Pivoting with CAL
  • 12 Apr 2023

Overview

You can use the Pivot with CAL option to explore Indicator and Group relationships that exist in CAL™. This option is displayed in the contextual menu for Indicator and Group nodes only.

Important
To use the Pivot with CAL feature, CAL must be enabled on your ThreatConnect instance and for your Organization.
Important
The Pivot with CAL option will not be displayed for File Indicators or private Indicators. CAL does not have information on Indicator-to-Indicator associations for Files at this time.

Performing a Pivot

  1. Click on an Indicator or Group node displayed on an object’s graph.
  2. Select Pivot with CAL from the node’s contextual menu. If data exist in CAL for the Indicator or Group, a list of available CAL relationship types on which you can pivot and the number of related objects included in each relationship type will be displayed (Figure 1). See the “CAL Relationship Types” section for a list of CAL relationship types available for Indicators and Groups.

  3. Select an available CAL relationship type (Resolved Domains in this example) on which to pivot. The following items will be displayed on the graph (Figure 2):
    • One or more related nodes, each of which represents a related Indicator (if pivoting on an Indicator) or Group (if pivoting on a Group). Each node will include a node label that displays the corresponding object’s summary.
    • A connection between each related node and the node from which you pivoted. For pivots made within CAL, the connection is gray and includes a connection label that displays the relationship between the two objects (i.e., the CAL relationship type).

Important
If you pivot on a relationship that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.
Note
If no CAL relationships exist for the selected Indicator or Group, a message stating so will be displayed after selecting Pivot with CAL. Similarly, if an Indicator or Group does not exist in CAL, a message stating so will be displayed after selecting Pivot with CAL.

Repeat this process for related nodes or the origin node as desired. For example, pivoting on the Uses Tool CAL relationship for the Fancy Bear Adversary Group associated to the Menace Initiative Threat Group adds nine related Group nodes to the graph, each of which represents a Tool Group related to Fancy Bear (Figure 3).

Important
If you pivot on a CAL relationship type that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.

When you pivot from one node to a second node and then pivot from the second node back to the first node, a bidirectional arrow will be displayed on the graph, and the connection label will reflect the most recent CAL relationship type on which you pivoted. In the example in Figure 4, the first pivot is from the APT28 Intrusion Set Group to nine Tool Groups via the Uses Tool CAL relationship. The following pivot is from the KODIAC Tool to three Intrusion Set Groups, including the existing APT28 Intrusion Set, via the Used by Intrusion Set CAL relationship. When making this pivot, the arrow connecting the APT28 Intrusion Set to the KODIAC Tool Group changes to a bidirectional arrow to reflect the pivot from the KODIAC Tool Group back to the APT28 Intrusion Set Group, and the connection label changes from Uses Tool to Used by Intrusion Set.

CAL Relationship Types

See Tables 1 and 2 for a list of CAL relationship types available for Indicators and Groups, respectively.

 

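| CAL Relationship Type | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
|-----------------------|----------------------------|------------------------------------|
| Base Host             | URL                        | Host                               |
| Base URL              | URL                        | URL                                |
| CIDR Ranges           | Address, ASN               | CIDR                               |
| DNS Resolutions       | Host                       | Address                            |
| Email Host            | Email Address              | Host                               |
| Known ASNs            | CIDR                       | ASN                                |
| Known Email Addresses | Host                       | Email Address                      |
| Known URL Extensions  | URL                        | URL                                |
| Known URLs            | Host                       | URL                                |
| Member IPs            | CIDR                       | Address                            |
| Nameserver Clients    | Host                       | Host                               |
| Nameservers           | Host                       | Host                               |
| Parent Domain         | Host                       | Host                               |
| Registered Domains    | Email Address              | Host                               |
| Resolved Domains      | Address                    | Host                               |
| Subdomains            | Host                       | Host                               |
| WHOIS Registrants     | Host                       | Email Address                      |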

 

| CAL Relationship Type    | Starting Group Type(s)        | Group Type Returned from Pivot |
|--------------------------|-------------------------------|--------------------------------|
| Achieved By              | Tactic                        | Attack Pattern                 |
| Achieves Tactic          | Attack Pattern                | Tactic                         |
| Contains Subtechnique    | Attack Pattern                | Attack Pattern                 |
| Mitigated By             | Attack Pattern                | Course of Action               |
| Mitigates Attack Pattern | Course of Action              | Attack Pattern                 |
| Revoked By               | Attack Pattern                | Attack Pattern                 |
| Revoked By               | Intrusion Set                 | Intrusion Set                  |
| Revoked By               | Malware                       | Malware                        |
| Revokes                  | Attack Pattern                | Attack Pattern                 |
| Revokes                  | Intrusion Set                 | Intrusion Set                  |
| Revokes                  | Malware                       | Malware                        |
| Subtechnique Of          | Attack Pattern                | Attack Pattern                 |
| Used by Intrusion Set    | Attack Pattern                | Intrusion Set                  |
| Used by Malware          | Attack Pattern                | Malware                        |
| Used by Tool             | Attack Pattern, Intrusion Set | Tool                           |
| Uses Attack Pattern      | Intrusion Set, Malware, Tool  | Attack Pattern                 |
| Uses Malware             | Intrusion Set                 | Malware                        |

Note
If a Group on the graph has the same summary as a Group that exists in CAL but is a different Group type, you will be able to pivot on the CAL relationship types available for the Group that exists in CAL. For example, if a node for a Fancy Bear Adversary Group is displayed on the graph and a Fancy Bear Intrusion Set exists in CAL, you will be able to pivot on CAL relationship types available for Intrusion Sets when you select Pivot with CAL for the Fancy Bear Adversary Group.
Note
If a CAL relationship type listed in Tables 1 or 2 is not displayed after selecting Pivot with CAL, then no related objects exist in CAL for that relationship type. For example, if you select Pivot with CAL for a Host Indicator, you may be able to pivot on the DNS Resolutions and Nameservers CAL relationship types only. In this scenario, there are no related objects in CAL for the Known Email Addresses, Known URLs, Nameserver Clients, Parent Domain, Subdomains, and WHOIS Registrants CAL relationship types.
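
The repeated pivots described above can be planned ahead from Table 1. The following is an added example, not ThreatConnect code: it treats Table 1 as a graph of Indicator types and finds the shortest chain of CAL relationship types between two of them. The function names are hypothetical, and the result only reflects the types listed in Table 1; whether each pivot is actually offered depends on the data CAL holds for the selected Indicator.

```python
from collections import deque

# Table 1 of this page: (CAL relationship type, starting Indicator types, returned type).
TABLE_1 = [
    ("Base Host", ["URL"], "Host"),
    ("Base URL", ["URL"], "URL"),
    ("CIDR Ranges", ["Address", "ASN"], "CIDR"),
    ("DNS Resolutions", ["Host"], "Address"),
    ("Email Host", ["Email Address"], "Host"),
    ("Known ASNs", ["CIDR"], "ASN"),
    ("Known Email Addresses", ["Host"], "Email Address"),
    ("Known URL Extensions", ["URL"], "URL"),
    ("Known URLs", ["Host"], "URL"),
    ("Member IPs", ["CIDR"], "Address"),
    ("Nameserver Clients", ["Host"], "Host"),
    ("Nameservers", ["Host"], "Host"),
    ("Parent Domain", ["Host"], "Host"),
    ("Registered Domains", ["Email Address"], "Host"),
    ("Resolved Domains", ["Address"], "Host"),
    ("Subdomains", ["Host"], "Host"),
    ("WHOIS Registrants", ["Host"], "Email Address"),
]

def pivots_from(indicator_type):
    """Relationship types Table 1 lists for a starting Indicator type."""
    return [(rel, dst) for rel, srcs, dst in TABLE_1 if indicator_type in srcs]

def shortest_pivot_chain(start, goal):
    """Breadth-first search for the fewest pivots from one Indicator type to another.

    Returns a list of (relationship, returned type) hops, [] if start == goal,
    or None if Table 1 offers no route (for example, nothing returns File).
    """
    queue, seen = deque([(start, [])]), {start}
    while queue:
        current, path = queue.popleft()
        if current == goal:
            return path
        for rel, dst in pivots_from(current):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(rel, dst)]))
    return None

if __name__ == "__main__":
    for rel, dst in shortest_pivot_chain("Email Address", "ASN"):
        print(f"--[{rel}]--> {dst}")
```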

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-13 v.01.A

