Threat Intelligence Security Center release notes

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center release notes - Xanadu Release

    The ServiceNow® Threat Intelligence Security Center (TISC) application enhances collaboration between security and IT teams to improve the speed and efficiency of threat response. The Xanadu release introduces new integrations, advanced visualization, automation capabilities, and expanded MITRE ATT&CK technique support to empower security analysts in conducting threat investigations and managing security incidents with enriched intelligence.


    Key Features

    • Entity Relationship Visualization: Visualize connections between observables, indicators of compromise (IOCs), threat actors, and cases with interactive relationship graphs and new Investigation Canvases for deeper analysis.
    • Integrations:
      • CrowdStrike Falcon EDR: Enables continuous monitoring and real-time alerts using TISC intelligence.
      • Palo Alto Networks: Manage External Dynamic Lists (EDLs) directly from TISC to block malicious IPs, URLs, and domains.
    • MITRE ATT&CK Support: All observables, indicators, and entities support MITRE technique associations, which can be rolled up at the case level both manually and automatically. Automatic extraction rules capture techniques into intelligence records.
    • Automation and API Enhancements: Automate analyst workflows with sample automation flows, create observables through TISC API 2.0, and use webhooks for trigger-based notifications.
    • Bulk Taxonomy Import: Support for bulk uploading taxonomy values to streamline classification.
    • Threat Score Customization: Custom Threat Score Calculator allows defining threat score criteria based on user-defined rules within TISC.
    • User Interface Improvements: Enhanced relationship graphs, direct alias addition in the threat intelligence library, and related info displayed in the Security Incident Response Workspace TISC Context tab.
    • Expiration Rules: Define granular expiration policies for data sources and record types to manage threat intelligence lifecycle.

    Practical Benefits for ServiceNow Customers

    • Speed up threat detection and response by unifying intelligence and IT workflows through automated actions and real-time alerting.
    • Improve investigative accuracy with enriched contextual data visualizations and MITRE ATT&CK technique associations.
    • Enhance threat blocking capabilities via Palo Alto Networks integration and External Dynamic Lists.
    • Streamline data management and classification using bulk imports and customizable expiration rules.
    • Leverage API enhancements and automation to integrate TISC intelligence with existing security workflows and tools.
    • Customize threat scoring to better align with organizational risk criteria, facilitating prioritization of security incidents.

    Installation and Related Applications

    To activate the Threat Intelligence Security Center, customers must request the application from the ServiceNow Store. The TISC application integrates with other Security Operations suite components such as Security Incident Response, Vulnerability Response, and Threat Intelligence, enabling a comprehensive security posture and response capability.

    The ServiceNow® Threat Intelligence Security Center (TISC) application empowers your organization to connect security and IT teams so you can respond faster and more efficiently to threats.

    Threat Intelligence Security Center highlights for the Xanadu release

    • Visualize node connections between entities like observables, IOCs, and threat actors, and link cases or canvases to enrich analysis.
    • Enable continuous monitoring and real-time alerts based on intelligence from TISC with CrowdStrike Falcon EDR integration.
    • Block malicious IPs, URLs, and domains using External Dynamic List (EDL) capabilities with Threat Intelligence data and Palo Alto Networks integration.
    • Manage analyst actions through automation flows.
    • Conduct research on threats to support the reactive and proactive needs of security teams.
    • Create and track threat investigations using Case Management.

    See Threat Intelligence Security Center for more information.

    New in the Xanadu release

    All observables, indicators, and entities now support MITRE technique associations.
    Roll up of MITRE technique associations
    MITRE techniques can now be rolled up from artifacts at a case level both manually and automatically.
    Palo Alto Networks integration
    Integration with Palo Alto is now available to manage External Dynamic Lists (EDLs) directly from TISC.
    CrowdStrike Falcon EDR integration
    Integration with CrowdStrike Falcon EDR is now available for continuous monitoring and real-time alerting based on TISC intelligence.
    Working with Investigation Canvases
    Introduced a new Investigation Canvas for deeper and interactive case analysis.
    View details in Relationship Graph
    Enhanced the user experience on relationship visualizations.
    Bulk import Taxonomies
    Supports bulk upload of taxonomy values.
    TISC API References
    Creating observables in TISC is now available through the implementation of TISC API 2.0.
    Defining Expiration Rules
    Define expiration policies at a more granular level by creating expiration rules for data source and record type combinations.
    Working with Webhooks
    Initiate trigger-based notifications by using Webhooks.
    Working with automated flows
    Automate analyst actions through sample automation flows.
    Add observables to TISC Case
    Add security incident and observables directly to a TISC case in the Security Incident Response Workspace.
    MITRE ATT&CK Technique Extraction Rules
    Capture automatically extracted MITRE techniques to the intelligence records such as observables, indicators, and all STIX entities.

    Changed in this release

    TISC Library Repository
    New aliases can now be added directly from the form views of the threat intelligence library.

    UI changes

    View related info from TISC
    In the Security Incident Response Workspace, the TISC Context tab now shows the related information for selected observables.
    Custom Threat Score Calculator in TISC
    The Custom Threat Score Calculator automatically defines threat score criteria for security incidents based on user-defined criteria.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
    Security Operations common functionality
    When any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated.