Set up Threat Intelligence Security Center

  • Release version: Yokohama
  • Updated August 21, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Set up Threat Intelligence Security Center

    The Threat Intelligence Security Center (TISC) is a ServiceNow application that must be downloaded from the ServiceNow Store before use. It provides capabilities for ingesting, enriching, managing, and analyzing threat intelligence data. Proper role assignment and prerequisite installations are essential for smooth integration and operation.

    Show full answer Show less

    Roles and Responsibilities

    • Threat Intelligence Administrator (snsectisc.admin): Responsible for configuring data sources, integrations for data enrichment, data import approvals, threat score calculators, taxonomies, and the MITRE ATT&CK repository. This role also assigns the Analyst role and manages overall application setup.
    • Threat Intelligence Analyst (snsectisc.analyst): Focuses on viewing data overviews, importing intelligence data, searching and managing ingested data, performing enrichment actions on observables, and creating and managing cases.

    Configuration and Setup Tasks

    • Install the TISC application from the ServiceNow Store.
    • Assign the snsectisc.admin role to administrators for configuration tasks.
    • Configure data sources to ingest threat intelligence feeds.
    • Set up integrations to enrich observable data within TISC.
    • Define and configure roles for data import approvals.
    • Create and configure threat score calculators to automate threat scoring.
    • Establish taxonomies and taxonomy values for threat classification.
    • Configure the MITRE ATT&CK repository relevant to your organization’s needs.
    • Assign the snsectisc.analyst role to users responsible for data analysis and case management.

    Scripting Access Roles

    Specific roles provide scripting permissions on key TISC tables for integration, enrichment, and threat score calculation:

    • snsectisc.integrationwrite: Access to enrichment integration tables.
    • snsectisc.ruleswrite: Access to threat score calculator rules.

    Required Plugins and Dependencies

    The following core ServiceNow applications and plugins must be installed and activated to support TISC functionality:

    • Security Case Management common workspace components
    • Threat Intelligence Support Common
    • Column Level Encryption
    • Large JSON and XML Payload Builder API
    • Security Support Core
    • Node Map Experience Component
    • Reporting UI Component for Workspace
    • Rich Text Editor Component for Security Operations
    • Security Integration Framework
    • Security Support Common
    • Security Support Orchestration

    Ensure all these applications and dependencies are installed and activated before configuring the Threat Intelligence Security Center for optimal integration and operation.

    Before you use the Threat Intelligence Security Center, you must download it from the ServiceNow Store.

    Roles installed

    Review the following information and verify that you’ve completed all the tasks for a smooth integration. Below is the list of different user persona defined to access and work with the application:
    • Threat Intelligence Analyst (sn_sec_tisc.analyst)
    • Threat Intelligence Administrator (sn_sec_tisc.admin)
    Table 1. Entitlements applicable for TISC Roles
    Setup Description
    Assign and verify the required ServiceNow AI Platform and Threat Intelligence Security Center roles. The following roles are required for configuration and verification of the expected results:
    • As an admin, you must install the TISC application from the ServiceNow Store and assign the role as sn_sec_tisc.admin.
    • This sn_sec_tisc.admin role performs the following tasks:
      • Configures the Data Sources to ingest the data. For more information, see Threat Intelligence Feeds.
      • Configured the integrations required for Enriching Observable data in TISC. For more information, see TISC Enrichment integrations.
      • Configures Data Import Approval Roles for importing data using Import Assistant. For more information, see Working with Data Imports.
      • Configures Threat Score Calculator using required criteria for automatic calculation of Threat Score of observables. For more information, see Define Threat Score Calculator.
      • Configures required Taxonomies and Taxonomy Values. For more information, see Creating Taxonomies.
      • Configure the MITRE ATT&CK repository relevant to your organization. For more information, see MITRE-ATT&CK Repository.
      Note:
      As a sn_sec_tisc.admin, you can also assign the sn_sec_tisc.analyst role.
    • The sn_sec_tisc.analyst role performs the following tasks:
      • Views the overview of data in the system using the application homepage. For more information, see Home page in TISC Workspace.
      • Import data into system using Import Intelligence button in Threat Library Page. For more information, see Threat Intelligence Security Center Library.
        • Searches across the data present in the application using search provided in Threat Library page.
        • Manages the data ingested from various sources in Threat Library.
        • Performs various Enrichment actions on Observables.
        • Creates and Manages Cases. For more information, see Creating cases using Threat Analyst Workbench.

    Granular roles in TISC with scripting access

    The following roles provide scripting access to the listed tables:
    Role Table
    sn_sec_tisc.integration_write sn_sec_tisc_enrichment_integration
    sn_sec_tisc.rules_write sn_sec_tisc_threat_score_calculator_rule

    Dependency Plugins

    Plugin Description
    This following applications are required for installation of this application:
    • Security Case Management common workspace components [com.snc.escm.ws_commons].
    • Threat Intelligence Support Common [com.snc.threat].
    • Column Level Encryption (com.glide.encryption)
    • Large JSON and XML Payload Builder API (com.glide.streaming_builder)
    • Security Support Core (com.snc.security_support.core)
    • Node map Experience Component (sn_node_map)
    • Reporting UI Component for Workspace(sn_sec_reporting)
    • Rich Text Editor Component for Security Operations(sn_escm_rte)
    • Security Integration Framework(sn_sec_int)
    • Security Support Common(sn_sec_cmn)
    • Security Support Orchestration(sn_sec_cmn_orch)
    		 Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.