CAL Doc Analysis Service
- Updated on 23 May 2025
Overview
The CAL™ Doc Analysis Service is an innovative, automated behind-the-scenes service that powers ThreatConnect® features to extract essential insights from natural-language sources, including reports, blogs, emails, and more. This service efficiently converts and classifies information into machine-readable formats that map to information models like MITRE ATT&CK®, the North American Industry Classification System (NAICS), the National Vulnerability Database (NVD), and more, enhancing capabilities within ThreatConnect and streamlining automation.
Before You Start
User Roles
- To use a feature supported by the CAL Doc Analysis Service, your user account must have the roles required for the feature.
Prerequisites
- To use a feature supported by the CAL Doc Analysis Service, the prerequisites for the feature must be met.
What ThreatConnect Features Leverage the CAL Doc Analysis Service?
The following ThreatConnect features leverage the CAL Doc Analysis Service:
- Doc Analysis Import
- ThreatConnect Intelligence Anywhere browser extension
- ThreatConnect Doc Analysis Playbook App
- CAL Automated Threat Library (ATL) Source
Table 1 describes each functionality provided by the CAL Doc Analysis Service and shows which ThreatConnect features leverage that functionality.
CAL Doc Analysis Service Feature | Description | Doc Analysis Import | ThreatConnect Intelligence Anywhere Browser Extension | ThreatConnect Doc Analysis Playbook App | CAL Automated Threat Library Source
---|---|---|---|---|---
Alias Extraction | Extracts explicit MITRE ATT&CK Enterprise techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as Common Vulnerabilities and Exposures (CVEs), from the provided content. | ✔ | ✔ | ✔ | ✔
IOC Extraction | Extracts explicit indicators within the content, including addresses, email addresses, file hashes (MD5, SHA1, and SHA256), Hosts, URLs, ASNs, and CIDRs. | ✔ | ✔ | ✔ | ✔
MITRE ATT&CK AI Classification | Classifies CAL ATL Report text identified as MITRE ATT&CK techniques and sub-techniques. | ✔ | ✔ | ✔ | ✔
CAL ATL Report AI Summarization | Uses an artificial intelligence (AI) large language model (LLM) to summarize reports into 200-word summaries and three to five bullet points. | ✔ | ✔ | |
NAICS AI Industry Classification | Uses CAL ATL industry classification to categorize subsector-related industries and their corresponding sectors based on the North American Industry Classification System (NAICS) framework. | ✔ | ✔ | |
AI Exploited-Vulnerability Analyzer | Examines CAL ATL Reports for specific qualities to determine whether the content is likely about a zero-day or exploited vulnerability and, if so, to add a vulnerability-specific Tag and customize the AI summary for key vulnerability-focused details. | ✔ | | |
Frequently Asked Questions
Can I use the CAL Doc Analysis Service features if CAL is not enabled on my ThreatConnect instance?
Yes, you can leverage the CAL Doc Analysis Service features even if CAL is not enabled on your ThreatConnect instance. The CAL Doc Analysis Service is a data processing service, which is different from the CAL Indicator enrichment features provided when the CALEnabled system setting is turned on.
What Indicator types does the CAL Doc Analysis Service extract?
The CAL Doc Analysis Service extracts the following Indicator types: Addresses, Email Address, File (MD5, SHA1, and SHA256), Host, URL, ASN, and CIDR.
Why were no Indicators returned when I tried to extract Indicators using one of the features supported by the CAL Doc Analysis Service?
The CAL Doc Analysis Service applies the following rules to extracted Indicators to reduce “noise” from invalid and benign results:
- Only Hosts, URLs, and Email Addresses with valid top-level domains (TLDs) from the Internet Assigned Numbers Authority (IANA) are included.
- Indicators that are on the CAL Safelist (that is, Indicators labeled with the Status.Safelist CAL Classifier) are excluded.
- When processing information from Report Groups in the CAL Automated Threat Library Source, Indicators with a CAL score of less than 150 that do not have the Topic: Zero Day Tag are excluded from the results.
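The three exclusion rules above, implemented over constructed data as an added illustration (this is not ThreatConnect's code). The TLD set, the safelist, the score threshold's input data and the sample text are small stand-ins for the IANA root-zone list, the CAL Safelist and real report content.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins: a tiny subset of the IANA TLD list and of the CAL Safelist
# (Indicators carrying the Status.Safelist CAL Classifier).
VALID_TLDS = {"com", "net", "org", "io"}
SAFELIST = {"google.com", "microsoft.com"}
MIN_ATL_SCORE = 150            # CAL score threshold for ATL Report Group Indicators
ZERO_DAY_TAG = "Topic: Zero Day"

EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

@dataclass(frozen=True)
class Indicator:
    type: str                  # "Host" or "EmailAddress"
    value: str
    cal_score: int = 0         # only meaningful for Indicators coming from CAL ATL
    tags: frozenset = frozenset()

def extract_candidates(text):
    """Pull Host and Email Address candidates out of free text, with no filtering yet."""
    found = [Indicator("EmailAddress", m.group(0).lower()) for m in EMAIL_RE.finditer(text)]
    # Blank out e-mail addresses first so their mailbox domains are not re-counted as Hosts.
    found += [Indicator("Host", m.group(0).lower())
              for m in HOST_RE.finditer(EMAIL_RE.sub(" ", text))]
    return found

def has_valid_tld(value):
    return value.rsplit(".", 1)[-1].lower() in VALID_TLDS

def apply_noise_rules(indicators, from_atl_report=False):
    """Keep only Indicators that survive the three FAQ rules."""
    kept = []
    for ind in indicators:
        if not has_valid_tld(ind.value):       # rule 1: TLD must be an IANA TLD
            continue
        if ind.value in SAFELIST:              # rule 2: CAL Safelist entries are dropped
            continue
        if from_atl_report and ind.cal_score < MIN_ATL_SCORE and ZERO_DAY_TAG not in ind.tags:
            continue                           # rule 3: low-score ATL Indicators need the Zero Day Tag
        kept.append(ind)
    return kept

# Constructed sample text: a plausible C2 host, a filename that looks like a host,
# a safelisted domain and an e-mail address.
SAMPLE_TEXT = ("The loader beaconed to update-check.evil-cdn.net after dropping report.txt; "
               "victims were lured via ops@malicious-mail.io and a link to google.com.")

def extract_and_filter(text=SAMPLE_TEXT):
    return [i.value for i in apply_noise_rules(extract_candidates(text))]
```

Running `extract_and_filter()` drops `report.txt` (no IANA TLD) and `google.com` (safelisted), keeping the e-mail address and the host; passing `from_atl_report=True` with scored Indicators additionally removes anything scored below 150 that lacks the Topic: Zero Day Tag.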
Is there a limit to the number of times I can use the CAL Doc Analysis Service in ThreatConnect features?
The ThreatConnect Doc Analysis Service has an initial limit of 1000 API calls per day per instance for all features. This default limit may be adjusted in the future based on customer feedback and specific use cases. Please reach out to your Customer Success Manager if you need additional API calls.
What information does ThreatConnect store about customer data processed via CAL Doc Analysis Service features?
ThreatConnect employs a “purpose-driven data usage” approach with CAL Doc Analysis Service features:
- Any data processed by CAL Doc Analysis Service features are strictly tied to the task at hand and are not retained for longer than necessary.
- User-submitted content processed by CAL Doc Analysis Service features is not stored outside of your ThreatConnect instance.
- Requests from CAL Doc Analysis Service features are used only to generate the results returned to you by the feature.
ThreatConnect collects only essential data from CAL Doc Analysis Service features:
- The CAL Doc Analysis Service gathers only anonymous data that directly support the functionality and performance of the service and the features that use it, ensuring that nothing extra is taken from you.
- ThreatConnect uses anonymous instance information from CAL Doc Analysis Service features to ensure that the service can scale and meet customer demand.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20174-01 v.01.A