--- title: "Pivoting With CAL in Threat Graph" slug: "pivoting-with-cal-in-threat-graph" description: "This article describes how to pivot on Indicator and Group relationships that exist in CAL with the Pivot with CAL option in Threat Graph." tags: ["Viewing Data", "Connecting Data"] updated: 2024-09-18T15:25:11Z published: 2024-09-18T15:25:11Z canonical: "knowledge.threatconnect.com/pivoting-with-cal-in-threat-graph" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Pivoting With CAL in Threat Graph ## Overview The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between [Indicators](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicators), [Groups](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#groups), [Cases](https://knowledge.threatconnect.com/docs/workflow-cases), and [Tags](https://knowledge.threatconnect.com/docs/applying-tags). The **Pivot with CAL**option in Threat Graph, available for Indicators and Groups only, lets you explore Indicator and Group relationships that exist in [CAL](https://knowledge.threatconnect.com/v1/docs/threatassess-and-cal)™. ImportantThe **Pivot with CAL** option is not available for [private Indicators](https://knowledge.threatconnect.com/v1/docs/private-indicators). ## Before You Start ### User Roles - To pivot on CAL relationships for Indicators and Groups in an Organization in Threat Graph, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). - To pivot on CAL relationships for Indicators and Groups in a Community or Source in Threat Graph, your user account can have any [Community role](https://knowledge.threatconnect.com/docs/community-roles) except Banned for that Community or Source. ### Prerequisites - To use the **Pivot with CAL**option in Threat Graph, turn on CAL for your ThreatConnect instance (must be a System Administrator to perform this action). ## Performing a Pivot 1. [Open Threat Graph](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph). 2. Select an Indicator or Group node on the graph. If no such node is on the graph, [pivot in ThreatConnect](https://knowledge.threatconnect.com/docs/pivoting-with-cal-in-threat-graph) to add one. 3. Select **Pivot with CAL**in the [node’s menu](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph#threat-graph-node-menu-options). If data exist in CAL for the Indicator or Group, the **Pivot with CAL**submenu will display a list of available [CAL relationships](/docs/pivoting-with-cal-in-threat-graph#available-cal-relationships)****you can pivot on and the number of related objects included in each relationship (Figure 1). ![Figure 1_Pivoting With CAL_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Pivoting%20With%20CAL_7.7.0.png) 4. Select an [available CAL relationship](/docs/pivoting-with-cal-in-threat-graph#available-cal-relationships) to pivot on in the **Pivot with CAL**submenu. After you select a CAL relationship, the following items will be added to the graph: - One or more related nodes, each of which represents a related Indicator (if pivoting from an Indicator) or Group (if pivoting from a Group) in CAL. Each related node will have a node label****that displays the corresponding object’s summary. - One or more gray arrows, each connecting a related node to the node from which you pivoted. Each gray arrow will have a label that displays the CAL relationship connecting the two nodes. Figure 2 shows three pivots on CAL relationships in Threat Graph: - The first pivot is on the **Uses Malware**CAL relationship from the **Fancy Bear**Adversary Group. This pivot returns 17 Malware Groups that are related to **Fancy Bear**and adds them to the graph. - The second pivot is on the **CIDR Ranges**CAL relationship from the **71.6.135.131**Address Indicator. This pivot returns four CIDR Indicators that are related to **71.6.135.131**and adds them to the graph. - The third pivot is on the **Member IPs**CAL relationship from the **71.6.132.0/22**CIDR Indicator that was added to the graph via the second pivot. This pivot returns 45 Address Indicators that are related to **71.6.132.0/22**and adds them to the graph. ![Figure 2_Pivoting With CAL_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Pivoting%20With%20CAL_7.7.0.gif) NoteFor more information about the different behaviors that may occur when using the **Pivot With CAL**option in Threat Graph, see the [“Pivoting Behaviors”](/docs/pivoting-with-cal-in-threat-graph#pivoting-behaviors) section. ## Available CAL Relationships NoteIf a CAL relationship listed in Table 1 or Table 2 is not available in the **Pivot with CAL**submenu for an Indicator or Group, then there are no related objects in CAL for that relationship. For example, if you select **Pivot with CAL** for a Host Indicator, you may be able to pivot on the **DNS Resolutions** and **Nameservers** CAL relationships only. In this scenario, there are no related objects in CAL for the **Known Email Addresses**, **Known URLs**, **Nameserver Clients**, **Parent Domain**, **Subdomains**, and **WHOIS Registrants** CAL relationships. ### Indicators See Table 1 for a list of CAL relationships available in Threat Graph for Indicators. | CAL Relationship Type | Starting Indicator Type(s) | Object Type Returned from Pivot | | --- | --- | --- | | Base Host | URL | Host Indicator | | Base URL | URL | URL Indicator | | CIDR Ranges | Address, ASN | CIDR Indicator | | DNS Resolutions | Host | Address | | Email Host | Email Address | Host Indicator | | Known ASNs | CIDR | ASN Indicator | | Known Email Addresses | Host | Email Address Indicator | | Known URL Extensions | URL | URL Indicator | | Known URLs | Host | URL Indicator | | Member IPs | CIDR | Address Indicator | | Mentioned by Report | Address, ASN, CIDR, Email Address, File, Host, URL | Report Group | | Nameserver Clients | Host | Host Indicator | | Nameservers | Host | Host Indicator | | Parent Domain | Host | Host Indicator | | Registered Domains | Email Address | Host Indicator | | Resolved Domains | Address | Host Indicator | | Subdomains | Host | Host Indicator | | WHOIS Registrants | Host | Email Address Indicator | ### Groups See Table 2 for a list of CAL relationships available in Threat Graph for Groups. | CAL Relationship Type | Starting Group Type(s) | Group Type Returned from Pivot | | --- | --- | --- | | Achieved By | Tactic | Attack Pattern | | Achieves Tactic | Attack Pattern | Tactic | | Contains Subtechnique | Attack Pattern | Attack Pattern | | Mentioned by Report | Attack Pattern, Course of Action, Intrusion Set, Malware, Tactic, Tool, Vulnerability | Report | | Mentions Attack Pattern | Report | Attack Pattern | | Mentions Course of Action | Report | Course of Action | | Mentions Intrusion Set | Report | Intrusion Set | | Mentions Malware | Report | Malware | | Mentions Tactic | Report | Tactic | | Mentions Tool | Report | Tool | | Mentions Vulnerability | Report | Vulnerability | | Mitigated By | Attack Pattern | Course of Action | | Mitigates Attack Pattern | Course of Action | Attack Pattern | | Revoked By | Attack Pattern | Attack Pattern | | Intrusion Set | Intrusion Set | | Malware | Malware | | Revokes | Attack Pattern | Attack Pattern | | Intrusion Set | Intrusion Set | | Malware | Malware | | Subtechnique Of | Attack Pattern | Attack Pattern | | Used by Intrusion Set | Attack Pattern | Intrusion Set | | Used by Malware | Attack Pattern | Malware | | Used by Tool | Attack Pattern, Intrusion Set | Tool | | Uses Attack Pattern | Intrusion Set, Malware, Tool | Attack Pattern | | Uses Malware | Intrusion Set | Malware | NoteIf a Group on the graph has the same summary as a Group that exists in CAL but is a different Group type, you can pivot on the CAL relationships available for the Group that exists in CAL. For example, if a node corresponding to a **Fancy Bear** Adversary Group is on the graph and a **Fancy Bear** Intrusion Set exists in CAL, you can pivot on CAL relationships available for Intrusion Sets when you select **Pivot with CAL** for the **Fancy Bear** Adversary Group. ## Pivoting Behaviors When using the **Pivot with CAL**option in Threat Graph, you may observe the following behaviors as you interact with and add nodes to the graph: - If a pivot returns more than 500 related objects, only the first 500 related nodes and their respective connections will be added to the graph. - If no CAL relationships exist for an Indicator or Group, the **Pivot with CAL**submenu will display a message stating so. Similarly, if an Indicator or Group does not exist in CAL, the **Pivot with CAL** submenu will display a message stating so. - If you pivot from one node to a second node and then pivot from the second node back to the first node, the arrow connecting the two nodes will change to a bidirectional arrow, and the arrow’s label will reflect the most recent CAL relationship type on which you pivoted. For example, in Figure 3, the first pivot is on the **Uses Tool**CAL relationship from the **APT28** Intrusion Set Group. This pivot returns nine Tool Groups. The second pivot is on the **Uses by Intrusion Set**CAL relationship from the **KODIAC** Tool Group that was added to the graph via the first pivot. This pivot returns four related objects, one of which is the **APT28**Intrusion Set already on the graph. As a result, the arrow connecting the **APT28** Intrusion Set Group to the **KODIAC**Tool Group changes to a bidirectional arrow to reflect the pivot from **KODIAC** back to the **APT28**, and the connection label****changes from **Uses Tool**to **Used by Intrusion Set**. ![Figure 3_Pivoting With CAL_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Pivoting%20With%20CAL_7.7.0.gif) --- *ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.* 20117-13 v.02.A