🎉 ThreatConnect® 7.12 is now available! We love customer feedback. Write a review of ThreatConnect and we'll give you up to $50 as a thank-you gift!

Prepare for CAL ATL Changes in CAL 3.15 Release

  • Updated on Mar 23, 2026
  • Published on Mar 3, 2026
  • 4 minute(s) read
Prev Next

Overview

The CAL™ 3.15 release, scheduled for late March 2026, will deliver a major upgrade for ThreatConnect® and Polarity customers leveraging CAL Automated Threat Library (ATL). In addition to bringing in data from new blogs and report sources and improving the frequency and reliability of data retrieval, this release includes changes that streamline and update blog metadata and remove blogs that no longer exist or provide relevant data:

  • Tag names for some CAL ATL blogs were changed to ensure consistency and correctness.
  • Some CAL ATL blogs were consolidated under a single Tag.
  • Retired blogs that were re-activated were added back to CAL ATL.
  • Blogs that stopped publishing relevant data were retired.
  • URLs for CAL ATL blogs were updated as needed.
Important
These changes may affect customer workflows, automations, and dashboards that incorporate updated Tag names. ThreatConnect will automatically normalize these Tags in the CAL 3.15 release. You do not need to take any further action.

CAL ATL Updates for CAL 3.15

The CAL Automated Threat Library Source includes the following features under the CAL 3.15 release:

  • 125 of the best blog and report sources—including CERTs, government agencies, security research organizations, industry vendors, and security news—to help power CTI workflows, orchestration, and decision making. These sources include the following:
    • 46 new blog and report sources
    • Reactivated blog and report sources:
      • 360 Netlab Blog
      • Check Point Research
      • CrowdStrike (formerly CrowdStrike Blog)
      • Dark Reading
      • Flashpoint
      • Internet Crime Complaint Center (IC3)
      • RedPacket Security (formerly Red Packet Security Pikabot C2, Red Packet Security Ransomware Feed, and Red Packet Security Posh C2)
      • Security Week
      • Splunk (formerly Splunk Threat Research Team)
      • The DFIR Report
      • The Digest (Crypto-Ransomware) (formerly ID Ransomware)
      • VIPRE Labs (formerly VIPRE Labs Blog)
  • Hourly updates for all blog and report sources
  • Improved reliability of retrieved information
  • Reduced false positives from links identified as indicators of compromise (IoCs) in blogs and reports

What Do I Need to Do?

The CAL 3.15 release is scheduled for late March 2026. You do not need to make any changes, as automatic Tag normalization rules will make all necessary adjustments to account for changed Tags. If you think you may not want automated Tag normalization to occur on your ThreatConnect instance, please reach out to your Customer Support Manager to be excluded.

Warning
Opting out of automatic Tag normalization for the CAL 3.15 update will require you to make manual changes to playbooks, dashboards, ThreatConnect Query Language (TQL) queries, and other areas that use legacy Tag names.

Table 1 lists the updated blogs, including changes to their corresponding Tag and a description of the change.

 

Blog NameSource URLOld ThreatConnect TagCurrent ThreatConnect TagWhat Changed?
360 Netlab Bloghttps://blog.netlab.360.com/N/ABlog: 360 Netlab BlogBlog reactivated in CAL ATL
Bitdefenderhttps://www.bitdefender.com/en-usBlog: Bitdefender LabsBlog: BitdefenderTag change
Bleeping Computerhttps://www.bleepingcomputer.comBlog: BleepingComputerBlog: Bleeping ComputerTag change
Canadian Centre for Cyber Securityhttps://www.cyber.gc.caBlog: Government of Canada Alerts and AdvisoriesBlog: Canadian Centre for Cyber SecurityTag change
Center for Internet Securityhttps://www.cisecurity.org

Blog: CIS - Center for Internet Security (Advisories)

Blog: CIS - Center for Internet Security (Alerts)

Blog: Center for Internet Security (Alert)

Blog: Center for Internet SecurityMultiple Tags consolidated into a single Tag
Centre gouvernemental de veillehttps://www.cert.ssi.gouv.fr

Blog: CERT-FR MENACES ET INCIDENTS

Blog: Government Centre for Monitoring, Alerting and Responding to Computer Attacks (Scada)

Blog: Government Centre for Monitoring, Alerting and Responding to Computer Attacks (Alerts)

Blog: Centre gouvernemental de veilleMultiple Tags consolidated into a single Tag
CERT-UAhttps://cert.gov.ua/Blog: CERT-UA NewsBlog: CERT-UATag change
Check Point Researchhttps://research.checkpoint.comN/ABlog: Check Point ResearchBlog reactivated in CAL ATL
CISAhttps://cisa.gov/Blog: CISA Cybersecurity Alerts & AdvisoriesBlog: CISATag change
CrowdStrikehttps://www.crowdstrike.comBlog: CrowdStrike BlogBlog: CrowdStrikeBlog reactivated in CAL ATL; Tag change
Cyber Security Newshttps://cybersecuritynews.comBlog: Cybersecurity NewsBlog: Cyber Security NewsTag change
Cyberscoop - Attackshttps://www.cshub.com/rss/categories/attacksBlog: CyberScoop AttacksN/ABlog retired from CAL ATL - stopped publishing data in April 2025
Cyberscoop - Security Strategyhttps://www.cshub.com/rss/categories/security-strategyBlog: Cyber Security HubN/ABlog retired from CAL ATL - stopped publishing data in August 2025
Cyberscoop - Threat Defensehttps://www.cshub.com/rss/categories/threat-defenseBlog: CyberScoopN/ABlog retired from CAL ATL - stopped publishing data in June 2025
Dark Readinghttps://www.darkreading.com/N/ABlog: Dark ReadingBlog reactivated in CAL ATL
DataBreacheshttps://databreaches.net/Blog: Data Breach TodayBlog: DataBreachesTag change
Flashpointhttps://www.flashpoint-intel.comBlog: flashpointBlog: FlashpointBlog reactivated in CAL ATL; Tag change
Fox-IThttps://blog.fox-it.comBlog: Fox ITBlog: Fox-ITTag change
GreyNoise Labshttps://www.greynoise.ioBlog: GreyNoiseBlog: GreyNoise LabsTag change
Heimdal Security Bloghttps://heimdalsecurity.com/blog/Blog: Heimdal SecurityBlog: Heimdal Security BlogTag change
Internet Crime Complaint Center (IC3)https://www.ic3.govN/ABlog: IC3Blog reactivated in CAL ATL
JPCERT コーディネーションセンターhttps://blogs.jpcert.or.jp/en

Blog: JPCERT

Blog: JPCERT Coordination Center official Blog

Blog: JPCERT コーディネーションセンターMultiple Tags consolidated into a single Tag
Malwarebyteshttps://www.malwarebytes.com/BLOG: Malware Bytes Threat AnalysisVIPRE Labs BlogBlog: MalwarebytesTag change
Mandianthttps://www.mandiant.com/resources/blog/rss.xmlBlog: MandiantBlog: Think With GoogleMandiant no longer publishes threat intelligence information, but redirects to Google Cloud Threat Intelligence Blog, which is now added to CAL ATL
Microsoft Enterprisehttps://www.microsoft.com/en-us/security/blog/
Blog: Microsoft SecureBlog: Microsoft EnterpriseTag change
NCSC UKhttps://www.ncsc.gov.ukBlog: NCSC Reports, Guidance and Blog-postBlog: NCSC UKTag change
Nextron Systemshttps://nextron-systems.com/Blog: NextronBlog: Nextron SystemsTag change
Palo Alto Networkshttps://security.paloaltonetworks.comBlog: Palo Alto Daily PostBlog: Palo Alto NetworksTag change
Project Zerohttps://projectzero.googleBlog: Google Project ZeroBlog: Project ZeroTag change
Proofpointhttps://www.proofpoint.comBlog: Proof PointBlog: ProofpointTag change
RedPacket Securityhttps://www.redpacketsecurity.com

Blog: Red Packet Security Pikabot C2

Blog: Red Packet Security Ransomware Feed

Blog: Red Packet Security Posh C2

Blog: RedPacket SecurityBlog reactivated in CAL ATL; multiple Tags consolidated into a single Tag
SANS Internet Storm Centerhttps://isc.sans.eduBlog: SANSBlog: SANS Internet Storm CenterTag change
Security Weekhttps://www.securityweek.comN/ABlog: Security WeekBlog reactivated in CAL ATL
Sekoiahttp://blog.sekoia.ioBlog: Sekoia.ioBlog: SekoiaTag change
Sentinel Onehttps://www.sentinelone.comBlog: SentinelOneBlog: Sentinel OneTag change
Sophoshttps://www.sophos.com

Blog: Sophos

Blog: Sophos - Threat Research

Blog: SophosMultiple Tags consolidated into a single Tag
Splunkhttps://www.splunk.com/en_us/blog/author/secmrkt-research.htmlBlog: Splunk Threat Research TeamBlog: SplunkBlog reactivated in CAL ATL; Tag change
Sucuri Bloghttps://blog.sucuri.netBlog: SucuriBlog: Sucuri BlogTag change
Talos Bloghttps://blog.talosintelligence.comBlog: Cisco Talos BlogBlog: Talos BlogTag change
Tech Xplorehttps://techxplore.comBlog: TechXploreBlog: Tech XploreTag change
TG Softhttps://tgsoft.it/Blog: VirITBlog: TG SoftTag change
The Citizen Labhttps://citizenlab.caBlog: Citizen LabBlog: The Citizen LabTag change
The Cyber Expresshttps://thecyberexpress.comBlog: The Cyber Express Daily FirewallBlog: The Cyber ExpressTag change
The DFIR Reporthttps://thedfirreport.com/N/ABlog: The DFIR ReportBlog reactivated in CAL ATL
The Digest (Crypto-Ransomware)https://id-ransomware.blogspot.com/BLOG: ID RansomwareBlog: The Digest (Crypto-Ransomware)Blog reactivated in CAL ATL; Tag change
The Register Securityhttps://www.theregister.com/security/headlines.atomBlog: The Register SecurityN/ABlog retired from CAL ATL due to copyright licensing changes; licensed content from this blog may be added to CAL ATL in the future
Traficomin Kyberturvallisuuskeskushttps://www.kyberturvallisuuskeskus.fi

Blog: kyberturvallisuuskeskus - Information Security Now!

Blog: kyberturvallisuuskeskus – Vulnerabilities

Blog: Traficom

Blog: Traficomin KyberturvallisuuskeskusMultiple Tags consolidated into a single Tag
Trend Micro Bloghttps://blog.trendmicro.comBlog: TrendMicroBlog: Trend Micro BlogTag change
Unit 42https://unit42.paloaltonetworks.comBlog: Unit42Blog: Unit 42Tag change
VIPRE Labshttps://vipre.com/BLOG: VIPRE Labs BlogBlog: VIPRE LabsBlog reactivated in CAL ATL; Tag change

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20183-01 v.03.A

Related articles
Company
Sales and Support
Follow Us
© 2012–2024 ThreatConnect, Inc. All Rights Reserved.