Pivoting With CAL in Threat Graph
  • 18 Sep 2024


Overview

The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between Indicators, Groups, Cases, and Tags. The Pivot with CAL option in Threat Graph, available for Indicators and Groups only, lets you explore Indicator and Group relationships that exist in CAL™.

Important
The Pivot with CAL option is not available for private Indicators.

Before You Start

User Roles

  • To pivot on CAL relationships for Indicators and Groups in an Organization in Threat Graph, your user account can have any Organization role.
  • To pivot on CAL relationships for Indicators and Groups in a Community or Source in Threat Graph, your user account can have any Community role except Banned for that Community or Source.

Prerequisites

  • To use the Pivot with CAL option in Threat Graph, turn on CAL for your ThreatConnect instance (you must be a System Administrator to perform this action).

Performing a Pivot

  1. Open Threat Graph.
  2. Select an Indicator or Group node on the graph. If no such node is on the graph, pivot in ThreatConnect to add one.
  3. Select Pivot with CAL in the node’s menu. If data exist in CAL for the Indicator or Group, the Pivot with CAL submenu will display a list of available CAL relationships you can pivot on and the number of related objects included in each relationship (Figure 1).

    Figure 1: Pivoting With CAL (7.7.0)

  4. Select an available CAL relationship to pivot on in the Pivot with CAL submenu. After you select a CAL relationship, the following items will be added to the graph:
    • One or more related nodes, each of which represents a related Indicator (if pivoting from an Indicator) or Group (if pivoting from a Group) in CAL. Each related node will have a node label that displays the corresponding object’s summary.
    • One or more gray arrows, each connecting a related node to the node from which you pivoted. Each gray arrow will have a label that displays the CAL relationship connecting the two nodes.

Figure 2 shows three pivots on CAL relationships in Threat Graph:

  • The first pivot is on the Uses Malware CAL relationship from the Fancy Bear Adversary Group. This pivot returns 17 Malware Groups that are related to Fancy Bear and adds them to the graph.
  • The second pivot is on the CIDR Ranges CAL relationship from the 71.6.135.131 Address Indicator. This pivot returns four CIDR Indicators that are related to 71.6.135.131 and adds them to the graph.
  • The third pivot is on the Member IPs CAL relationship from the 71.6.132.0/22 CIDR Indicator that was added to the graph via the second pivot. This pivot returns 45 Address Indicators that are related to 71.6.132.0/22 and adds them to the graph.

Figure 2: Pivoting With CAL (7.7.0)

Note
For more information about the different behaviors that may occur when using the Pivot with CAL option in Threat Graph, see the “Pivoting Behaviors” section.

Available CAL Relationships

Note
If a CAL relationship listed in Table 1 or Table 2 is not available in the Pivot with CAL submenu for an Indicator or Group, then there are no related objects in CAL for that relationship. For example, if you select Pivot with CAL for a Host Indicator, you may be able to pivot on the DNS Resolutions and Nameservers CAL relationships only. In this scenario, there are no related objects in CAL for the Known Email Addresses, Known URLs, Nameserver Clients, Parent Domain, Subdomains, and WHOIS Registrants CAL relationships.

Indicators

See Table 1 for a list of CAL relationships available in Threat Graph for Indicators.

Table 1: CAL relationships available for Indicators

| CAL Relationship Type | Starting Indicator Type(s)                                  | Object Type Returned from Pivot |
|-----------------------|-------------------------------------------------------------|---------------------------------|
| Base Host             | URL                                                         | Host Indicator                  |
| Base URL              | URL                                                         | URL Indicator                   |
| CIDR Ranges           | Address, ASN                                                | CIDR Indicator                  |
| DNS Resolutions       | Host                                                        | Address Indicator               |
| Email Host            | Email Address                                               | Host Indicator                  |
| Known ASNs            | CIDR                                                        | ASN Indicator                   |
| Known Email Addresses | Host                                                        | Email Address Indicator         |
| Known URL Extensions  | URL                                                         | URL Indicator                   |
| Known URLs            | Host                                                        | URL Indicator                   |
| Member IPs            | CIDR                                                        | Address Indicator               |
| Mentioned by Report   | Address, ASN, CIDR, Email Address, File, Host, URL          | Report Group                    |
| Nameserver Clients    | Host                                                        | Host Indicator                  |
| Nameservers           | Host                                                        | Host Indicator                  |
| Parent Domain         | Host                                                        | Host Indicator                  |
| Registered Domains    | Email Address                                               | Host Indicator                  |
| Resolved Domains      | Address                                                     | Host Indicator                  |
| Subdomains            | Host                                                        | Host Indicator                  |
| WHOIS Registrants     | Host                                                        | Email Address Indicator         |

Groups

See Table 2 for a list of CAL relationships available in Threat Graph for Groups.

Table 2: CAL relationships available for Groups

| CAL Relationship Type     | Starting Group Type(s)                                                                     | Group Type Returned from Pivot |
|---------------------------|--------------------------------------------------------------------------------------------|--------------------------------|
| Achieved By               | Tactic                                                                                     | Attack Pattern                 |
| Achieves Tactic           | Attack Pattern                                                                             | Tactic                         |
| Contains Subtechnique     | Attack Pattern                                                                             | Attack Pattern                 |
| Mentioned by Report       | Attack Pattern, Course of Action, Intrusion Set, Malware, Tactic, Tool, Vulnerability      | Report                         |
| Mentions Attack Pattern   | Report                                                                                     | Attack Pattern                 |
| Mentions Course of Action | Report                                                                                     | Course of Action               |
| Mentions Intrusion Set    | Report                                                                                     | Intrusion Set                  |
| Mentions Malware          | Report                                                                                     | Malware                        |
| Mentions Tactic           | Report                                                                                     | Tactic                         |
| Mentions Tool             | Report                                                                                     | Tool                           |
| Mentions Vulnerability    | Report                                                                                     | Vulnerability                  |
| Mitigated By              | Attack Pattern                                                                             | Course of Action               |
| Mitigates Attack Pattern  | Course of Action                                                                           | Attack Pattern                 |
| Revoked By                | Attack Pattern                                                                             | Attack Pattern                 |
| Revoked By                | Intrusion Set                                                                              | Intrusion Set                  |
| Revoked By                | Malware                                                                                    | Malware                        |
| Revokes                   | Attack Pattern                                                                             | Attack Pattern                 |
| Revokes                   | Intrusion Set                                                                              | Intrusion Set                  |
| Revokes                   | Malware                                                                                    | Malware                        |
| Subtechnique Of           | Attack Pattern                                                                             | Attack Pattern                 |
| Used by Intrusion Set     | Attack Pattern                                                                             | Intrusion Set                  |
| Used by Malware           | Attack Pattern                                                                             | Malware                        |
| Used by Tool              | Attack Pattern, Intrusion Set                                                              | Tool                           |
| Uses Attack Pattern       | Intrusion Set, Malware, Tool                                                               | Attack Pattern                 |
| Uses Malware              | Intrusion Set                                                                              | Malware                        |

Note
If a Group on the graph has the same summary as a Group that exists in CAL but is a different Group type, you can pivot on the CAL relationships available for the Group that exists in CAL. For example, if a node corresponding to a Fancy Bear Adversary Group is on the graph and a Fancy Bear Intrusion Set exists in CAL, you can pivot on CAL relationships available for Intrusion Sets when you select Pivot with CAL for the Fancy Bear Adversary Group.

Pivoting Behaviors

When using the Pivot with CAL option in Threat Graph, you may observe the following behaviors as you interact with and add nodes to the graph:

  • If a pivot returns more than 500 related objects, only the first 500 related nodes and their respective connections will be added to the graph.
  • If no CAL relationships exist for an Indicator or Group, the Pivot with CAL submenu will display a message stating so. Similarly, if an Indicator or Group does not exist in CAL, the Pivot with CAL submenu will display a message stating so.
  • If you pivot from one node to a second node and then pivot from the second node back to the first node, the arrow connecting the two nodes will change to a bidirectional arrow, and the arrow’s label will reflect the most recent CAL relationship type on which you pivoted. For example, in Figure 3, the first pivot is on the Uses Tool CAL relationship from the APT28 Intrusion Set Group. This pivot returns nine Tool Groups. The second pivot is on the Used by Intrusion Set CAL relationship from the KODIAC Tool Group that was added to the graph via the first pivot. This pivot returns four related objects, one of which is the APT28 Intrusion Set already on the graph. As a result, the arrow connecting the APT28 Intrusion Set Group to the KODIAC Tool Group changes to a bidirectional arrow to reflect the pivot from KODIAC back to APT28, and the connection label changes from Uses Tool to Used by Intrusion Set.
    Figure 3: Pivoting With CAL (7.7.0)
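The three behaviors above (the 500-node cap, the "not in CAL" submenu state, and the bidirectional arrow with its relabeling on a pivot back) can be modeled as a small merge routine over a graph. The following is an added illustrative model, not ThreatConnect's own code or API; CAL_STUB, the summaries in it and the ThreatGraph class are constructed for the example.

```python
# Illustrative model of the Threat Graph pivot behaviours described above.
# Added example, not ThreatConnect code; CAL_STUB is constructed sample data.
from dataclasses import dataclass

MAX_NODES_PER_PIVOT = 500  # only the first 500 related nodes are added
# Constructed stand-in for CAL: (summary, type) -> {relationship: [related]}
CAL_STUB = {
    ("APT28", "Intrusion Set"): {"Uses Tool": [("KODIAC", "Tool"), ("Tool B", "Tool")]},
    ("KODIAC", "Tool"): {"Used by Intrusion Set": [("APT28", "Intrusion Set"),
                                                   ("Other Set", "Intrusion Set")]},
    ("10.0.0.0/22", "CIDR"): {"Member IPs": [(f"10.0.{i // 256}.{i % 256}", "Address")
                                             for i in range(600)]},
}

@dataclass
class Arrow:
    src: tuple           # node pivoted from
    dst: tuple           # related node returned by the pivot
    label: str           # CAL relationship shown on the arrow
    bidirectional: bool = False

class ThreatGraph:
    def __init__(self):
        self.nodes = set()
        self.arrows = {}  # frozenset({a, b}) -> Arrow; one arrow per node pair

    def submenu(self, node):
        """Relationship -> related-object count, or None if node not in CAL."""
        rels = CAL_STUB.get(node)
        return None if rels is None else {r: len(v) for r, v in rels.items()}

    def pivot(self, node, relationship):
        """Apply one Pivot with CAL; returns (nodes linked, nodes newly added)."""
        if node not in self.nodes:
            raise ValueError("pivot source must already be on the graph")
        related = CAL_STUB.get(node, {}).get(relationship, [])[:MAX_NODES_PER_PIVOT]
        added = 0
        for other in related:
            if other not in self.nodes:
                self.nodes.add(other)
                added += 1
            key = frozenset((node, other))
            arrow = self.arrows.get(key)
            if arrow is None:
                self.arrows[key] = Arrow(node, other, relationship)
            elif arrow.src == other:  # pivoting back along an existing arrow:
                arrow.bidirectional = True  # arrow becomes bidirectional and
                arrow.label = relationship  # the label reflects the latest pivot
        return len(related), added
```

Pivoting APT28 → KODIAC and then KODIAC → APT28 leaves one arrow between them, now bidirectional and labeled Used by Intrusion Set, while the 600-member CIDR pivot adds only 500 Address nodes.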


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-13 v.02.A
