---
title: "Document Parsing Import | ThreatConnect"
slug: "document-parsing-import"
description: "This article describes how to use the Document Parsing Import feature in ThreatConnect to import Groups and Indicators from an unstructured file or a text block."
tags: ["Importing Data"]
updated: 2026-03-26T21:23:13Z
published: 2026-03-26T21:23:13Z
canonical: "knowledge.threatconnect.com/document-parsing-import"
---


# Document Parsing Import

## Overview

Document Parsing Import leverages the [CAL™ Doc Analysis Service](https://knowledge.threatconnect.com/docs/cal-doc-analysis-service) to parse an unstructured file or a text block to identify Groups with known aliases in CAL and Indicators and import them into ThreatConnect®. When parsing Groups, this import engine also extracts and imports explicit [MITRE ATLAS™](https://atlas.mitre.org/matrices/ATLAS) techniques and tactics and [MITRE ATT&CK® Enterprise](https://attack.mitre.org/matrices/enterprise/) techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as Common Vulnerabilities and Exposures (CVE®s), from the provided content. In addition, if AI-powered features for Document Parsing Import are enabled on your ThreatConnect instance, it leverages [MITRE ATT&CK AI Classification](https://knowledge.threatconnect.com/docs/mitre-attack-ai-classification-in-threatconnect) to extract and import implicit MITRE ATT&CK Enterprise techniques and sub-techniques from the content.

Document Parsing Import provides flexible customization options for your ingested data. For example, you can determine whether to create associations between imported objects, create associations between imported objects and existing objects that match imported objects, update existing objects with data ingested for imported objects, and add security Labels and Tags to imported and existing objects. In addition, when importing from a file, you can create a Document Group for the file and associate it to imported and existing objects so you can track the connection between the objects and their source.

**Note:** The following file types are supported for Document Parsing Import: txt, PDF, doc, docx, ppt, pptx, xls, and xlx.

**Important:** Document Parsing Import is powered by the [CAL Doc Analysis Service](https://knowledge.threatconnect.com/docs/cal-doc-analysis-service), which collects only essential, anonymized data that directly support the functionality and performance of the feature. These data are used only to generate the results the feature returns to you and are retained only for the time required to provide these results. You do not need to have CAL enabled on your ThreatConnect instance to use Document Parsing Import. This feature will not send any information to CAL from your ThreatConnect instance if CAL is not enabled.

## Before You Start

### User Roles

- To access Document Parsing Import, your user account must have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User, Sharing User, Organization Administrator, or App Developer.
- To use Document Parsing Import to import Groups and Indicators into an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To use Document Parsing Import to import Groups and Indicators into a Community or Source, your user account must have a [Community role](https://knowledge.threatconnect.com/docs/community-roles) of Contributor, Editor, or Director for that Community or Source.

### Prerequisites

- To use the AI-powered features of Document Parsing Import (that is, to leverage [MITRE ATT&CK AI Classification](https://knowledge.threatconnect.com/docs/mitre-attack-ai-classification-in-threatconnect) to extract and import implicit MITRE ATT&CK techniques and sub-techniques), select the **aiPoweredImportEnabled** checkbox on the **Feature Flags** tab of the **System Settings** screen (you must be a System Administrator to perform this action).
- To be able to create [cross-owner associations](https://knowledge.threatconnect.com/docs/best-practices-cross-owner-associations) between imported objects and existing Groups that match Groups parsed by Document Parsing Import, select the **crossOwnerAssociationEnabled** checkbox on the **Feature Flags** tab of the **System Settings** screen (you must be a System Administrator to perform this action).

## MITRE and CVE Parsing

Document Parsing Import parses explicit [MITRE ATLAS™](https://atlas.mitre.org/matrices/ATLAS) techniques and tactics and [MITRE ATT&CK® Enterprise](https://attack.mitre.org/matrices/enterprise/) techniques, sub-techniques, tactics, malware, tools, intrusion sets, and courses of action, as well as CVEs, from the provided content and imports them into ThreatConnect according to the mapping in Table 1. Parsing of explicit content refers to identification of words and phrases in the text content that exactly match MITRE ATLAS and MITRE ATT&CK Enterprise entity (technique, sub-technique, etc.) terms or CVE-IDs.

| Parsed Group Type | ThreatConnect Group Type |
| --- | --- |
| MITRE ATLAS technique | Attack Pattern |
| MITRE ATLAS tactic | Tactic |
| MITRE ATT&CK Enterprise technique | Attack Pattern |
| MITRE ATT&CK Enterprise sub-technique | Attack Pattern |
| MITRE ATT&CK Enterprise tactic | Tactic |
| MITRE ATT&CK Enterprise malware | Malware |
| MITRE ATT&CK Enterprise tool | Tool |
| MITRE ATT&CK Enterprise intrusion set | Intrusion Set |
| MITRE ATT&CK Enterprise course of action | Course of Action |
| CVE | Vulnerability |

If AI-powered features for Document Parsing Import are enabled on your ThreatConnect instance, implicit MITRE ATT&CK Enterprise techniques and sub-techniques are also parsed from the content and imported into ThreatConnect. Parsing of implicit content refers to identification of techniques and sub-techniques from sentences in the text content, even if the technique or sub-technique name is not explicitly mentioned.

**Example:** The following text is submitted to Document Parsing Import:

`The CEO was sent a malicious email with graphics and links to malicious websites that were blue and green.`

The following Attack Pattern Groups are created:

- T1566 - Phishing
- T1566.002 - Phishing: Spearphishing Link
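
The difference between explicit and implicit parsing can be seen with a small exact-match parser. The sketch below is an added illustration, not ThreatConnect or CAL code: the term list is a constructed three-entry subset of ATT&CK, the CVE-ID is a constructed placeholder, and case-insensitive whole-word matching is an assumption. It maps hits to Group types as in the table above and shows that the example sentence yields no explicit matches, so its two Attack Patterns can only come from implicit (AI) classification.

```python
import re

# Parsed entity type -> ThreatConnect Group type (subset of the page's mapping table).
GROUP_TYPE = {
    "MITRE ATT&CK Enterprise technique": "Attack Pattern",
    "MITRE ATT&CK Enterprise sub-technique": "Attack Pattern",
    "MITRE ATT&CK Enterprise tactic": "Tactic",
    "CVE": "Vulnerability",
}

# Constructed term list for illustration: (object ID, term, parsed entity type).
TERMS = [
    ("T1566", "Phishing", "MITRE ATT&CK Enterprise technique"),
    ("T1566.002", "Spearphishing Link", "MITRE ATT&CK Enterprise sub-technique"),
    ("TA0001", "Initial Access", "MITRE ATT&CK Enterprise tactic"),
]

# CVE-ID syntax: "CVE-", a four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# The sentence from the page's example: describes phishing without naming it.
PAGE_EXAMPLE = ("The CEO was sent a malicious email with graphics and links "
                "to malicious websites that were blue and green.")

# Constructed sample with explicit terms and a placeholder CVE-ID.
EXPLICIT_SAMPLE = ("The actor used a spearphishing link to exploit "
                   "CVE-2099-0001 for initial access.")


def parse_explicit(text):
    """Return sorted (object_id, group_type, matched_text) for exact matches.

    Assumption: terms match case-insensitively on word boundaries, so
    "Phishing" does not match inside "spearphishing".
    """
    hits = set()
    for object_id, term, entity in TERMS:
        pattern = r"\b" + re.escape(term) + r"\b"
        for m in re.finditer(pattern, text, re.IGNORECASE):
            hits.add((object_id, GROUP_TYPE[entity], m.group(0)))
    for m in CVE_RE.finditer(text):
        hits.add((m.group(0).upper(), GROUP_TYPE["CVE"], m.group(0)))
    return sorted(hits)


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE),
                        ("explicit sample", EXPLICIT_SAMPLE)):
        print(label)
        for hit in parse_explicit(text) or ["(no explicit matches)"]:
            print("  ", hit)
```
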

## Access Document Parsing Import

You can access the Document Parsing Import feature in the following areas of ThreatConnect:

- **Top navigation bar**: **Import** ![Import icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Import%20icon.png) menu
- **Search: Groups** and **Search: Indicators** screen: **+ Create & Import** > **Import**

## Import Groups and Indicators From an Unstructured File or Text Block

Follow these steps to use Document Parsing Import to import Groups and Indicators from an unstructured file or text block:

1. [Open Document Parsing Import.](/v1/docs/document-parsing-import#access-document-parsing-import)
2. Fill out the fields on the **Import** tab of the **Import Intel - Document Parsing** screen (Figure 1) as follows: ![Figure 1_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Document%20Parsing%20Import_7.11.2.png)
  - **Owner**: Select the [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) to import parsed Groups and Indicators into.
  - **+ IMPORT FILE**: If you want to import objects from a file, click this button and select a file to upload.
  - **Text**: If you imported a file, its contents will be displayed in this box. Alternatively, you may enter text directly into the box.
  - **Parse options**: You must select at least one of the following checkboxes to proceed with the import:
    - **Parse for groups to import**: Select this checkbox to parse the text displayed in the **Text:** box for Groups.
    - **Parse for indicators to import**: Select this checkbox to parse the text displayed in the **Text:** box for Indicators.
      **Note:** Parsed Indicators are automatically refanged if the version in the **Text:** box is defanged.
      **Note:** Document Parsing Import parses only the following [Indicator types](https://knowledge.threatconnect.com/docs/en/the-threatconnect-data-model#indicators): Address, ASN, CIDR, Email Address, File, Host, and URL. It does not parse any other Indicator types, including custom Indicator types.
  - **Text Replacement**: Use the **Find:** and **Replace:** fields to configure bulk changes to the **Text:** box contents. Click **APPLY** to apply the changes.
  - **History**: If you used text replacement during previous Document Parsing Import or [Unstructured Indicator Import](https://knowledge.threatconnect.com/docs/unstructured-indicator-import) sessions, this section will be added to display your six most recent **Find:** and **Replace:** values. Click **APPLY** for a **Find:**/**Replace:** pair to perform text replacement using those values.
  - Click **Next**.
3. Fill out the fields on the **Validate** tab of the **Import Intel - Document Parsing** screen (Figure 2) as follows: ![Figure 2_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Document%20Parsing%20Import_7.11.2.png)
  - **Parsed Indicators**: This section displays Indicators parsed from the text. Select the checkbox for each Indicator you want to import into the owner.
    **Hint:** Use the **Indicator Type** dropdown to filter the parsed Indicators by Indicator type.
    **Note:** Indicators on your ThreatConnect instance’s systemwide [exclusion list](https://knowledge.threatconnect.com/docs/creating-indicator-exclusion-lists) and on the [CAL Safelist](https://knowledge.threatconnect.com/docs/cal-safelist-and-known-good-indicators) are not included in the table. Indicators on the exclusion list for the owner into which you are importing data are included in the table, labeled with (excluded), and cannot be selected for import.
    **Note:** If your ThreatConnect instance supports [private Indicators](https://knowledge.threatconnect.com/docs/private-indicators), a **Private** column is available for selection of Indicators to mark as private.
  - **Parsed Groups**: This section displays Groups parsed from the text, including the Group’s name, CAL’s description for the Group, the [Group type](https://knowledge.threatconnect.com/docs/en/the-threatconnect-data-model#groups), the object ID (the Name/Summary for Groups with known aliases in CAL or the MITRE ID number for MITRE ATLAS and ATT&CK objects), and the part of the text that matched to the Group. Select the checkbox for each Group you want to import into the owner.
    **Important:** CAL updates its CVE database every 24 hours. If your parsed text includes a newly assigned CVE-ID from the last 24 hours, CAL may not yet have data on the corresponding CVE, even if the CVE exists as a Vulnerability Group in one of your ThreatConnect owners. In this case, the row for that CVE will not have a name or description, and you will not be able to import the CVE as a Vulnerability with Document Parsing Import. If this happens, clear the checkbox for the CVE, proceed with the rest of the import, and then either create a new Vulnerability Group for the CVE using the **Create & Import** > **Create** feature on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups) or wait up to 24 hours and try the Document Parsing Import again.
    **Note:** The **Object ID** and **Name** columns are combined to form the name/summary for Groups that are MITRE objects.
    **Note:** As part of the import, the **CAL Matched Text** and **CAL Object ID** [attributes](https://knowledge.threatconnect.com/docs/attributes) are added to the selected Groups and populated with the value of the **Matched Text** and **Object ID** fields, respectively, for the Group.
  - Click **Next**.
4. Fill out the fields on the **Confirm** tab of the **Import Intel - Document Parsing** screen (Figure 3) as follows: ![Figure 3_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Document%20Parsing%20Import_7.11.2.png)
  - **New Indicators**: Click the **VIEW** button to view the new Indicators selected for import.
  - **Existing Indicators**: Click the **VIEW** button to view Indicators selected for import that already exist in the owner. When the import runs, the existing Indicators will be updated with the Description and Source attributes, threat rating, and confidence rating provided for Indicators on the **Optional Data** tab and the security labels and Tags provided on the **Labels** tab.
  - **New Groups**: Click **VIEW** to view the new Groups selected for import.
  - **Existing Groups**: Click **VIEW** to view a table of Groups in the owner whose name/summary matches the name of a Group selected for import. If cross-owner associations are enabled on your ThreatConnect instance, the table will also show matching Groups in all of your ThreatConnect owners. Select the existing Groups you want to update with the Description and Source attributes provided for Groups on the **Optional Data** tab and the security labels and Tags provided on the **Labels** tab.
  - Click **Next**.
5. Fill out the fields of the **Optional Data** tab of the **Import Intel - Document Parsing** screen (Figure 4) as follows: ![Figure 4_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Document%20Parsing%20Import_7.11.2.png)
  - **Indicator Optional Data**: Enter the following information to apply to all selected new and existing Indicators:
    **Important:** For existing Indicators, information entered in the fields in this section will replace existing data.
    **Note:** This section is not displayed if you did not select any Indicators for import.
    - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicators.
    - **Source**: Enter a default [Source](https://knowledge.threatconnect.com/docs/the-source-attribute) for the Indicators.
    - **Threat Rating**: Select the [threat rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators.
    - **Confidence Rating**: Set the [confidence rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators.
    - **Active**: Select this checkbox to set the [Indicator status](https://knowledge.threatconnect.com/docs/indicator-status) of new Indicators to active, or clear the checkbox to set the Indicator status of new Indicators to inactive.
    - **Update Existing Status**: Select this checkbox to update the Indicator status of existing Indicators to the status indicated by the **Active** checkbox.
    - **DNS**: Select this checkbox to enable [DNS resolution tracking](https://knowledge.threatconnect.com/docs/dns-resolutions) for all new Host Indicators.
    - **Whois**: Select this checkbox to enable [WHOIS lookups](https://knowledge.threatconnect.com/docs/whois-registration-information) for all new Host Indicators.
  - **Group Optional Data**: Enter the following information to apply to all selected new and existing Groups:
    **Important:** For existing Groups, information entered in the fields in this section will replace existing data.
    **Note:** This section is not displayed if you did not select any Groups for import.
    - **Use individual descriptions from CAL**: Select this checkbox to have CAL provide the default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for each Group.
    - **Description**: If you did not select the **Use individual descriptions from CAL** checkbox, enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Groups.
    - **Source**: Enter a default [Source](https://knowledge.threatconnect.com/docs/the-source-attribute) for the Groups.
  - Click **Next**.
6. Fill out the fields on the **Labels** section of the **Import Intel - Doc Analysis** screen (Figure 5) as follows: ![Figure 5_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Document%20Parsing%20Import_7.11.2.png)
  - **Security Labels**: Select [security labels](https://knowledge.threatconnect.com/docs/applying-security-labels) to apply to all selected new and existing Groups and Indicators.
    **Important:** For existing Groups and Indicators, the selected security labels will be added to the object. Existing security labels will not be removed.
  - **Tags**: Enter [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to all selected new and existing Groups and Indicators.
    **Important:** For existing Groups and Indicators, the Tags will be added to the object. Existing Tags will not be removed.
    **Important:** When entering text in the **Tags** field, click on a suggested Tag or click **+** to add the Tag. Added Tags are displayed in a bubble to the right of the **Tags** field. If a Tag is not displayed in that area, then it will not be added to the selected Groups and Indicators.
    **Note:** Synonymous Tags in a [Tag normalization rule](https://knowledge.threatconnect.com/docs/tag-normalization) will be converted to their main Tag after you complete the import. Tags that match an [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) will be applied as the ATT&CK Tag after you complete the import.
  - Click **Next**.
7. Fill out the fields on the **Save** tab of the **Import Intel - Document Parsing** screen (Figure 6) as follows: ![Figure 6_Document Parsing Import_7.11.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Document%20Parsing%20Import_7.11.2.png)
  - **Create Document and associate to indicators using this file.**: Select this checkbox to create a [Document Group](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#group-types) for the source file and [associate](https://knowledge.threatconnect.com/docs/associations) it to selected new and existing Groups and Indicators.
    **Note:** This checkbox is not displayed if you did not import a file on the **Import** tab.
  - **Document Name**: Enter the Document Group’s name/summary.
    **Note:** This checkbox is not displayed if you did not select the **Create Document and associate to indicators using this file.** checkbox.
  - **Associate Indicators to Imported Groups**: Select this checkbox to associate all selected Indicators with all selected new Groups. Note that this operation also creates second-level (i.e., indirect) associations between all selected Indicators.
  - **Associate Indicators to Existing Groups**: Select this checkbox to associate all selected Indicators with the existing Groups selected in the tables on the **Confirm** and **Save** tabs. Note that this operation also creates second-level (i.e., indirect) associations between all selected Indicators.
  - **Associate All Groups**: Select this checkbox to associate all Groups with each other:
    - New Groups
    - Existing Groups selected in the tables on the **Confirm** and **Save** tabs
    - The Document Group created if you selected the **Create Document and associate to indicators using this file.** checkbox
  - **+ NEW ASSOCIATION**: Click this button to select existing Groups in your Organization to associate with the selected new Groups and the selected new and existing Indicators. Selected Groups are added to the table.
    **Note:** You can select only Groups of a single type at a time. To select Groups of multiple types, repeat the **+ NEW ASSOCIATION** operation for each Group type.
    **Important:** You cannot remove Groups from the table on the **Save** tab. If you want to remove a Group in the table, click **CANCEL** and restart the import.
  - Click **Save** to complete the Document Parsing Import.

---

*ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc. CVE®, MITRE ATT&CK®, and ATT&CK® are registered trademarks, and MITRE ATLAS™ is a trademark, of The MITRE Corporation.*

20154-01 v.02.B

## Related

- [CAL Doc Analysis Service](/cal-doc-analysis-service.md)
- [MITRE ATT&CK AI Classification in ThreatConnect](/mitre-attack-ai-classification-in-threatconnect.md)
