Threat Intelligence Security Center release notes

  • Release version: Yokohama
  • Updated January 30, 2025

    The ServiceNow® Threat Intelligence Security Center application empowers your organization to connect security and IT teams so you can respond faster and more efficiently to threats. Threat Intelligence Security Center was enhanced and updated in the Yokohama release.

    Threat Intelligence Security Center highlights for the Yokohama release

    • Integrate with Microsoft Defender to enable Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs from TISC to Microsoft Defender.
    • Added the ability to create a security incident directly from a TISC case, with an option to associate observable artifacts with the security incident.
    • Enhanced support to export observables, indicators, and cases from the list views in STIX 2.1 JSON, CSV, and Excel formats.
    • Added settings to ingest indicators of interest based on associations to threat actors, threat reports, or malware families, including an option to include indicators deleted on CrowdStrike.
    • Improved Threat Intelligence Feed configuration functionality to create a duplicate copy of the existing feed.

    See Threat Intelligence Security Center for more information.

    Important:
    Threat Intelligence Security Center is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Yokohama release

    Microsoft Defender for EDR Integration
    Integration with Microsoft Defender for EDR allows Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs to Microsoft Defender for continuous monitoring and real-time alerting.
    Create a security incident from a TISC case
    Create security incidents from a TISC case and associate observables with those security incidents.
    Duplicate threat intelligence feeds
    Duplicate threat intelligence feeds to create an exact copy of the existing feed.

    Changed in this release

    Courses of Action
    Renamed Course of Actions to Courses of Action.
    Create Inbound Data Exclusion Rules
    Renamed Inbound Filtering Rules to Inbound Data Exclusion Rules.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Security Operations common functionality
    The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.