CAL 3.9 Release Notes
  • 14 Mar 2025


New Features

Polarity ThreatConnect CAL Integration

The Polarity ThreatConnect® CAL™ integration is now available to Polarity users. It brings automated intelligence to the point of decision and to analysts’ investigations by providing access to CAL’s global intelligence engine, with 267+ billion data points and visibility into 2.2+ billion Indicators worldwide!

What’s New?

  • The Polarity ThreatConnect CAL integration is now available for both ThreatConnect and Polarity customers to access the same useful CAL data in a brand-new way!
  • CAL community analytics are growing to include both the ThreatConnect and Polarity user base, enabling CAL to provide more analytics about actively investigated and seen Indicators than ever before!

Supported Indicator Types

  • Address
  • Email Address
  • File
  • Host
  • URL

CAL Indicator Analytics

  • CAL reputation score with 14 impact factors
  • Indicator Status
  • 350K+ of the following daily:
    • Community impressions based on engagement
    • Community observations in actual networks
    • Community false-positive reports

CAL Indicator Enrichments

  • Indicator visibility in 52 active OSINT feeds and all historical feeds
  • Additional OSINT feed enrichment information, including tags, malware families, file information, and more
  • SHA1, SHA256, and MD5 file hash information
  • 103 CAL Classifiers
  • Suspected DGA detection
  • Quad9® observed and attempted resolutions
  • Information from known good sources or CAL Safelist
  • IP owner, region, and service

Updated Features

CAL Safelist

In this release, we’ve expanded the CAL Safelist to include trusted domains such as cybersecuritynews.com, ubuntu.com, redhat.com, and others. These additions help reduce false positives by ensuring that Indicators from these sources are automatically flagged as benign, streamlining workflows across ThreatConnect and Polarity. This update enhances the accuracy of your threat intelligence, allowing you to focus on real threats, while providing contextual insights and minimizing unnecessary noise in document analysis, Indicator queries, and automated workflows.

NAICS Industry Classification in the CAL Automated Threat Library Source

In this release, we’ve updated CAL’s North American Industry Classification System (NAICS) AI model to reduce variability in its outputs, providing more consistent and reliable classifications. This improvement enhances the accuracy of how CAL identifies industries, ensuring that the tagging of content using NAICS codes is more precise. For users, this means a more stable and predictable classification of industry-related data, leading to better filtering and organization of intelligence. With this reduced output variability, you can trust the classifications you rely on for decision making, which ultimately improves the efficiency of your workflows, reduces the need for manual adjustments, and enhances the overall quality of intelligence insights.

ATL Source - Google Threat Analysis Group

What is changing?

In this release, the Google Threat Analysis Group blog content in the CAL Automated Threat Library (ATL) Source is accessed via a link to the original site in the body of the Report object instead of being delivered directly. This format preserves content creators' rights while maintaining access to essential information. All other ATL features, including AI-generated summaries, MITRE ATT&CK® tags, NAICS tags, and other contextual information, remain unchanged.

Why is this changing?

This update ensures compliance with copyright and data ownership requirements while continuing to provide valuable threat intelligence. This change aligns with evolving concerns regarding copyright, data ownership, and the ethical use of AI, ensuring that content creators’ intellectual property is respected while maintaining the integrity of the threat intelligence provided.

Will there be more changes?

This shift in how content is accessed is part of a broader change affecting multiple sources in the CAL ATL. You can expect similar updates for some other sources in future releases, as these changes enable us to respect data ownership without compromising the quality of intelligence. If this change impacts your workflow, please reach out to your Customer Success Manager so that we can assess future changes to this feature.

Improvements

  • Tool tips were updated to reflect that CAL community analytics include both the Polarity and ThreatConnect user bases. 
  • Service to the open source Haley SSH Bruteforce IPs feed was restored after downtime caused by the owner restricting access and requesting re-verification due to feed abuse.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
Quad9® is a registered trademark of Quad9 Foundation.

