CAL Indicator Enrichments
- Updated on 16 Dec 2025
Overview
CAL™ Indicator enrichments combine data from a diverse ecosystem of sources to help you understand how Indicators have been observed, classified, or validated across ThreatConnect® and other connected systems. These enrichments provide analysts with deeper visibility into the reputation, behavior, and lifecycle of Indicators across the broader threat landscape.
When CAL enrichment is applied, Indicators display additional fields, impact factors, and classifiers that represent aggregated, anonymized, or computed information, including the following:
- Observations, false positives, and impressions across Indicators in all Communities and Sources and in all participating Organizations on all participating ThreatConnect and Polarity instances
- Feed and provider visibility
- “Known Good” and Safelist status
- Classifications derived from machine-learning (ML) and analytics models
- Metadata extracted or computed from enrichment-only datasets
These enrichments support features in ThreatConnect and in the ThreatConnect CAL integration with Polarity by providing the CAL Global Threat Score, CAL status, CAL Classifiers, and more to enhance the accuracy and efficiency of cyberthreat analysis.
Before You Start
User Roles
- To view CAL enrichments for Indicators in your Organization, your user account can have any Organization role.
- To view CAL enrichments for Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
Prerequisites
- To view CAL enrichment information for Indicators in your ThreatConnect owners, enable CAL for your ThreatConnect instance and in your Organization:
  - To enable CAL for your ThreatConnect instance, select the CALEnabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
  - To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
- Verify that your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).
- To view CAL enrichment information for Indicators in Polarity, install and configure the ThreatConnect CAL integration with Polarity.
Components of CAL Indicator Enrichments
CAL Indicator enrichments are composed of multiple data dimensions that describe an Indicator’s context, behavior, and reputation.
CAL Analytics
CAL leverages the following proprietary analytics from the ThreatConnect and Polarity customer communities to provide important context to support Indicator analysis:
- Observations: The number of times an Indicator has been observed in an actual customer network. The more observations an Indicator has, the more likely it is to be relevant to an investigation.
- Impressions: The number of times an Indicator is viewed, searched for, or looked up via the ThreatConnect CAL Integration with Polarity, the ThreatConnect user interface (UI), or the Get CAL Enrichment Playbook App.
- False Positive reports: Reports from the ThreatConnect CAL Integration with Polarity and reports from ThreatConnect users that an Indicator is a false positive.
These analytics directly influence an Indicator’s CAL Global Threat Score, CAL status, and CAL Classifiers and are displayed as trending data for that Indicator.
Feed-Driven Enrichments
CAL aggregates visibility and metadata from a large collection of open-source (OSINT) and enrichment-only feeds:
- Customer-available feeds contribute observed data such as first seen, last seen, and feed reporting count. Each feed’s reliability, uniqueness, average CAL Global Threat Score (Scoring Disposition), and other classifiers are summarized in feed report cards, helping analysts assess feed quality and potential data noise.
- Enrichment-only feeds provide additional intelligence for context, such as provider information, file hash triplets, rankings, and geolocation details:
  - IPtoASN Public ASN Mapping
  - Amazon AWS IP Ranges
  - Bambenek DGA Domains
  - Cisco Umbrella
  - Cloudflare IPv4 Ranges
  - Cloudflare IPv6 Ranges
  - ivolo Disposable Email Domains
  - Facebook IP Ranges
  - CAL Proprietary
  - Google Cloud IP Ranges
  - Google Workspace Mailserver IP Ranges
  - IANA Root Zones
  - Majestic Million
  - Microsoft Azure Datacenter IP Ranges
  - Microsoft Office365 IP Ranges
  - Microsoft Office365 Hosts
  - NSRL Database - Android Apps
  - NSRL Database - iOS Apps
  - NSRL Database - Legacy (up to 2014)
  - NSRL Database - Modern (2015+)
  - OWASP File Hash Repository
  - public-dns.info Public DNS Server List
  - Reserved IP Ranges
  - Tranco Top 1 Million
  - Twitter IP Ranges
  - WhoisDS Newly Registered and Recently Expired Domains
- 45 historical feeds (customer-available feeds and enrichment-only feeds) provide long-term context about where an Indicator has previously been identified. These feeds are no longer active and are not providing new data.
Feeds provide the following additional metadata:
- First-seen and last-seen dates
- External context: Tags, intrusion phases, antivirus (AV) detections, malware family name, file name, file size, file type, website rank
CAL Classifiers
CAL Classifiers are meaningful threat-related or contextual labels that categorize Indicators based on analytics, heuristics, and ML-derived models. CAL currently supports over 100 Classifiers, which may be dynamically added or removed as new analytics evolve.
Known Good
The CAL “Known Good” sources identify Indicators that are verified as non-malicious by various reliable sources such as public and manually curated safelists.
Quad9 Resolutions
CAL provides the locations of computers that attempted to access suspicious domains captured by Quad9® infrastructure within the last 90 days—for example, on the CAL™ - Quad9 Observed Attempted Resolutions section of the DNS Resolution card on the Details screen for Address and Host Indicators in the ThreatConnect UI.
File and File Hash Information
CAL provides metadata on File Indicators in ThreatConnect and in the ThreatConnect CAL Integration with Polarity. For example, the CAL™ File Hash Information card on the Details screen for File Indicators in the ThreatConnect UI profiles a file’s name, size, type, and reporting feed. CAL also determines whether there are additional hash types for File Indicators. If CAL identifies hashes that do not belong together, it chooses a hash based on the one that is least likely to collide (SHA256, then SHA1, then MD5). CAL also provides details on the source of the hash triplet’s information.
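The hash preference order described above, as an added sketch; it is not ThreatConnect or CAL code, and CAL's actual reconciliation logic is not shown on this page. The function names, the `KNOWN` reference records, and their feed names are hypothetical, and the hash values are constructed placeholders.

```python
PREFERENCE = ("sha256", "sha1", "md5")  # least likely to collide first

# Constructed reference triplets (repeated-character placeholders, not real hashes).
KNOWN = [
    {"md5": "a" * 32, "sha1": "b" * 40, "sha256": "c" * 64, "source": "feed-one"},
    {"md5": "d" * 32, "sha1": "e" * 40, "sha256": "f" * 64, "source": "feed-two"},
]


def build_index(records):
    """Map (hash_type, lower-cased value) -> reference record."""
    return {(k, r[k].lower()): r for r in records for k in PREFERENCE if r.get(k)}


def reconcile(claimed, index):
    """Return (anchor_type, triplet, source, dropped) for one indicator's hashes.

    The strongest hash type present is the anchor. Weaker hashes that the
    reference data ties to a different file are listed in `dropped`.
    """
    present = [k for k in PREFERENCE if claimed.get(k)]
    if not present:
        raise ValueError("no hash supplied")
    anchor = present[0]
    anchor_value = claimed[anchor].lower()
    record = index.get((anchor, anchor_value))
    # Start from the reference triplet for the anchor, if one is known.
    triplet = {k: record[k].lower() for k in PREFERENCE if record and record.get(k)}
    triplet[anchor] = anchor_value
    source = record["source"] if record else None
    dropped = []
    for kind in present[1:]:
        value = claimed[kind].lower()
        if triplet.get(kind) == value:
            continue  # agrees with the anchor's record
        owner = index.get((kind, value))
        foreign = owner and (owner.get(anchor) or anchor_value).lower() != anchor_value
        if kind in triplet or foreign:
            dropped.append(kind)  # reference data ties this hash to another file
        else:
            triplet[kind] = value  # nothing contradicts it; keep as claimed
    return anchor, triplet, source, dropped
```
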
IP Address Owner Information
CAL provides IP address owner and geolocation data in ThreatConnect and in the ThreatConnect CAL Integration with Polarity. For example, the CAL™ Provider Information section of the GeoLocation Data card for Address Indicators in the ThreatConnect UI provides the name of the service provider claiming ownership of the Address, the geographic region assigned to the Address, and the service for which the Address is used.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
Quad9® is a registered trademark of Quad9 Foundation.
20178-01 v.01.A