Sharing intelligence using TAXII Server
Summary of Sharing intelligence using TAXII Server
ServiceNow Threat Intelligence Sharing Center (TISC) enables structured threat intelligence exchange between instances using TAXII collections. This method allows a source TISC instance to expose threat intelligence data, which a target TISC instance retrieves through a configured TAXII feed. Proper configuration is required on both source and target instances to facilitate secure and automated intelligence sharing.
Configuring the Source TISC Instance
- Global Sharing Rules: Configure and publish outbound intelligence data exclusion rules and sharing controls to define what data is shared.
- TAXII Collections: Create TAXII collections to organize the intelligence data to be shared.
- Outbound Intelligence Sharing Templates: Create and publish templates with settings specific to TAXII sharing.
- Adding Records: Add intelligence records to TAXII collections either manually via the GUI or automatically using flows for continuous sharing.
- TAXII API User: Create a dedicated API user with role sn_sec_tisc.taxii_server_api_user to authenticate the target instance when it fetches data.
Configuring the Target TISC Instance
- Create TAXII Feed: Set up a new TAXII feed in the target instance to connect to the source.
- Discovery Service Configuration: Use the Discovery Service URL (https://{instance_name}/api/sn_sec_tisc/taxii_server/taxii2) as the configuration type.
- Authentication: Select Basic authentication and provide the credentials of the TAXII API user created on the source instance.
- Connection Validation: Validate connectivity and retrieve available TAXII collections from the source by clicking the Get TAXII Collections button.
- Ingestion Setup: Enable the desired collections for ingestion. Configure the Fetch From Time to specify when to start pulling data and set the ingestion frequency for scheduled updates.
Benefits for ServiceNow Customers
This TAXII-based sharing framework enables ServiceNow customers to automate and standardize the sharing of threat intelligence between TISC instances, improving situational awareness and response capabilities. By following the outlined configuration steps, customers can securely exchange relevant threat data, ensuring timely updates and maintaining consistency across their security operations.
You can retrieve threat intelligence from a source TISC instance into a target TISC instance using TAXII collections. This process requires configuration in both the source and target instances.
TAXII-Based Sharing
TAXII-based sharing enables structured and standardized exchange of threat intelligence between TISC instances. In this model, the source instance exposes intelligence through TAXII collections, and the target instance retrieves that data using a configured TAXII feed.
Configuring the source TISC instance
Complete the following steps in the source TISC instance before configuring the target instance.
- Configure global sharing rules:
Ensure the following are configured and published based on your requirements:
- Create TAXII collections: Set up the required TAXII collections in the source TISC instance. For instructions, see Create a TAXII collection.
- Create outbound intelligence sharing templates: Create and publish an outbound intelligence sharing template with the required configuration for TAXII sharing. For instructions, see Outbound intelligence sharing templates.
- Add records to the TAXII collection: You can add records using either of the following methods:
- Ad-hoc addition via the graphical user interface (GUI). For more information, see Add records to a TAXII collection.
- Automated addition using flows. For more information, see Automate sharing to TAXII collections.
- Create a TAXII API user for the target TISC instance: Create a dedicated API user in the source TISC instance for authentication when the target instance connects to fetch intelligence data.
Assign the role sn_sec_tisc.taxii_server_api_user.
Configuring the target TISC instance
After completing the source configuration, configure the target instance to pull intelligence from the source.
- Create a new TAXII feed: In the target TISC instance, create a new TAXII feed. For more information, see Configure a new TAXII feed.
- Configure the discovery service: Set Configuration Type to Discovery Service URL and enter the following URL:
https://{instance_name}/api/sn_sec_tisc/taxii_server/taxii2
- Configure Authentication:
- Select Basic as the authentication method.
- Provide the username and password of the TAXII API user created in the source instance.
- Save the configuration: Validate the connection, then click the Get TAXII Collections button to retrieve the enabled TAXII collections from the source instance.
- Enable and configure ingestion:
- Navigate to the collection you want to ingest.
- Enable the collection.
- Specify the Fetch From Time and the desired ingestion frequency.
All records added to the collection in the source instance after the specified time are pulled into the target instance according to the configured schedule.
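The following is an added example, not ServiceNow code: a pre-flight check that builds the same discovery and fetch requests the target feed is configured to make, and audits what the dedicated API user can see. It assumes the source server follows TAXII 2.1 (media type, `api_roots`, `can_read`/`can_write`, `added_after`); the host name, API root path, collection IDs and sample responses are constructed.

```python
import base64
import json
from datetime import timezone
from urllib.parse import urlencode, urljoin, urlsplit

# Assumption: the server speaks TAXII 2.1 (OASIS media type and JSON shapes).
TAXII_ACCEPT = "application/taxii+json;version=2.1"

def discovery_request(instance_name, user, password):
    """Return (url, headers) for the discovery call with Basic authentication."""
    url = f"https://{instance_name}/api/sn_sec_tisc/taxii_server/taxii2"
    # Reject names that smuggle in userinfo, a path or a port.
    if urlsplit(url).hostname != instance_name.lower():
        raise ValueError("instance_name must be a bare hostname")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return url, {"Accept": TAXII_ACCEPT, "Authorization": f"Basic {token}"}

def objects_url(discovery_url, api_root, collection_id, fetch_from):
    """URL that pulls records added after the feed's Fetch From Time."""
    if fetch_from.tzinfo is None:
        raise ValueError("Fetch From Time must be timezone-aware")
    root = urljoin(discovery_url, api_root).rstrip("/")
    # Basic credentials must not follow an API root onto another host.
    if urlsplit(root).hostname != urlsplit(discovery_url).hostname:
        raise ValueError("API root is on a different host than the discovery URL")
    stamp = fetch_from.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    query = urlencode({"added_after": stamp})
    return f"{root}/collections/{collection_id}/objects/?{query}"

def audit_collections(collections_json):
    """Return (readable collection ids, least-privilege findings)."""
    readable, findings = [], []
    for coll in json.loads(collections_json).get("collections", []):
        if coll.get("can_read"):
            readable.append(coll["id"])
        if coll.get("can_write"):
            findings.append(f"{coll['id']}: API user can write, the feed only reads")
    return readable, findings

# Constructed sample responses; the api_roots path and ids are hypothetical.
SAMPLE_DISCOVERY = '{"api_roots": ["/api/sn_sec_tisc/taxii_server/taxii2/example_root/"]}'
SAMPLE_COLLECTIONS = json.dumps({"collections": [
    {"id": "c-0001", "title": "Phishing IoCs", "can_read": True, "can_write": False},
    {"id": "c-0002", "title": "Internal only", "can_read": True, "can_write": True},
]})
```

Any finding from `audit_collections`, or a readable collection that was not meant for this target, is a reason to revisit the API user's access on the source instance before enabling ingestion.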