Contents x
Prepare for CAL ATL Changes in CAL 3.15 Release
  • 03 Mar 2026
  • 4 Minutes to read
  • Print
  • Dark
    Light
  • PDF
Contents

Prepare for CAL ATL Changes in CAL 3.15 Release

  • Updated on 03 Mar 2026
  • 4 Minutes to read
  • Print
  • Dark
    Light
  • PDF
Article summary

Overview

The CAL™ 3.15 release, scheduled for early April 2026, will deliver a major upgrade for ThreatConnect® and Polarity customers leveraging CAL Automated Threat Library (ATL). In addition to bringing in data from new blogs and report sources and improving the frequency and reliability of data retrieval, this release includes changes that streamline and update blog metadata and remove blogs that no longer exist or provide relevant data:

  • Tag names for some CAL ATL blogs were changed to ensure consistency and correctness.
  • Some CAL ATL blogs were consolidated under a single Tag.
  • Retired blogs that were re-activated were added back to CAL ATL.
  • Blogs that stopped publishing relevant data were retired.
  • URLs for CAL ATL blogs were updated as needed.
Important
These changes may affect customer workflows, automations, and dashboards that incorporate updated Tag names. ThreatConnect will automatically normalize these Tags in the CAL 3.15 release. You do not need to take any further action.

CAL ATL Updates for CAL 3.15

The CAL Automated Threat Library Source includes the following features under the CAL 3.15 release:

  • 125 of the best blog and report sources—including CERTs, government agencies, security research organizations, industry vendors, and security news—to help power CTI workflows, orchestration, and decision making. These sources include the following:
    • 46 new blog and report sources
    • Reactivated blog and report sources:
      • 360 Netlab Blog
      • Check Point Research
      • CrowdStrike (formerly CrowdStrike Blog)
      • Dark Reading (formerly Darkreading)
      • Flashpoint
      • Internet Crime Complaint Center Industry Alerts (IC3)
      • labs.vipre.com (formerly VIPRE Labs Blog)
      • Red Packet Security (formerly Red Packet Security Pikabot C2, Red Packet Security Ransomware Feed, and Red Packet Security Posh C2)
      • Security Week
      • Splunk (formerly Splunk Threat Research Team)
      • The DFIR Report
      • The Digest (Crypto-Ransomware) (formerly ID Ransomware)
  • Hourly updates for ALL blog and report sources
  • Improved reliability of retrieved information
  • Reduced false positives from links identified as indicators of compromise (IoCs) in blogs and reports

What Do I Need to Do?

The CAL 3.15 release is scheduled for early April 2026. You do not need to make any changes, as automatic Tag normalization rules will make all necessary adjustments to account for changed Tags. If you think you may not want automated Tag normalization to occur on your ThreatConnect instance, please reach out to your Customer Support Manager to be excluded.

Warning
Opting out of automatic Tag normalization for the CAL 3.15 update will require you to make manual changes to playbooks, dashboards, ThreatConnect Query Language (TQL) queries, and other areas that use legacy Tag names.

Table 1 lists the updated blogs, including changes to their corresponding Tag and a description of the change.

 

Blog NameSource URLOld ThreatConnect TagCurrent ThreatConnect TagWhat Changed?
360 Netlab Bloghttps://blog.netlab.360.com/N/ABlog: 360 Netlab BlogBlog reactivated in CAL ATL
Bitdefenderhttps://www.bitdefender.com/en-usBlog: Bitdefender LabsBlog: BitdefenderTag change
Bleeping Computerhttps://www.bleepingcomputer.comBlog: BleepingComputerBlog: Bleeping ComputerTag change
Canadian Centre for Cyber Securityhttps://www.cyber.gc.caBlog: Government of Canada Alerts and AdvisoriesBlog: Canadian Centre for Cyber SecurityTag change
Center for Internet Securityhttps://www.cisecurity.org

Blog: CIS - Center for Internet Security (Advisories)

Blog: CIS - Center for Internet Security (Alerts)

Blog: Center for Internet Security (Alert)

Blog: Center for Internet SecurityMultiple Tags consolidated into a single Tag
CERT-UAhttp://cert.gov.uaBlog: CERT-UA NewsBlog: CERT-UATag change
Check Point Researchhttps://research.checkpoint.comN/ABlog: Check Point ResearchBlog reactivated in CAL ATL
CISAhttp://cisa.govBlog: CISA Cybersecurity Alerts & AdvisoriesBlog: CISATag change
CrowdStrikehttps://www.crowdstrike.comN/ABlog: CrowdStrikeBlog reactivated in CAL ATL
Cyber Security Newshttps://cybersecuritynews.comBlog: Cybersecurity NewsBlog: Cyber Security NewsTag change
Cyberscoop - Attackshttps://www.cshub.com/rss/categories/attacksBlog: CyberScoop AttacksN/ABlog retired from CAL ATL - stopped publishing data in April 2025
Cyberscoop - Security Strategyhttps://www.cshub.com/rss/categories/security-strategyBlog: Cyber Security HubN/ABlog retired from CAL ATL - stopped publishing data in August 2025
Cyberscoop - Threat Defensehttps://www.cshub.com/rss/categories/threat-defenseBlog: CyberScoopN/ABlog retired from CAL ATL - stopped publishing data in June 2025
Dark Readinghttp://www.darkreading.comN/ABlog: Dark ReadingBlog reactivated in CAL ATL
DataBreacheshttp://databreaches.netBlog: Data Breach TodayBlog: DataBreachesTag change
Endpoint Threat Protectionhttps://www.sentinelone.comBlog: SentinelOneBlog: Endpoint Threat ProtectionTag change
Flashpointhttps://www.flashpoint-intel.comBlog: flashpointBlog: FlashpointBlog reactivated in CAL ATL; Tag change
Fox-IThttps://blog.fox-it.comBlog: Fox ITBlog: Fox-ITTag change
Google Online Security Bloghttps://security.googleblog.comBlog: Google Security BlogBlog: Google Online Security BlogTag change
Government Centre for Monitoring, Alerting and Responding to Computer Attackshttps://www.cert.ssi.gouv.fr/cti/feed/

Blog: CERT-FR MENACES ET INCIDENTS

Blog: Government Centre for Monitoring, Alerting and Responding to Computer Attacks (Scada)

Blog: Government Centre for Monitoring, Alerting and Responding to Computer Attacks (Alerts)

Blog: Centre gouvernemental de veilleMultiple Tags consolidated to a single Tag
Greynoise Labshttps://www.greynoise.ioBlog: GreyNoiseBlog: Greynoise LabsTag change
Hack Readhttps://www.hackread.comBlog: HackReadBlog: Hack ReadTag change
Heimdal Security Bloghttps://heimdalsecurity.com/blog/Blog: Heimdal SecurityBlog: Heimdal Security BlogTag change
Hipaajournalhttps://www.hipaajournal.comBlog: Hipaa JournalBlog: HipaajournalTag change
Internet Crime Complaint Center Industry Alerts (IC3)https://www.ic3.govN/ABlog: Federal Bureau of InvestigationBlog reactivated in CAL ATL
JPCERT コーディネーションセンターhttps://blogs.jpcert.or.jp/en

Blog: JPCERT

Blog: JPCERT Coordination Center official Blog

Blog: JPCERT コーディネーションセンターMultiple Tags consolidated into a single Tag
labs.vipre.comhttps://vipre.com/BLOG: VIPRE Labs BlogBlog: labs.vipre.comBlog reactivated in CAL ATL; Tag change
Mandianthttps://www.mandiant.com/resources/blog/rss.xmlBlog: MandiantBlog: Think With GoogleMandiant no longer publishes threat intelligence information, but redirects to Google Cloud Threat Intelligence Blog, which is now added to CAL ATL
Microsoft Enterprisehttps://www.microsoft.com/en-usBlog: Microsoft SecureBlog: Microsoft EnterpriseTag change
Ncsc.gov.ukhttps://www.ncsc.gov.ukBlog: NCSC Reports, Guidance and Blog-postBlog: Ncsc.gov.ukTag change
Nextron systemshttp://nextron-systems.comBlog: NextronBlog: Nextron systemsTag change
Palo Alto Networkshttps://security.paloaltonetworks.comBlog: Palo Alto Daily PostBlog: Palo Alto NetworksTag change
Project Zerohttps://projectzero.googleBlog: Google Project ZeroBlog: Project ZeroTag change
Proofpoint UKhttps://www.proofpoint.comBlog: Proof PointBlog: Proofpoint UKTag change
Recordedfuturehttps://www.recordedfuture.com/blogBlog: Recorded FutureBlog: RecordedfutureTag change
Red Packet Securityhttps://www.redpacketsecurity.com

Blog: Red Packet Security Pikabot C2

Blog: Red Packet Security Ransomware Feed

Blog: Red Packet Security Posh C2

Blog: RedPacket SecurityBlog reactivated in CAL ATL; multiple Tags consolidated into a single Tag
Reversing Labshttp://www.reversinglabs.comBlog: ReversingLabsBlog: Reversing LabsTag change
SANS Internet Storm Centerhttps://isc.sans.eduBlog: SANSBlog: SANS Internet Storm CenterTag change
Securelist.comhttps://securelist.comBlog: SecurelistBlog: Securelist.comTag change
Security Weekhttps://www.securityweek.comN/ABlog: Security WeekBlog reactivated in CAL ATL
Sekoiahttp://blog.sekoia.ioBlog: Sekoia.ioBlog: SekoiaTag change
Sophos securityhttps://www.sophos.com

Blog: Sophos

Blog: Sophos - Threat Research

Blog: Sophos securityMultiple Tags consolidated into a single Tag
Splunkhttps://www.splunk.com/en_us/blogBlog: Splunk Threat Research TeamBlog: SplunkBlog reactivated in CAL ATL; Tag change
Sucuri Bloghttps://blog.sucuri.netBlog: SucuriBlog: Sucuri BlogTag change
Talos Bloghttps://blog.talosintelligence.comBlog: Cisco Talos BlogBlog: Talos BlogTag change
Tech Xplorehttps://techxplore.comBlog: TechXploreBlog: Tech XploreTag change
Tgsofthttp://tgsoft.itBlog: VirITBlog: TgsoftTag change
The Citizen Labhttps://citizenlab.caBlog: Citizen LabBlog: The Citizen LabTag change
The Cyber Expresshttps://thecyberexpress.comBlog: The Cyber Express Daily FirewallBlog: The Cyber ExpressTag change
The DFIR Reporthttp://thedfirreport.comN/ABlog: The DFIR ReportBlog reactivated in CAL ATL
The Digest (Crypto-Ransomware)http://id-ransomware.blogspot.comBLOG: ID RansomwareBlog: The Digest (Crypto-Ransomware)Blog reactivated in CAL ATL; Tag change
The Record Mediahttps://therecord.mediaBlog: The RecordBlog: The Record MediaTag change
The Register Securityhttps://www.theregister.com/security/headlines.atomBlog: The Register SecurityN/ABlog retired from CAL ATL due to copyright licensing changes; licensed content from this blog may be added to CAL ATL in the future
Traficomin Kyberturvallisuuskeskushttps://www.kyberturvallisuuskeskus.fi

Blog: kyberturvallisuuskeskus - Information Security Now!

Blog: kyberturvallisuuskeskus – Vulnerabilities

Blog: Traficom

Blog: Traficomin KyberturvallisuuskeskusMultiple Tags consolidated into a single Tag
Trend Micro Bloghttps://blog.trendmicro.comBlog: TrendMicroBlog: Trend Micro BlogTag change
Unit 42https://unit42.paloaltonetworks.comBlog: Unit42Blog: Unit 42Tag change

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20183-01 v.01.A

Was this article helpful?
Related articles
What's Next
Company
Sales and Support
Follow Us
© 2012–2026 ThreatConnect, Inc. All Rights Reserved.