Exploring Associations
  • 19 Oct 2022

When viewing the graph for an Indicator, Group, or Case, you can use the Pivot in ThreatConnect option to explore the following association types that exist in ThreatConnect:

  • Custom, direct Indicator-to-Indicator
  • Indicator-to-Group
  • Indicator-to-Case
  • Group-to-Indicator
  • Group-to-Group
  • Group-to-Case
  • Case-to-Indicator
  • Case-to-Group
  • Case-to-Case

For Indicator and Group nodes, you can use the Pivot with CAL option to explore Indicator and Group relationships that exist in ThreatConnect’s Collective Analytics Layer (CAL™).

The example used throughout this article demonstrates how to pivot on associations in ThreatConnect and relationships in CAL for the verybadguy.com Host Indicator; however, you can use a similar approach to explore associations when viewing a Group’s or Case’s graph.

Pivot in ThreatConnect

Selecting Pivot in ThreatConnect will display a submenu containing the following object types: Groups, Indicators, and Cases. Select the type of object on which to pivot. See the “Groups,” “Indicators,” and “Cases” sections for further instruction on pivoting on Group, Indicator, and Case associations, respectively, in ThreatConnect.

[Figure 1]

Note
If an Indicator or Group belongs to multiple owners, a black border will be applied to its node when you click on it, as in Figure 1.
Note
If you select Pivot in ThreatConnect and an Indicator or Group does not exist in your ThreatConnect instance (e.g., you selected Pivot in ThreatConnect for an Indicator or Group added to the graph via the Pivot with CAL option), a message stating so will be displayed in the menu.

Pivoting on Indicators and Groups in ThreatConnect will return all associated objects of the selected type in all owners to which you have access. For example, pivoting on all Group types from a Host Indicator associated to a Threat Group in your Organization and an Adversary Group in a Community to which you have access will return both Groups. Similarly, pivoting from an object that belongs to multiple owners will return associated Indicators or Groups across all owners to which you have access. For example, pivoting on the Threat Group type from an Indicator that belongs to an Organization and a Source to which you have access will return Threat Groups associated to the Indicator in each owner. To determine the owner(s) of an associated Indicator or Group, click on its node and select View Details.

Groups

Selecting Groups will display a scrollable list of all ThreatConnect Group types (Figure 2).

[Figure 2]

Select a Group type (Threat in this example) on which to pivot, or select All Groups to pivot on all Group types. If Groups of the selected type(s) are associated to the Indicator, Group, or Case, the following objects will be displayed on the graph (Figure 3):

  • One or more associated Group nodes. Each node will include a node label that displays the corresponding Group’s summary.
  • A connection between each associated Group node and the node on which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.

If no Groups of the selected type are associated to the Indicator, Group, or Case from which you pivoted, a message stating “No results found for last pivot” will be displayed at the lower-left corner of the screen.

[Figure 3]

Important
If a pivot returns more than 500 associated objects, only the first 500 associated nodes and their respective connections will be displayed on the graph.

Repeat this process for associated Group nodes or the origin node as desired. For example, pivoting on all Group types for the Menace Initiative Threat Group associated to the verybadguy.com Host Indicator adds four associated Group nodes to the graph, each of which represents a Group associated to Menace Initiative (Figure 4).

[Figure 4]

If a pivot returns an associated object that belongs to multiple owners, a single node representing the associated object will be displayed on the graph. To view details for the object in each of its owners, click the associated object’s node and select View Details.

Indicators

If pivoting on an Indicator node, selecting Indicators will display a list of all custom Indicator-to-Indicator association types available for the Indicator on your ThreatConnect instance (Figure 5).

[Figure 5]

Select an association type (Domain Registrant Email in this example) on which to pivot, or select All to pivot on all available association types. If an association of the selected type exists, the following objects will be displayed on the graph (Figure 6):

  • One or more associated Indicator nodes. Each node will include a node label that displays the corresponding Indicator’s summary.
  • A connection between each associated Indicator node and the Indicator node on which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.

If an association of the selected type does not exist for the Indicator from which you pivoted, a message stating “No results found for last pivot” will be displayed at the lower-left corner of the screen.

[Figure 6]

If pivoting on a Group node, selecting Indicators will display a scrollable list of all ThreatConnect Indicator types (Figure 7).

[Figure 7]

Select an Indicator type, or select All Indicators (as in this example) to pivot on all ThreatConnect Indicator types. If Indicators of the selected type(s) are associated to the Group or Case, the following objects will be displayed on the graph (Figure 8):

  • One or more associated Indicator nodes. Each node will include a node label that displays the corresponding Indicator’s summary.
  • A connection between each associated Indicator node and the Group or Case node on which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.

If no Indicators of the selected type are associated to the Group or Case from which you pivoted, a message stating “No results found for last pivot” will be displayed at the lower-left corner of the screen.

[Figure 8]

If you pivot from one node to a second node and then pivot from the second node back to the first node, a bidirectional arrow will be displayed on the graph. In this example, the first pivot was from the verybadguy.com Host Indicator to the Menace Initiative Threat Group (Figure 3). After pivoting from the Menace Initiative Threat Group to all Indicator types (Figure 8), the arrow connecting the verybadguy.com Host Indicator to the Menace Initiative Threat Group changed to a bidirectional arrow to reflect the pivot from the Menace Initiative Threat Group back to the verybadguy.com Host Indicator.

Cases

Select Cases to pivot on Cases in your Organization. After selecting Cases, you will be prompted to select an owner of the object from which you are pivoting. If Cases are associated to the Indicator, Group, or Case from which you pivoted in the selected owner, the following objects will be displayed on the graph (Figure 9):

  • One or more associated Case nodes. Each node will include a node label that displays the corresponding Case’s name. If you do not have viewing access to an associated Case, it will not be displayed on the graph.
  • A connection between each associated Case node and the Indicator, Group, or Case node on which you pivoted. For pivots made in ThreatConnect, this connection is orange and does not include a label.

If no Cases are associated to the Indicator, Group, or Case from which you pivoted in the selected owner, a message stating “No results found for last pivot” will be displayed at the lower-left corner of the screen.

Note
Pivoting on potential Case associations is not supported at this time.

[Figure 9]

As with Indicator and Group nodes, you can pivot on Indicator, Group, and Case associations from a Case node. Figure 10 shows two pivots from an associated Case node (Analyze Suspicious Email and Re…) added to the graph via the previous pivot: one on Host Indicators, followed by one on Cases in the Documentation Team Organization.

[Figure 10]

Pivot with CAL

Continuing from the example started in the “Pivot in ThreatConnect” section, selecting Pivot with CAL from an Indicator or Group node’s contextual menu will display a list of available CAL relationship types on which you can pivot and the number of related Indicators or Groups included in each relationship type. See Tables 1 and 2 for a list of all available CAL relationship types for Indicators and Groups, respectively.

Table 1. Available CAL relationship types for Indicators

CAL Relationship Type  | Starting Indicator Type(s)  | Indicator Type Returned from Pivot
Base Host              | URL                         | Host
Base URL               | URL                         | URL
CIDR Ranges            | Address, ASN                | CIDR
DNS Resolutions        | Host                        | Address
Email Host             | Email Address               | Host
Known ASNs             | CIDR                        | ASN
Known Email Addresses  | Host                        | Email Address
Known URL Extensions   | URL                         | URL
Known URLs             | Host                        | URL
Member IPs             | CIDR                        | Address
Nameserver Clients     | Host                        | Host
Nameservers            | Host                        | Host
Parent Domain          | Host                        | Host
Registered Domains     | Email Address               | Host
Resolved Domains       | Address                     | Host
Subdomains             | Host                        | Host
WHOIS Registrants      | Host                        | Email Address

Table 2. Available CAL relationship types for Groups

CAL Relationship Type     | Starting Group Type(s)         | Group Type Returned from Pivot
Achieved By               | Tactic                         | Attack Pattern
Achieves Tactic           | Attack Pattern                 | Tactic
Contains Subtechnique     | Attack Pattern                 | Attack Pattern
Mitigated By              | Attack Pattern                 | Course of Action
Mitigates Attack Pattern  | Course of Action               | Attack Pattern
Revoked By                | Attack Pattern                 | Attack Pattern
Revoked By                | Intrusion Set                  | Intrusion Set
Revoked By                | Malware                        | Malware
Revokes                   | Attack Pattern                 | Attack Pattern
Revokes                   | Intrusion Set                  | Intrusion Set
Revokes                   | Malware                        | Malware
Subtechnique Of           | Attack Pattern                 | Attack Pattern
Used by Intrusion Set     | Attack Pattern                 | Intrusion Set
Used by Malware           | Attack Pattern                 | Malware
Used by Tool              | Attack Pattern, Intrusion Set  | Tool
Uses Attack Pattern       | Intrusion Set, Malware, Tool   | Attack Pattern
Uses Malware              | Intrusion Set                  | Malware

Note
If a Group on the graph has the same summary as a Group that exists in CAL but is a different Group type, you will be able to pivot on the CAL relationship types available for the Group that exists in CAL. For example, if a node for a Fancy Bear Adversary Group is displayed on the graph and a Fancy Bear Intrusion Set exists in CAL, you will be able to pivot on CAL relationship types available for Intrusion Sets when you select Pivot with CAL for the Fancy Bear Adversary Group.
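The type constraints in Table 1 can be checked before pivoting. The following is an added example, constructed for this article and not ThreatConnect code or an API it exposes: it encodes Table 1 as a type-transition graph, validates a chain of CAL Indicator pivots (such as the Host to Address to Host chain behind the DNS Resolutions and Resolved Domains pivots in this article), and finds the shortest chains between two Indicator types. Type names are spelled exactly as in Table 1.

```python
"""Type-checked planner for CAL Indicator pivot chains: a constructed example
that encodes Table 1 of the article, not ThreatConnect code or API."""
from collections import deque

# Table 1: CAL relationship type -> (starting Indicator type(s), type returned).
CAL_INDICATOR_RELATIONSHIPS = {
    "Base Host": (("URL",), "Host"),
    "Base URL": (("URL",), "URL"),
    "CIDR Ranges": (("Address", "ASN"), "CIDR"),
    "DNS Resolutions": (("Host",), "Address"),
    "Email Host": (("Email Address",), "Host"),
    "Known ASNs": (("CIDR",), "ASN"),
    "Known Email Addresses": (("Host",), "Email Address"),
    "Known URL Extensions": (("URL",), "URL"),
    "Known URLs": (("Host",), "URL"),
    "Member IPs": (("CIDR",), "Address"),
    "Nameserver Clients": (("Host",), "Host"),
    "Nameservers": (("Host",), "Host"),
    "Parent Domain": (("Host",), "Host"),
    "Registered Domains": (("Email Address",), "Host"),
    "Resolved Domains": (("Address",), "Host"),
    "Subdomains": (("Host",), "Host"),
    "WHOIS Registrants": (("Host",), "Email Address"),
}

def follow_chain(start_type, relationships):
    """Indicator type reached after each pivot; ValueError if a relationship
    type does not apply to the type reached at that step."""
    types = [start_type]
    for rel in relationships:
        starts, returned = CAL_INDICATOR_RELATIONSHIPS[rel]
        if types[-1] not in starts:
            raise ValueError(f"{rel!r} does not apply to {types[-1]} Indicators")
        types.append(returned)
    return types

def shortest_chains(start_type, target_type, max_hops=4):
    """All shortest pivot chains (relationship-type lists) from start_type to
    target_type, by breadth-first search over Table 1; [] if none within max_hops."""
    found, queue = [], deque([(start_type, [])])
    while queue:
        current, path = queue.popleft()
        if found and len(path) > len(found[0]):
            break  # FIFO order: everything left is longer than the shortest chain
        if path and current == target_type:
            found.append(path)
        elif not found and len(path) < max_hops:
            for rel, (starts, returned) in CAL_INDICATOR_RELATIONSHIPS.items():
                if current in starts:
                    queue.append((returned, path + [rel]))
    return found
```

Relationship types the CAL menu actually offers are a subset of what Table 1 admits, since the menu lists only types with related objects in CAL.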

Figure 11 shows the available CAL relationship types on which you can pivot for the 71.6.135.131 Address Indicator.

[Figure 11]

Important
If CAL is not enabled on your ThreatConnect instance or for your Organization, the Pivot with CAL option will not be displayed for Indicators and Groups.
Important
The Pivot with CAL option will not be displayed for private Indicators or for File Indicators, as CAL does not have information on Indicator-to-Indicator associations for Files at this time.

Select an available CAL relationship type (Resolved Domains in this example) on which to pivot. The following objects will be displayed on the graph (Figure 12):

  • One or more related nodes, each of which represents a related Indicator (if pivoting on an Indicator) or Group (if pivoting on a Group). Each node will include a node label that displays the corresponding object’s summary.
  • A connection between each related node and the node on which you pivoted. For pivots made within CAL, the connection is gray and includes a connection label that displays the relationship between the two objects (i.e., the CAL relationship type).

If no CAL relationships exist for the selected Indicator or Group, a message stating so will be displayed after selecting Pivot with CAL. Similarly, if an Indicator or Group does not exist in CAL, a message stating so will be displayed after selecting Pivot with CAL.

Note
If a CAL relationship type listed in Table 1 or 2 is not displayed after selecting Pivot with CAL, then no related objects exist in CAL for that relationship type. For example, if you select Pivot with CAL for a Host Indicator, you may be able to pivot on the DNS Resolutions and Nameservers CAL relationship types only. In this scenario, there are no related objects in CAL for the Known Email Addresses, Known URLs, Nameserver Clients, Parent Domain, Subdomains, and WHOIS Registrants CAL relationship types.

[Figure 12]

Repeat this process for related nodes or the origin node as desired. For example, pivoting on the Uses Tool CAL relationship for the Fancy Bear Adversary Group associated to the Menace Initiative Threat Group adds nine related Group nodes to the graph, each of which represents a Tool Group related to Fancy Bear (Figure 13).

[Figure 13]

Important
If you pivot on a CAL relationship type that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.

When you pivot from one node to a second node and then pivot from the second node back to the first node, a bidirectional arrow will be displayed on the graph, and the connection label will reflect the most recent CAL relationship type on which you pivoted.

In the example in Figure 14, the first pivot is from the APT28 Intrusion Set Group to nine Tool Groups via the Uses Tool CAL relationship. The following pivot is from the KODIAC Tool to three Intrusion Set Groups, including the existing APT28 Intrusion Set, via the Used by Intrusion Set CAL relationship. When making this pivot, the arrow connecting the APT28 Intrusion Set to the KODIAC Tool Group changes to a bidirectional arrow to reflect the pivot from the KODIAC Tool Group back to the APT28 Intrusion Set Group, and the connection label changes from Uses Tool to Used by Intrusion Set.

[Figure 14]


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-04 v.06.A