CAL Classifiers Glossary
Updated on 22 Feb 2024
7 Minutes to read
Overview
CAL™ provides anonymized, crowdsourced intelligence derived from global data for Indicators across all participating instances of ThreatConnect®. One of the ways in which this intelligence is displayed is CAL Classifiers, which are a series of labels representing pre-defined categorizations derived from CAL’s classification analytics. CAL Classifiers are similar to Tags in ThreatConnect, except that they are applied by CAL using the totality of its data set and statistical models. They provide ThreatConnect users with a clear, concise vocabulary to understand some of the salient data points about an Indicator.
Minimum Role(s) | Organization role of Read Only User |
---|---|
Prerequisites | |
Viewing CAL Classifiers
CAL Classifiers are displayed in the following areas of ThreatConnect for Address, Email Address, File, Host, URL, CIDR, and ASN Indicator types:
- the Classification subsection of the CAL Insights section on the Details drawer (Figure 1)
- the CAL™ Classifiers section in the Details card on the Overview tab of the Details screen (Figure 2)
- the Classification subsection of the CAL Insights section in the Indicator Analytics card on the Overview tab of the legacy Details screen (Figure 3)
Classifiers Glossary
Classifier | Valid Indicator Type(s) | Comments |
---|---|---|
Active Host | Host | Indicator has a sufficient number of reported observations from ThreatConnect users within the allotted timeframe. |
ASN.Invalid | ASN | This ASN does not exist, according to the master list of ASN:CIDR mappings. |
CloudHosted | URL | Indicator hosted on a common cloud-hosting domain (e.g., amazonaws.com). |
DNSHosts.Excessive.Current | Address | The IP address has an excessive number (3+) of hosts concurrently resolving to it. |
DNSHosts.HistoricalResolutions | Address | The IP address has had hosts historically resolve to it, but currently no tracked hosts do. |
DNSHosts.Malicious.Current | Address | The IP address has a sufficiently evil host that currently resolves to it. |
DNSHosts.Malicious.Historical | Address | The IP address has had a sufficiently evil host resolve to it in the last 30 days, but not currently. |
DNSHosts.MultipleResolutions | Address | The IP address has 2+ hosts currently resolving to it. |
DNSRes.Excessive.Current | Host | The host currently resolves to an excessive number (5+) of concurrent IP addresses. |
DNSRes.Excessive.Historical | Host | The host has resolved to an excessive number (5+) of concurrent IP addresses in the last 7 days, but does not currently resolve to an excessive number of concurrent IP addresses. |
DNSRes.Malicious.Current | Host | The host resolves to an IP address that, as of the current day, is sufficiently evil. |
DNSRes.Malicious.Historical | Host | The host resolved in the last 30 days to an IP address that, as of the current day, is sufficiently evil, but does not currently resolve to this IP address. |
DNSRes.MultipleResolutions | Host | The host currently resolves to 2+ IP addresses. |
DNSRes.NoResolution | Host | The host does not currently resolve to any IP address. |
DNSRes.Parked | Host | The host resolves to a currently known good IP address. |
DNSRes.RecentlyUnparked | Host | The host resolved to a known good IP address in the last 7 days, but no longer does. |
Email.CommonDomain | EmailAddress | Indicator comes from a list of very common/popular email hosting services (e.g., @google.com). |
Email.Disposable | EmailAddress | Indicator uses an email provider known to be disposable (e.g., badguy@mailinator.com). |
Executable.Android | File | The file hash is known to represent an Android executable. |
Executable.iOS | File | The file hash is known to represent an iOS executable. |
Executable.Legacy | File | The file hash is known to represent a legacy (pre-2000) executable. |
Executable.Modern | File | The file hash is known to represent a modern architecture (later than the year 2000) executable. |
Host.DGA.Suspected | Host | The host may have been generated by a domain generation algorithm (DGA), a tactic frequently employed by malicious actors to create multiple domains to leverage during cyber attacks. |
Host.DynamicDNS | Host, URL | Indicator (or its domain) includes a known dynamic DNS provider (e.g., no-ip.com). |
Host.ExcessiveLength | Host | Host has at least 50 characters, which we think is ridiculous. |
Host.LoginFraud | Host | Host includes text similar to common websites (e.g., paypal), along with keywords of interest (e.g., auth, login, secure). |
Host.RecentlyRegistered.30D | Host | The host was registered within the last 30 days. |
Host.RecentlyRegistered.7D | Host | The host was registered within the last 7 days. |
Host.Spoofing | URL | Indicator contains strings indicative of a spoof attempt (e.g., .com-). |
Host.Unicode | Host, URL | Indicator contains Unicode characters in the domain name, signified by xn--. |
HostedInfrastructure.AWS | Address | Address belongs to a known AWS CIDR block. |
HostedInfrastructure.Cloudflare | Address | Address belongs to a known Cloudflare CIDR block. |
HostedInfrastructure.Google | Address | Address belongs to a known Google CIDR block. |
HostedInfrastructure.MaxCDN | Address | The IP address belongs to a known MaxCDN CIDR block. |
HostedInfrastructure.Microsoft | Address | Address belongs to a known Microsoft CIDR block. |
IntrusionPhase.<value>.Current | Address, EmailAddress, File, Host, URL | Indicator has documented Intrusion Phase (e.g., C2) Attribute from ThreatConnect Intel Source within allotted timeframe (by Indicator type). |
IntrusionPhase.<value>.Historical | Address, EmailAddress, File, Host, URL | Indicator has documented Intrusion Phase (e.g., C2) Attribute from ThreatConnect Intel Source outside allotted timeframe (by Indicator type). |
LikelyPythonScript | Host | Indicator appears to be a mislabeled Python file rather than a legitimate Host. |
MultipleSuspiciousURLs | Host | Indicator has 2 or more suspicious URLs associated with it. |
Observations.High | Address, EmailAddress, File, Host, URL | The Indicator has a high number of observations for its type. |
Observations.Low | Address, EmailAddress, File, Host, URL | The Indicator has a relatively low number of observations for its type. |
Observations.Med | Address, EmailAddress, File, Host, URL | The Indicator has a moderate number of observations for its type. |
PrivateNetwork | Address | Indicator belongs to a netblock known as a private address space (e.g., 192.168.0.0/16). |
ProxyRegistration | EmailAddress | Indicator uses an email provider that provides proxy registration (e.g., badguy@domainsbyproxy.com). |
Rank.Quantcast.Top1M | Host | The host is in Quantcast’s Top 1 Million domain list, in the 100,001–1,000,000 spot. |
Rank.Quantcast.Top100K | Host | The host is in Quantcast’s Top 1 Million domain list, in the 10,001–100,000 spot. |
Rank.Quantcast.Top10K | Host | The host is in Quantcast’s Top 1 Million domain list, in the 1,001–10,000 spot. |
Rank.Quantcast.Top1K | Host | The host is in Quantcast’s Top 1 Million domain list, in the 101–1,000 spot. |
Rank.Quantcast.Top100 | Host | The host is in Quantcast’s Top 1 Million domain list, in the 1–100 spot. |
Rank.Alexa.Top1M | Host | The host is in Alexa’s Top 1 Million domain list, in the 100,001–1,000,000 spot. |
Rank.Alexa.Top100K | Host | The host is in Alexa’s Top 1 Million domain list, in the 10,001–100,000 spot. |
Rank.Alexa.Top10K | Host | The host is in Alexa’s Top 1 Million domain list, in the 1,001–10,000 spot. |
Rank.Alexa.Top1K | Host | The host is in Alexa’s Top 1 Million domain list, in the 101–1,000 spot. |
Rank.Alexa.Top100 | Host | The host is in Alexa’s Top 1 Million domain list, in the 1–100 spot. |
Rank.CiscoUmbrella.Top1M | Host | The host is in Cisco Umbrella’s Top 1 Million domain list, in the 100,001–1,000,000 spot. |
Rank.CiscoUmbrella.Top100K | Host | The host is in Cisco Umbrella’s Top 1 Million domain list, in the 10,001–100,000 spot. |
Rank.CiscoUmbrella.Top10K | Host | The host is in Cisco Umbrella’s Top 1 Million domain list, in the 1,001–10,000 spot. |
Rank.CiscoUmbrella.Top1K | Host | The host is in Cisco Umbrella’s Top 1 Million domain list, in the 101–1,000 spot. |
Rank.CiscoUmbrella.Top100 | Host | The host is in Cisco Umbrella’s Top 1 Million domain list, in the 1–100 spot. |
Rank.Majestic.Top1M | Host | The host is in Majestic’s Top 1 Million domain list, in the 100,001–1,000,000 spot. |
Rank.Majestic.Top100K | Host | The host is in Majestic’s Top 1 Million domain list, in the 10,001–100,000 spot. |
Rank.Majestic.Top10K | Host | The host is in Majestic’s Top 1 Million domain list, in the 1,001–10,000 spot. |
Rank.Majestic.Top1K | Host | The host is in Majestic’s Top 1 Million domain list, in the 101–1,000 spot. |
Rank.Majestic.Top100 | Host | The host is in Majestic’s Top 1 Million domain list, in the 1–100 spot. |
Rank.Tranco.Top1M | Host | The host is in Tranco’s Top 1 Million domain list, in the 100,001–1,000,000 spot. |
Rank.Tranco.Top100K | Host | The host is in Tranco’s Top 1 Million domain list, in the 10,001–100,000 spot. |
Rank.Tranco.Top10K | Host | The host is in Tranco’s Top 1 Million domain list, in the 1,001–10,000 spot. |
Rank.Tranco.Top1K | Host | The host is in Tranco’s Top 1 Million domain list, in the 101–1,000 spot. |
Rank.Tranco.Top100 | Host | The host is in Tranco’s Top 1 Million domain list, in the 1–100 spot. |
Rel.Addresses.Malicious | CIDR, ASN | There is a high number of malicious IP addresses that exist in this CIDR range. |
Rel.EmailAddresses.Suspicious | Host | Indicator has a sufficient number of related email addresses that are sufficiently evil. |
Rel.Host.KnownGood | URL | Indicator (URL) related to a known good host. |
Rel.Host.Suspicious | | Indicator has an email provider host that is known to be sufficiently evil. |
Rel.Hosts.Malicious | CIDR | There is a high number of malicious hosts whose current resolutions exist in this CIDR range. |
Rel.NSClients.Malicious | Host | This host is currently being used as a nameserver by a high proportion of malicious hosts. |
Rel.NSClients.Suspicious | Host | This host is currently being used as a nameserver by a substantial number of suspicious hosts. |
Rel.Subdomains.Suspicious | Host | Indicator has a sufficient number of subdomains that are sufficiently evil. |
Rel.URL.Suspicious | Host | Indicator has at least 1 suspicious URL associated with it. |
Rel.URLs.Malicious | CIDR | There is a high number of malicious URLs whose current resolutions exist in this CIDR range. |
Rel.URLs.MultipleQueries | Address | This IP address has recently been observed hosting a large number of URLs that have multiple queries. |
Status.Sinkholed | Host | This host is currently believed to be sinkholed, based on its nameserver. |
Subdomains.HighCount | Host | Indicator has at least 4 subdomains (regex implementation with known flaw—e.g., .co.uk). |
Suspicious.ExcessiveSubdomains | Host | Host has at least 4 subdomains (excluding multilevel TLDs such as .co.uk). |
TLD.AlternativeDNS | Host | Indicator has a TLD from a list of alternative DNS providers. |
TLD.DarkWeb | Host, URL | Indicator (or its domain) ends in .onion. |
TLD.Invalid | Host | The host does not have a valid TLD from the public suffix list. |
TLD.Risky | Host, URL | Indicator uses a top-level domain that is considered risky (e.g., bad.ru). |
TLD.Uncommon | Host | Indicator does not use one of the “common” TLDs, such as .com, .net, etc. |
TorExitNode | Address | Indicator comes from the Tor Exit Nodes feed. |
Trending.Impressions | Address, EmailAddress, File, Host, URL, ASN, CIDR | Indicator has a sufficient number of impressions in the last day or week. |
Trending.Observations | Address, EmailAddress, File, Host, URL, ASN, CIDR | Indicator has a sufficient number of observations in the last week. |
URLShortener | URL | Indicator uses a domain associated with URL shortening services. |
Usage.<value>.Current | Address, Host, URL | Indicator has documented Usage (e.g., VulnerabilityScan) Attribute from ThreatConnect Intel Source within allotted timeframe (by Indicator type). |
Usage.<value>.Historical | Address, Host, URL | Indicator has documented Usage (e.g., VulnerabilityScan) Attribute from ThreatConnect Intel Source outside allotted timeframe (by Indicator type). |
Usage.CDN | Address | The IP address has been reported by an external feed as serving CDN functions. |
Usage.DedicatedServer.Suspected | Address, Host, URL | Based on ThreatConnect’s observations, this IP address is known to host only 1 domain (or the IP address of this host/URL). |
Usage.DNS | Address | Address has been reported by an external feed as serving DNS functions. |
Usage.Nameserver.Boutique | Host | This host is currently being observed as a nameserver by only a small number of host clients. |
Usage.Nameserver.Common | Host | This host is currently being used as a nameserver by a high number of other hosts and is likely to be benign. |
Usage.Nameserver.Current | Host | This host is currently being used as a nameserver by other hosts. |
Usage.Nameserver.SelfRef | Host | This host is currently using itself as a nameserver. |
Usage.Sinkhole | Host | This host is suspected to be operating as a sinkhole by its owner. |
WebExtension.Executable | URL | Indicator ends in a suffix implying an executable file. |
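As an added illustration (not ThreatConnect's or CAL's own code; CAL's classification models are not published), the following Python sketch approximates a handful of the string- and netblock-based classifiers in the table, and shows the public-suffix caveat the glossary notes for Subdomains.HighCount versus Suspicious.ExcessiveSubdomains. The numeric thresholds (50 characters, 4 subdomains) are taken from the table; the multilevel-suffix set, the brand and keyword lists, and every sample host are constructed for this demo and are not CAL's lists.

```python
"""Illustrative approximation of a few CAL Classifier heuristics.

Added example, not ThreatConnect/CAL code. Thresholds come from the glossary
text; the suffix, brand and keyword sets below are constructed stand-ins.
"""
import ipaddress

# Constructed stand-in for the multilevel entries of the public suffix list.
MULTILEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Constructed stand-ins for the Host.LoginFraud brand and keyword lists.
BRAND_STRINGS = ("paypal",)
LOGIN_KEYWORDS = ("auth", "login", "secure")

HOST_EXCESSIVE_LENGTH = 50  # Host.ExcessiveLength: "at least 50 characters"
SUBDOMAIN_THRESHOLD = 4     # Subdomains.HighCount / Suspicious.ExcessiveSubdomains


def _labels(host: str) -> list:
    """Split a host name into its DNS labels, ignoring case and a trailing dot."""
    return host.lower().rstrip(".").split(".")


def subdomain_count_naive(host: str) -> int:
    """Subdomains.HighCount-style count: every label left of the last two.

    This is the "known flaw" the glossary mentions: 'co.uk' is treated as a
    registered name, so 'example.co.uk' already looks like one subdomain.
    """
    return max(len(_labels(host)) - 2, 0)


def subdomain_count_suffix_aware(host: str) -> int:
    """Suspicious.ExcessiveSubdomains-style count: accounts for multilevel TLDs."""
    labels = _labels(host)
    base = 3 if ".".join(labels[-2:]) in MULTILEVEL_SUFFIXES else 2
    return max(len(labels) - base, 0)


def classify_host(host: str) -> set:
    """Return the subset of host-type classifier labels this sketch can derive."""
    labels = _labels(host)
    tags = set()
    if len(host) >= HOST_EXCESSIVE_LENGTH:
        tags.add("Host.ExcessiveLength")
    if any(label.startswith("xn--") for label in labels):
        tags.add("Host.Unicode")  # punycode-encoded (IDN) label present
    if labels[-1] == "onion":
        tags.add("TLD.DarkWeb")
    if subdomain_count_naive(host) >= SUBDOMAIN_THRESHOLD:
        tags.add("Subdomains.HighCount")
    if subdomain_count_suffix_aware(host) >= SUBDOMAIN_THRESHOLD:
        tags.add("Suspicious.ExcessiveSubdomains")
    lowered = host.lower()
    if any(b in lowered for b in BRAND_STRINGS) and any(k in lowered for k in LOGIN_KEYWORDS):
        tags.add("Host.LoginFraud")
    return tags


def classify_address(addr: str) -> set:
    """Return the subset of Address-type classifier labels this sketch can derive."""
    tags = set()
    if ipaddress.ip_address(addr).is_private:
        tags.add("PrivateNetwork")  # RFC 1918 / loopback / link-local etc.
    return tags


if __name__ == "__main__":
    # Constructed sample Indicators for the demo.
    for sample in ("a.b.c.example.co.uk", "a.b.c.d.example.com",
                   "xn--80ak6aa92e.com", "www.example.onion",
                   "paypal-secure-login.example.com"):
        print(f"{sample:35} {sorted(classify_host(sample))}")
    for sample in ("192.168.0.1", "8.8.8.8"):
        print(f"{sample:35} {sorted(classify_address(sample))}")
```

The first sample host is the interesting one for triage: the naive count flags `a.b.c.example.co.uk` as Subdomains.HighCount because it sees `co.uk` as the registered name, while the suffix-aware count yields only three subdomains and does not raise Suspicious.ExcessiveSubdomains. When both classifiers appear on an Indicator, that is the difference the glossary is warning about.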
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
20094-01 v.03.A