CAL Safelist and Known Good Indicators
- Updated on 21 May 2025
Overview
CAL™ leverages aggregated data from public safelists and a manually curated safelist maintained by the ThreatConnect CAL Team to identify non-malicious Indicators in ThreatConnect® and Polarity. Indicators on the CAL Safelist are labeled in ThreatConnect and Polarity, allowing you to quickly determine that they are benign, thereby reducing false positives and improving the efficiency of your threat intelligence operations. In addition, Indicators on the CAL Safelist are automatically excluded from collection, enrichment, or analysis in certain ThreatConnect areas and features. ThreatConnect and Polarity also display a “known good” label for Indicators aggregated from a set of public safelists.
Before You Start
User Roles
- To view CAL enrichment information for Indicators in your Organization, your user account can have any Organization role.
- To view CAL enrichment information for Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
Prerequisites
- To view CAL enrichment information for Indicators in your ThreatConnect owners, enable CAL for your ThreatConnect instance and in your Organization:
  - To enable CAL for your ThreatConnect instance, select the CALEnabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
  - To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
- Verify that your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).
- To view CAL enrichment information for Indicators in Polarity, install and configure the ThreatConnect CAL integration with Polarity.
CAL Safelist
The CAL Safelist is a directory of Indicators identified as “safe” (i.e., not malicious) maintained by the ThreatConnect CAL Team for the ThreatConnect community. Its data are aggregated from public safelists and intelligence manually curated by the ThreatConnect CAL Team, leveraging the collective insights of thousands of analysts worldwide who use ThreatConnect to provide comprehensive and up-to-date validation of non-malicious Indicators. It is updated regularly based on routine monitoring, customer requests, and feature updates.
How Can I Tell If an Indicator Is on the CAL Safelist?
In ThreatConnect (Figure 1) and Polarity (Figure 2), Indicators on the CAL Safelist are labeled with the CAL Safelist CAL Impact Factor and the Status.Safelist CAL Classifier, providing you with immediate awareness that an Indicator is benign and does not warrant further investigation.
How Does Being on the CAL Safelist Affect an Indicator?
Indicators on the CAL Safelist are affected in the following ways:
- Indicators on the CAL Safelist have their CAL reputation score locked to 0.
- Indicators on the CAL Safelist have their Indicator Status set to inactive in ThreatConnect, unless their CAL Status Lock is turned on.
- Indicators on the CAL Safelist are excluded from the CAL Automated Threat Library Source in ThreatConnect.
- Indicators on the CAL Safelist are not imported into ThreatConnect when using the following features:
- Indicators that are enriched by the Get CAL Enrichment Playbook App and then saved into ThreatConnect will have their Indicator Status set to inactive in ThreatConnect, unless CAL Status Lock is turned on for the Indicator type in the owner(s) into which they are imported.
- Indicators on the CAL Safelist display a CAL status of inactive in Polarity.
“Known Good” Indicators
The “known good” label for Indicators in ThreatConnect (Figure 3) and Polarity (Figure 4) demonstrates that an Indicator is found on one or more public safelists.
Feeds that provide information about “known good” Indicators in ThreatConnect and Polarity include the following:
- Internet Assigned Numbers Authority (IANA) Root Zone Database
- Microsoft® Office 365™ Hosts
- National Software Reference Library (NSRL) Database
- NSRL Database - Android™ Apps
- NSRL Database - iOS™ Apps
- NSRL Database - Legacy (up to 1999)
- NSRL Database - Modern (2000+)
- Open Worldwide Application Security Project (OWASP) File Hash Repository
- Reserved IP Ranges
Frequently Asked Questions (FAQ)
If a Host Indicator is on the CAL Safelist, are its related objects also “benign”?
Not necessarily. For example, a Host’s inclusion on the CAL Safelist does not mean that sub-domains, URLs, and email addresses containing the domain are also on the CAL Safelist. Similarly, an Indicator on the CAL Safelist may have associated Indicators that are not on the CAL Safelist. For example, a Host may be on the CAL Safelist, but an Address associated with it may not. Make sure to check associated Indicators for their own classifications.
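The following triage sketch applies this rule in a downstream filter. It is an added example, not ThreatConnect or CAL code. The `SAFELISTED` set, the sample Indicators, the verdict strings, and the function names are constructed for illustration, and the type name `EmailAddress` is an assumption. Only an exact match is treated as safelisted. Anything that merely contains or sits under a safelisted Host is flagged so that it keeps its own classification.

```python
from urllib.parse import urlsplit

# Constructed data: (type, value) pairs assumed to carry the Status.Safelist
# classifier after a CAL lookup. Not real CAL output.
SAFELISTED = {("Host", "example.com")}

# Constructed sample Indicators to triage.
SAMPLE = [
    ("Host", "example.com"),
    ("Host", "files.example.com"),
    ("Host", "notexample.com"),
    ("URL", "https://example.com/download/a.bin"),
    ("EmailAddress", "billing@example.com"),
    ("Address", "192.0.2.10"),
]

def embedded_host(ind_type, value):
    """Return the host inside a Host, URL, or EmailAddress value, else None."""
    if ind_type == "Host":
        return value.lower()
    if ind_type == "URL":
        return urlsplit(value).hostname  # already lowercased, or None
    if ind_type == "EmailAddress":
        return value.rsplit("@", 1)[-1].lower()
    return None

def triage(indicators, safelisted=SAFELISTED):
    """Map each value to one of three verdicts.

    safelisted            - the Indicator itself is on the safelist
    related-not-inherited - contains or sits under a safelisted Host, but
                            safelist status does not carry over to it
    no-safelist-relation  - nothing ties it to a safelisted Host
    """
    safe_hosts = {v for t, v in safelisted if t == "Host"}
    verdicts = {}
    for ind_type, value in indicators:
        norm = value.lower() if ind_type in ("Host", "EmailAddress") else value
        if (ind_type, norm) in safelisted:
            verdicts[value] = "safelisted"
            continue
        host = embedded_host(ind_type, value)
        # Match on a label boundary so "notexample.com" is not tied to "example.com".
        related = host is not None and any(
            host == s or host.endswith("." + s) for s in safe_hosts
        )
        verdicts[value] = "related-not-inherited" if related else "no-safelist-relation"
    return verdicts
```

An associated Address such as the one in `SAMPLE` has no host to compare, so it falls through to its own lookup like any other Indicator.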
Are Indicators reported as false positives automatically added to the CAL Safelist?
No, being reported as a false positive does not cause an Indicator to be added to the CAL Safelist. All CAL Safelist entries are reviewed by humans. However, reporting false positives in ThreatConnect is an important way to inform other users that an Indicator is likely not malicious. In addition, reporting an Indicator as a false positive will lower its CAL reputation score. Furthermore, Indicators with numerous false-positive reports over certain periods of time will be manually reviewed as part of the CAL Team’s monitoring activities, which may lead to the Indicator’s addition to the CAL Safelist.
How do I request that an Indicator be added to or removed from the CAL Safelist?
Please contact your Customer Success Manager or create a support ticket to request that an Indicator be added to or removed from the CAL Safelist. Make sure to list all Indicators that you would like the CAL Team to review and the reason that each Indicator should be added to or removed from the CAL Safelist.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
iOS™ is a trademark of Cisco Systems, Inc.
Android™ is a trademark of Google LLC.
Microsoft® is a registered trademark, and Office 365™ is a trademark, of Microsoft Corporation.
20170-01 v.01.A