--- title: "CAL Doc Analysis Service | ThreatConnect" slug: "cal-doc-analysis-service" description: "This article describes the features of the CAL Doc Analysis Service, where they exist in the ThreatConnect platform, and how they handle data." tags: ["Analytical Tools"] updated: 2026-06-11T16:44:19Z published: 2026-06-11T16:44:19Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # CAL Doc Analysis Service ## Overview The CAL™ Doc Analysis Service is an innovative, automated behind-the-scenes service that powers ThreatConnect® features to extract essential insights from natural-language sources, including reports, blogs, emails, and more. This service efficiently converts and classifies information into machine-readable formats that map to information models like [MITRE ATLAS™](https://atlas.mitre.org/matrices/ATLAS), [MITRE ATT&CK®](https://attack.mitre.org/), the [North American Industry Classification System (NAICS)](https://www.census.gov/naics/), the [National Vulnerability Database (NVD)](https://nvd.nist.gov/), and more, enhancing capabilities within ThreatConnect and streamlining automation. ## Before You Start ### User Roles - To use a feature supported by the CAL Doc Analysis Service, your user account must have the roles required for the feature. ### Prerequisites - To use a functionality powered by the CAL Doc Analysis Service, the **CALServices** system setting must be configured to the required level for the functionality (must be a System Administrator to perform this action). This information is provided in Table 1. - To use a feature supported by the CAL Doc Analysis Service, the prerequisites for the feature must be met. ## What ThreatConnect Features Leverage the CAL Doc Analysis Service? The following ThreatConnect features leverage the CAL Doc Analysis Service: - [Document Parsing Import](https://knowledge.threatconnect.com/docs/document-parsing-import) - [ThreatConnect Intelligence Anywhere browser extension](https://knowledge.threatconnect.com/docs/threatconnect-intelligence-anywhere-overview) - [**ThreatConnect Doc Analysis** playbook app](https://threatconnect.readme.io/docs/threatconnect-doc-analysis-playbook) - [**CAL Automated Threat Library** (ATL) Source](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl) Table 1 describes each functionality provided by the CAL Doc Analysis Service, identifies the ThreatConnect features which leverage the functionality, and provides the **CALServices** system setting’s required level for the functionality. | | ThreatConnect Feature | | --- | --- | | CAL Doc Analysis Service Feature | Description | CALServices Level1 | [Document Parsing Import](https://knowledge.threatconnect.com/docs/document-parsing-import) | [ThreatConnect Intelligence Anywhere Browser Extension](https://knowledge.threatconnect.com/docs/threatconnect-intelligence-anywhere-overview) | [ThreatConnect Doc Analysis Playbook App](https://threatconnect.readme.io/docs/threatconnect-doc-analysis-playbook) | [CAL Automated Threat Library Source](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl) | | Alias Extraction | Extracts explicit [MITRE ATLAS](https://atlas.mitre.org/matrices/ATLAS) techniques and tactics and [MITRE ATT&CK Enterprise](https://attack.mitre.org/matrices/enterprise/) techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as Common Vulnerabilities and Exposures (CVEs), from the provided content. | **CAL Data Processing** | ✔ | ✔ | ✔ | ✔ | | IOC Extraction | Extracts explicit indicators within the content, including addresses, email addresses, file hashes (MD5, SHA1, and SHA256), hosts, URLs, ASNs, and CIDRs. | **CAL Data Processing** | ✔ | ✔ | ✔ | ✔ | | [MITRE ATT&CK AI Classification](https://knowledge.threatconnect.com/docs/mitre-attack-ai-classification-in-threatconnect) | Classifies text identified as MITRE ATT&CK Enterprise techniques and sub-techniques. | **CAL AI Processing** | ✔ | ✔ | ✔ | ✔ | | CAL ATL Report AI Summarization | Uses an artificial intelligence (AI) large language model (LLM) to summarize reports into 200-word summaries and three to five bullet points. | Available at all levels, including **Disable CAL CAL Services** | | | ✔ | ✔ | | [NAICS AI Industry Classification](https://knowledge.threatconnect.com/docs/naics-ai-industry-classification) | Categorizes subsector-related industries and their corresponding sectors based on the [North American Industry Classification System (NAICS)](https://www.census.gov/naics/) framework. | **CAL AI Processing** | | | ✔ | ✔ | | [AI Exploited-Vulnerability Analyzer](https://knowledge.threatconnect.com/docs/ai-exploited-vulnerability-analyzer) | Examines CAL ATL Reports for specific qualities to determine whether the content is likely about a zero-day or exploited vulnerability and, if so, to add a vulnerability-specific Tag and customize the AI summary for key vulnerability-focused details. | **CAL AI Processing** | | | | ✔ | | [Automated Detection-Signature Extraction](https://knowledge.threatconnect.com/docs/automated-detection-signature-extraction) | Identifies, extracts, and enriches detection signatures from cybersecurity blogs and reports. | **CAL AI Processing** | | | | ✔ | 1 This setting does not apply to services accessed via playbooks. ## Frequently Asked Questions **Can I use the CAL Doc Analysis Service functionalities without enabling CAL Indicator enrichment on my ThreatConnect instance?** Yes. On instances running [ThreatConnect version 8.0.0](https://knowledge.threatconnect.com/docs/8-0-release-notes#defined-calrelated-feature-flags) or later, the **CALServices** system setting determines the CAL Doc Analysis Service functionalities that are provided to the instance (see the “CALServices Level” column of Table 1), and the **CALIndicatorEnrichment** system setting determines whether [CAL Indicator enrichment](https://knowledge.threatconnect.com/docs/cal-indicator-enrichments) features are enabled. --- **What Indicator types does the CAL Doc Analysis Service extract?** The CAL Doc Analysis Service extracts the following [Indicator types](https://knowledge.threatconnect.com/docs/en/the-threatconnect-data-model#indicator-types): Addresses, Email Address, File (MD5, SHA1, and SHA256), Host, URL, ASN, and CIDR. --- **Why were no Indicators returned when I tried to extract Indicators using one of the features supported by the CAL Doc Analysis Service?** The CAL Doc Analysis Service applies the following rules to extracted Indicators to reduce “noise” from invalid and benign results: - Only Hosts, URLs, and Email Addresses with valid top-level domains (TLDs) from the [Internet Assigned Numbers Authority (IANA)](https://www.iana.org/) are included. - Indicators that are on the [CAL Safelist](https://knowledge.threatconnect.com/docs/cal-safelist-and-known-good-indicators) (that is, Indicators labeled with the **Status.Safelist** [CAL Classifier](https://knowledge.threatconnect.com/docs/cal-classifiers)) are excluded. - When processing information from Report Groups in the [**CAL Automated Threat Library**](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl) Source, Indicators with a [CAL Global Threat Score](https://knowledge.threatconnect.com/docs/cal-global-threat-score) of less than 150 that do not have the [**Topic: Zero Day** Tag](https://knowledge.threatconnect.com/docs/ai-exploited-vulnerability-analyzer#zeroday-and-vulnerability-tags-for-cal-atl-reports) are excluded from the results. --- **Is there a limit to the number of times I can use the CAL Doc Analysis Service in ThreatConnect features?** The ThreatConnect Doc Analysis Service has an initial limit of 1000 API calls per day per instance for all features. This default limit may be adjusted in the future based on customer feedback and specific use cases. Please reach out to your Customer Success Manager if you need additional API calls. --- **What information does ThreatConnect store about customer data processed via CAL Doc Analysis Service features?** ThreatConnect employs a **“purpose-driven data usage” approach** with CAL Doc Analysis Service features: - Any data processed by CAL Doc Analysis Service features are strictly tied to the task at hand and are not retained for longer than necessary. - User-submitted content processed by CAL Doc Analysis Service features is not stored outside of your ThreatConnect instance. - Requests from CAL Doc Analysis Service features are used only to generate the results returned to you by the feature. ThreatConnect **collects only essential data** from CAL Doc Analysis Service features: - The CAL Doc Analysis Service gathers only anonymous data that directly support the functionality and performance of the service and the features that use it, ensuring that nothing extra is taken from you. - ThreatConnect uses anonymous instance information from CAL Doc Analysis Service features to ensure that the service can scale and meet customer demand. --- *ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc. CVE®, MITRE ATT&CK®, and ATT&CK® are registered trademarks, and MITRE ATLAS™ is a trademark, of The MITRE Corporation.* 20174-01 v.04.A ## Related - [CAL Automated Threat Library (ATL)](/cal-automated-threat-library-atl.md) - [AI Exploited-Vulnerability Analyzer](/ai-exploited-vulnerability-analyzer.md) - [Document Parsing Import](/document-parsing-import.md) - [NAICS AI Industry Classification](/naics-ai-industry-classification.md) - [MITRE ATT&CK AI Classification in ThreatConnect](/mitre-attack-ai-classification-in-threatconnect.md) - [Automated Detection-Signature Extraction](/automated-detection-signature-extraction.md)