CAL Doc Analysis Service
  • 23 May 2025

Overview

The CAL™ Doc Analysis Service is an innovative, automated behind-the-scenes service that powers ThreatConnect® features to extract essential insights from natural-language sources, including reports, blogs, emails, and more. This service efficiently converts and classifies information into machine-readable formats that map to information models like MITRE ATT&CK®, the North American Industry Classification System (NAICS), the National Vulnerability Database (NVD), and more, enhancing capabilities within ThreatConnect and streamlining automation.

Before You Start

User Roles

  • To use a feature supported by the CAL Doc Analysis Service, your user account must have the roles required for the feature.

Prerequisites

  • To use a feature supported by the CAL Doc Analysis Service, the prerequisites for the feature must be met.

What ThreatConnect Features Leverage the CAL Doc Analysis Service?

The following ThreatConnect features leverage the CAL Doc Analysis Service:

Table 1 describes each functionality provided by the CAL Doc Analysis Service and shows which ThreatConnect features leverage that functionality.


ThreatConnect Feature: Doc Analysis Import; ThreatConnect Intelligence Anywhere Browser Extension; ThreatConnect Doc Analysis Playbook App; CAL Automated Threat Library Source

| CAL Doc Analysis Service Feature | Description |
| --- | --- |
| Alias Extraction | Extracts explicit MITRE ATT&CK Enterprise techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as Common Vulnerabilities and Exposures (CVEs), from the provided content. |
| IOC Extraction | Extracts explicit indicators within the content, including addresses, email addresses, file hashes (MD5, SHA1, and SHA256), Hosts, URLs, ASNs, and CIDRs. |
| MITRE ATT&CK AI Classification | Classifies CAL ATL Report text identified as MITRE ATT&CK techniques and sub-techniques. |
| CAL ATL Report AI Summarization | Uses an artificial intelligence (AI) large language model (LLM) to summarize reports into 200-word summaries and three to five bullet points. |
| NAICS AI Industry Classification | Uses CAL ATL industry classification to categorize subsector-related industries and their corresponding sectors based on the North American Industry Classification System (NAICS) framework. |
| AI Exploited-Vulnerability Analyzer | Examines CAL ATL Reports for specific qualities to determine whether the content is likely about a zero-day or exploited vulnerability and, if so, to add a vulnerability-specific Tag and customize the AI summary for key vulnerability-focused details. |

Frequently Asked Questions

Can I use the CAL Doc Analysis Service features if CAL is not enabled on my ThreatConnect instance? 

Yes, you can leverage the CAL Doc Analysis Service features even if CAL is not enabled on your ThreatConnect instance. The CAL Doc Analysis Service is a data processing service, which is different from the CAL Indicator enrichment features provided when the CALEnabled system setting is turned on.

What Indicator types does the CAL Doc Analysis Service extract?

The CAL Doc Analysis Service extracts the following Indicator types: Addresses, Email Address, File (MD5, SHA1, and SHA256), Host, URL, ASN, and CIDR.

Why were no Indicators returned when I tried to extract Indicators using one of the features supported by the CAL Doc Analysis Service?

The CAL Doc Analysis Service applies the following rules to extracted Indicators to reduce “noise” from invalid and benign results:

Is there a limit to the number of times I can use the CAL Doc Analysis Service in ThreatConnect features?

The ThreatConnect Doc Analysis Service has an initial limit of 1000 API calls per day per instance for all features. This default limit may be adjusted in the future based on customer feedback and specific use cases. Please reach out to your Customer Success Manager if you need additional API calls.

What information does ThreatConnect store about customer data processed via CAL Doc Analysis Service features?

ThreatConnect employs a “purpose-driven data usage” approach with CAL Doc Analysis Service features:

  • Any data processed by CAL Doc Analysis Service features are strictly tied to the task at hand and are not retained for longer than necessary.
  • User-submitted content processed by CAL Doc Analysis Service features is not stored outside of your ThreatConnect instance. 
  • Requests from CAL Doc Analysis Service features are used only to generate the results returned to you by the feature.

ThreatConnect collects only essential data from CAL Doc Analysis Service features:

  • The CAL Doc Analysis Service gathers only anonymous data that directly support the functionality and performance of the service and the features that use it, ensuring that nothing extra is taken from you.
  • ThreatConnect uses anonymous instance information from CAL Doc Analysis Service features to ensure that the service can scale and meet customer demand.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20174-01 v.01.A

