trending.ObservationsAddress, EmailAddress, File, Host, URL, ASN, CIDRIndicator has a sufficient number of observations in the last week.
URLShortenerURLIndicator uses a domain associated with URL shortening services.
Usage.<value>.CurrentAddress, Host, URLIndicator has documented Usage (e.g., VulnerabilityScan) Attribute from ThreatConnect Intel Source within allotted timeframe (by Indicator type).
Usage.<value>.HistoricalAddress, Host, URLIndicator has documented Usage (e.g., VulnerabilityScan) Attribute from ThreatConnect Intel Source outside allotted timeframe (by Indicator type).
Usage.CDNAddressThe IP address has been reported by an external feed as serving CDN functions.
Usage.DedicatedServer.SuspectedAddress, Host, URLBased on ThreatConnect’s observations, this IP address is known to host only 1 domain (or the IP address of this host/URL).
Usage.DNSAddressAddress has been reported by an external feed as serving DNS functions.
Usage.Nameserver.BoutiqueHostThis host is currently being observed as a nameserver by only a small number of host clients.
Usage.Nameserver.CommonHostThis host is currently being used as a nameserver by a high number of other hosts and is likely to be benign.
Usage.Nameserver.CurrentHostThis host is currently being used as a nameserver by other hosts.
Usage.Nameserver.SelfRefHostThis host is currently using itself as a nameserver.
Usage.SinkholeHostThis host is suspected to be operating as a sinkhole by its owner.
WebExtension.ExecutableURLIndicator ends in a suffix implying an executable file.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20094-01 v.03.A


Was this article helpful?