Overview
The CAL™ Doc Analysis Service is an innovative, automated behind-the-scenes service that powers ThreatConnect® features to extract essential insights from natural-language sources, including reports, blogs, emails, and more. This service efficiently converts and classifies information into machine-readable formats that map to information models like MITRE ATLAS™, MITRE ATT&CK®, the North American Industry Classification System (NAICS), the National Vulnerability Database (NVD), and more, enhancing capabilities within ThreatConnect and streamlining automation.
Before You Start
User Roles
- To use a feature supported by the CAL Doc Analysis Service, your user account must have the roles required for the feature.
Prerequisites
- To use a functionality powered by the CAL Doc Analysis Service, the CALServices system setting must be configured to the level required for that functionality (you must be a System Administrator to configure this setting). The required level for each functionality is listed in Table 1.
- To use a feature supported by the CAL Doc Analysis Service, the prerequisites for the feature must be met.
What ThreatConnect Features Leverage the CAL Doc Analysis Service?
The following ThreatConnect features leverage the CAL Doc Analysis Service:
- Document Parsing Import
- ThreatConnect Intelligence Anywhere browser extension
- ThreatConnect Doc Analysis playbook app
- CAL Automated Threat Library (ATL) Source
Table 1 describes each functionality provided by the CAL Doc Analysis Service, identifies the ThreatConnect features that leverage the functionality, and provides the CALServices system setting level required for the functionality.
| CAL Doc Analysis Service Feature | Description | CALServices Level¹ | ThreatConnect Feature: Document Parsing Import | ThreatConnect Feature: ThreatConnect Intelligence Anywhere Browser Extension | ThreatConnect Feature: ThreatConnect Doc Analysis Playbook App | ThreatConnect Feature: CAL Automated Threat Library Source |
|---|---|---|---|---|---|---|
| Alias Extraction | Extracts explicit MITRE ATLAS techniques and tactics and MITRE ATT&CK Enterprise techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as Common Vulnerabilities and Exposures (CVEs), from the provided content. | CAL Data Processing | ✔ | ✔ | ✔ | ✔ |
| IOC Extraction | Extracts explicit indicators within the content, including addresses, email addresses, file hashes (MD5, SHA1, and SHA256), hosts, URLs, ASNs, and CIDRs. | CAL Data Processing | ✔ | ✔ | ✔ | ✔ |
| MITRE ATT&CK AI Classification | Classifies text identified as MITRE ATT&CK Enterprise techniques and sub-techniques. | CAL AI Processing | ✔ | ✔ | ✔ | ✔ |
| CAL ATL Report AI Summarization | Uses an artificial intelligence (AI) large language model (LLM) to summarize reports into 200-word summaries and three to five bullet points. | Available at all levels, including Disable CAL CAL Services | ✔ | ✔ | | |
| NAICS AI Industry Classification | Categorizes subsector-related industries and their corresponding sectors based on the North American Industry Classification System (NAICS) framework. | CAL AI Processing | ✔ | ✔ | | |
| AI Exploited-Vulnerability Analyzer | Examines CAL ATL Reports for specific qualities to determine whether the content is likely about a zero-day or exploited vulnerability and, if so, to add a vulnerability-specific Tag and customize the AI summary for key vulnerability-focused details. | CAL AI Processing | ✔ | | | |
| Automated Detection-Signature Extraction | Identifies, extracts, and enriches detection signatures from cybersecurity blogs and reports. | CAL AI Processing | ✔ | | | |
¹ This setting does not apply to services accessed via playbooks.
Frequently Asked Questions
Can I use the CAL Doc Analysis Service functionalities without enabling CAL Indicator enrichment on my ThreatConnect instance?
Yes. On instances running ThreatConnect version 8.0.0 or later, the CALServices system setting determines the CAL Doc Analysis Service functionalities that are provided to the instance (see the “CALServices Level” column of Table 1), and the CALIndicatorEnrichment system setting determines whether CAL Indicator enrichment features are enabled.
What Indicator types does the CAL Doc Analysis Service extract?
The CAL Doc Analysis Service extracts the following Indicator types: Address, Email Address, File (MD5, SHA1, and SHA256), Host, URL, ASN, and CIDR.
Why were no Indicators returned when I tried to extract Indicators using one of the features supported by the CAL Doc Analysis Service?
The CAL Doc Analysis Service applies the following rules to extracted Indicators to reduce “noise” from invalid and benign results:
- Only Hosts, URLs, and Email Addresses with valid top-level domains (TLDs) from the Internet Assigned Numbers Authority (IANA) are included.
- Indicators that are on the CAL Safelist (that is, Indicators labeled with the Status.Safelist CAL Classifier) are excluded.
- When processing information from Report Groups in the CAL Automated Threat Library Source, Indicators with a CAL Global Threat Score of less than 150 that do not have the Topic: Zero Day Tag are excluded from the results.
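The three noise-reduction rules above can be modelled as a post-extraction filter. The following is an added example written for this article, not ThreatConnect or CAL code: it extracts candidate Indicators from a constructed report snippet with simplified regular expressions, attaches constructed stand-ins for CAL Global Threat Scores, CAL Classifiers and Tags (the real values come from CAL), and then applies the TLD, Safelist and (for ATL Report Groups) score/Zero Day rules. The `IANA_TLDS` set is a small constructed subset of the IANA list, and the assumption that an Indicator with no CAL score counts as below the 150 threshold is the author's, not the page's.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the IANA TLD list. The real list is published at
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt and must be refreshed.
IANA_TLDS = {"com", "net", "org", "io", "ru", "xyz"}

ATL_MIN_SCORE = 150                     # CAL Global Threat Score threshold from the FAQ
ZERO_DAY_TAG = "Topic: Zero Day"
SAFELIST_CLASSIFIER = "Status.Safelist"

# Constructed stand-in for CAL enrichment data keyed by Indicator value.
# In ThreatConnect these values come from CAL; none of these are real IoCs.
CAL_DATA = {
    "http://update.evil-cdn.xyz/api": {"score": 612},
    "ops@mail.evil-cdn.xyz": {"score": 420},
    "cdn.example.com": {"score": 0, "classifiers": {SAFELIST_CLASSIFIER}},
    "0123456789abcdef0123456789abcdef": {"score": 40},
    "exploit-kit.ru": {"score": 90, "tags": {ZERO_DAY_TAG}},
}

# Constructed report text used as sample input.
REPORT = """The loader beaconed to http://update.evil-cdn.xyz/api and staged payloads on
cdn.example.com; the operators' mailbox was ops@mail.evil-cdn.xyz. Sample MD5:
0123456789abcdef0123456789abcdef. Lateral movement targeted payload.internal.corp
and files.sharepoint.local, and the zero-day exploit was served from exploit-kit.ru."""


@dataclass
class Indicator:
    type: str                           # Address, Email Address, File, Host, URL, ASN, CIDR
    value: str
    cal_score: Optional[int] = None     # CAL Global Threat Score, None if CAL has no record
    classifiers: set = field(default_factory=set)
    tags: set = field(default_factory=set)


# Simplified extraction patterns (Address, ASN and CIDR omitted for brevity).
# Each pattern is applied in order and its matches blanked out, so a URL is not
# re-reported as the Host it contains.
PATTERNS = [
    ("URL", re.compile(r"https?://[^\s<>]+")),
    ("Email Address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("File", re.compile(r"\b[a-f0-9]{32}\b", re.I)),            # MD5 only
    ("Host", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_candidates(text):
    """Return raw Indicator candidates in the order the patterns find them."""
    found, remaining = [], text
    for itype, pattern in PATTERNS:
        found.extend(Indicator(itype, m) for m in pattern.findall(remaining))
        remaining = pattern.sub(" ", remaining)
    return found


def enrich(indicators):
    """Attach the (constructed) CAL score, classifiers and tags to each candidate."""
    for ind in indicators:
        data = CAL_DATA.get(ind.value, {})
        ind.cal_score = data.get("score")
        ind.classifiers = set(data.get("classifiers", ()))
        ind.tags = set(data.get("tags", ()))
    return indicators


def domain_of(ind):
    """Domain the TLD rule applies to, or None for types it does not cover."""
    if ind.type == "Host":
        return ind.value
    if ind.type == "Email Address":
        return ind.value.rsplit("@", 1)[-1]
    if ind.type == "URL":
        return urlsplit(ind.value).hostname or ""
    return None


def has_valid_tld(ind):
    domain = domain_of(ind)
    if domain is None:                  # rule 1 only covers Hosts, URLs and Email Addresses
        return True
    return domain.rstrip(".").rsplit(".", 1)[-1].lower() in IANA_TLDS


def is_safelisted(ind):
    return SAFELIST_CLASSIFIER in ind.classifiers


def meets_atl_threshold(ind):
    """Rule 3: keep if tagged Zero Day, else require a score of 150 or more.
    Assumption: an Indicator with no CAL score is treated as below the threshold."""
    if ZERO_DAY_TAG in ind.tags:
        return True
    return ind.cal_score is not None and ind.cal_score >= ATL_MIN_SCORE


def analyze(text, atl_report=False):
    """Extract, enrich and filter; returns the Indicators that survive the rules."""
    kept = []
    for ind in enrich(extract_candidates(text)):
        if not has_valid_tld(ind) or is_safelisted(ind):
            continue
        if atl_report and not meets_atl_threshold(ind):
            continue
        kept.append(ind)
    return kept


if __name__ == "__main__":
    for mode in (False, True):
        print("ATL Report Group" if mode else "Default", [i.value for i in analyze(REPORT, mode)])
```

Running the block shows why an analyst may see fewer Indicators than the text seems to contain: `payload.internal.corp` and `files.sharepoint.local` fail the IANA TLD check, `cdn.example.com` is dropped by the Safelist classifier, and in ATL Report Group mode the low-scoring file hash is dropped while `exploit-kit.ru` survives only because of its Zero Day Tag.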
Is there a limit to the number of times I can use the CAL Doc Analysis Service in ThreatConnect features?
The ThreatConnect Doc Analysis Service has an initial limit of 1000 API calls per day per instance for all features. This default limit may be adjusted in the future based on customer feedback and specific use cases. Please reach out to your Customer Success Manager if you need additional API calls.
What information does ThreatConnect store about customer data processed via CAL Doc Analysis Service features?
ThreatConnect employs a “purpose-driven data usage” approach with CAL Doc Analysis Service features:
- Any data processed by CAL Doc Analysis Service features are strictly tied to the task at hand and are not retained for longer than necessary.
- User-submitted content processed by CAL Doc Analysis Service features is not stored outside of your ThreatConnect instance.
- Requests from CAL Doc Analysis Service features are used only to generate the results returned to you by the feature.
ThreatConnect collects only essential data from CAL Doc Analysis Service features:
- The CAL Doc Analysis Service gathers only anonymous data that directly support the functionality and performance of the service and the features that use it, ensuring that nothing extra is taken from you.
- ThreatConnect uses anonymous instance information from CAL Doc Analysis Service features to ensure that the service can scale and meet customer demand.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
CVE®, MITRE ATT&CK®, and ATT&CK® are registered trademarks, and MITRE ATLAS™ is a trademark, of The MITRE Corporation.
20174-01 v.04.A