--- title: "CAL Safelist and Known Good Indicators | ThreatConnect" slug: "cal-safelist-and-known-good-indicators" description: "This article describes the CAL Safelist & “known good” label for Indicators in ThreatConnect & Polarity. It discusses how to identify CAL Safelist & “known good” Indicators & how being on the CAL Safelist affects Indicators in TC & Polarity." tags: ["Analytical Tools"] updated: 2026-06-06T22:31:19Z published: 2026-06-06T22:31:19Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # CAL Safelist and Known Good Indicators ## Overview As part of its [Indicator enrichment feature](https://knowledge.threatconnect.com/docs/cal-indicator-enrichments), CAL™ leverages aggregated data from public safelists and a manually curated safelist maintained by the ThreatConnect ® CAL Team to identify non-malicious Indicators in ThreatConnect and Polarity. Indicators on the CAL safelist are labeled in ThreatConnect and Polarity, allowing you to quickly determine that they are benign, thereby reducing false positives and improving the efficiency of your threat intelligence operations. In addition, Indicators on the CAL safelist are automatically excluded from collection, enrichment, or analysis in certain ThreatConnect areas and features. ThreatConnect and Polarity also display a “known good” label for Indicators aggregated from a set of public safelists. ## Before You Start ### User Roles - To view CAL Indicator enrichments for Indicators in your Organization, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). - To view CAL Indicator enrichments for Indicators in a Community or Source, your user account can have any [Community role](https://knowledge.threatconnect.com/docs/community-roles) except Banned for that Community or Source. ### Prerequisites - To view CAL enrichment information for Indicators in your ThreatConnect owners, enable CAL Indicator enrichment for your ThreatConnect instance and in your Organization: - To enable CAL Indicator enrichment for your ThreatConnect instance, select the **CALIndicatorEnrichment** checkbox on the **Feature Flags** tab of the **System Settings** screen (must be a System Administrator to perform this action). - To allow users in your Organization to view CAL Indicator enrichment data in their ThreatConnect owners, edit your Organization on the **Organizations** tab of the **Account Settings** screen and select the **Enable CAL Data** checkbox on the **Permissions** tab of the **Organization Information** window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action). - Verify that your ThreatConnect instance can receive data from `cal.threatconnect.com`. - To view CAL enrichment information for Indicators in Polarity, install and configure the [ThreatConnect CAL integration with Polarity](https://threatconnect.com/resource/threatconnect-cal-integration-with-polarity/). ## CAL Safelist The CAL safelist is a directory of Indicators identified as “safe” (i.e., not malicious) maintained by the ThreatConnect CAL Team for the ThreatConnect community. Its data are aggregated from public safelists and intelligence manually curated by the ThreatConnect CAL Team, leveraging the collective insights of thousands of analysts worldwide who use ThreatConnect to provide comprehensive and up-to-date validation of non-malicious Indicators. It is updated regularly based on routine monitoring, customer requests, and feature updates. ### How Can I Tell If an Indicator Is on the CAL Safelist? In ThreatConnect (Figure 1) and Polarity (Figure 2), Indicators on the CAL safelist are labeled with the `CAL Safelist` CAL Impact Factor and the `Status.Safelist` [CAL Classifier](https://knowledge.threatconnect.com/docs/cal-classifiers), providing you with immediate awareness that an Indicator is benign and does not warrant further investigation. ![Figure 1_CAL Safelist and Known Good Indicators_8.0.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_CAL%20Safelist%20and%20Known%20Good%20Indicators_8.0.0.png) NoteCAL Impact Factors and CAL Classifiers may be viewed on the [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen), the [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), and the [**Details** drawer](https://knowledge.threatconnect.com/docs/the-details-drawer) for Indicators in ThreatConnect. ![Figure 2_CAL Safelist and Known Good Indicators_7.9.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_CAL%20Safelist%20and%20Known%20Good%20Indicators_7.9.1.png) ### How Does Being on the CAL Safelist Affect an Indicator? Indicators on the CAL safelist are affected in the following ways: - Indicators on the CAL safelist have their [CAL Global Threat Score](https://knowledge.threatconnect.com/docs/cal-global-threat-score) locked to 0. - Indicators on the CAL safelist have a [CAL status](https://knowledge.threatconnect.com/docs/indicator-status#cal-status) of inactive. This status determines ThreatConnect [Indicator status](https://knowledge.threatconnect.com/docs/indicator-status) unless a CAL [status lock](https://knowledge.threatconnect.com/docs/indicator-status#status-locks) is turned on [at the system level](https://knowledge.threatconnect.com/docs/indicator-status#systemlevel-status-lock), [for the Indicator’s type in its owner](https://knowledge.threatconnect.com/docs/indicator-status#ownerlevel-status-locks), or [for the individual Indicator](https://knowledge.threatconnect.com/docs/indicator-status#singleindicator-status-lock). Similarly, Indicators on the CAL safelist that are enriched by the [**Get CAL Enrichment** playbook app](https://threatconnect.readme.io/docs/get-cal-enrichment-playbook) and then added to a ThreatConnect owner will have an inactive Indicator status in ThreatConnect, as determined by their CAL status, unless a CAL status lock is turned on. - Indicators on the CAL safelist display a CAL status of inactive in Polarity. - Indicators on the CAL safelist are not added to the [**CAL Automated Threat Library** Source](https://knowledge.threatconnect.com/docs/cal-automated-threat-library-atl)in ThreatConnect.NoteIndicators in the **CAL Automated Threat Library** Source that are subsequently added to the CAL safelist are not removed from the **CAL Automated Threat Library** Source. - Indicators on the CAL safelist are not imported into ThreatConnect when using the following features: - [Document Parsing Import](https://knowledge.threatconnect.com/docs/document-parsing-import) - [**ThreatConnect Doc Analysis** playbook app](https://threatconnect.readme.io/docs/threatconnect-doc-analysis-playbook) - [ThreatConnect Intelligence Anywhere](https://knowledge.threatconnect.com/docs/threatconnect-intelligence-anywhere-overview) ## “Known Good” Indicators The “known good” label for Indicators demonstrates that an Indicator is found on one or more public safelists. It is displayed on the Indicator **Details** screen (Figure 3), **Details** drawer (Figure 4), and legacy **Details** screen (Figure 5) in ThreatConnect, as well as in Polarity (Figure 6). NoteIn the Indicator **Details** drawer, the “known good” label is available only when viewing an Indicator in its owner. It is not currently available in the unified view for the Indicator **Details** drawer. ![Figure 3_CAL Safelist and Known Good Indicators_8.0.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_CAL%20Safelist%20and%20Known%20Good%20Indicators_8.0.0.png) ![Figure 4_CAL Safelist and Known Good Indicators_8.0.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_CAL%20Safelist%20and%20Known%20Good%20Indicators_8.0.0.png) ![Figure 5_CAL Safelist and Known Good Indicators_8.0.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_CAL%20Safelist%20and%20Known%20Good%20Indicators_8.0.0.png) Note - **Known Good – Feeds Reporting this Indicator as Benign** information is provided only for File Indicators. The **Known Good – Reported in a Known Good Source** value is displayed for all Indicator types for which CAL provides enrichment services. - File Indicators without a complete hash triplet in the NSRL database may not display “known good” information in the **Feeds** section. ![Figure 6_CAL Safelist and Known Good Indicators_7.9.1](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_CAL%20Safelist%20and%20Known%20Good%20Indicators_7.9.1.png) Feeds that provide information about “known good” Indicators in ThreatConnect and Polarity include the following: - Internet Assigned Numbers Authority (IANA) Root Zone Database - Microsoft® Office 365™ Hosts - National Software Reference Library (NSRL) Database - NSRL Database - Android™ Apps - NSRL Database - iOS™ Apps - NSRL Database - Legacy (pre-2015) - NSRL Database - Modern (2015+) - Open Worldwide Application Security Project (OWASP) File Hash Repository - Reserved IP Ranges ## Frequently Asked Questions (FAQ) **If a Host Indicator is on the CAL safelist, are its related objects also “benign”?** Not necessarily. For example, a Host’s inclusion on the CAL safelist does not necessitate that sub-domains, URLs, and email addresses containing the domain are also on the CAL safelist. Similarly, an Indicator on the CAL safelist may have associated Indicators that are not on the CAL safelist. For example, a Host may be on the CAL safelist, but an Address associated to it may not. Make sure to check associated Indicators for their own classifications. --- **Are Indicators reported as false positives automatically added to the CAL safelist?** No, being [reported as a false positive](https://knowledge.threatconnect.com/docs/viewing-and-reporting-false-positives) does not cause an Indicator to be added to the CAL safelist. All CAL safelist entries are reviewed by humans. However, reporting false positives in ThreatConnect is an important way to inform other users that an Indicator is likely not malicious. In addition, reporting an Indicator as a false positive will lower its [CAL Global Threat Score](https://knowledge.threatconnect.com/docs/cal-global-threat-score). Furthermore, Indicators with numerous false-positive reports over certain periods of time will be manually reviewed as part of the CAL Team’s monitoring activities, which may lead to the Indicator’s addition to the CAL safelist. --- **How do I request that an Indicator be added to or removed from the CAL safelist?** Please contact your Customer Success Manager or create a support ticket to request that an Indicator be added to or removed from the CAL safelist. Make sure to list all Indicators that you would like the CAL Team to review and the reason that each Indicator should be added to or removed from the CAL safelist. NoteYou may create a support ticket in the [ThreatConnect Support Portal](https://jira-tc.atlassian.net/servicedesk/customer/portal/2) or by emailing support@threatconnect.com. --- *ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc. iOS™ is a trademark of Cisco Systems, Inc. Android™ is a trademark of Google LLC. Microsoft® is a registered trademark, and Office 365™ is a trademark, of Microsoft Corporation.* 20170-01 v.02.A ## Related - [NAICS AI Industry Classification](/naics-ai-industry-classification.md) - [Document Parsing Import](/document-parsing-import.md) - [CAL Classifiers](/cal-classifiers.md) - [ThreatAssess and CAL](/threatassess-and-cal.md) - [Indicator Status](/indicator-status.md)