Sharing intelligence using TAXII Server

  • Release version: Xanadu
  • Updated February 24, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Sharing intelligence using TAXII Server

    This guide explains how ServiceNow Threat Intelligence Service Consumption (TISC) instances can share threat intelligence using TAXII (Trusted Automated eXchange of Indicator Information) collections. TAXII-based sharing allows standardized and structured exchange of threat data between source and target TISC instances, enabling automated retrieval and ingestion of intelligence data.

    Show full answer Show less

    Configuring the Source TISC Instance

    • Global Sharing Rules: Set and publish Outbound Intel Data Exclusion Rules and Outbound Intel Sharing Controls according to your sharing policies.
    • TAXII Collections: Create TAXII collections in the source instance to organize and expose intelligence data.
    • Outbound Sharing Templates: Create and publish templates that define configuration specifics for outbound TAXII sharing.
    • Adding Records: Populate TAXII collections with intelligence records either manually via the GUI or automatically through workflows.
    • TAXII API User: Create a dedicated API user with the role snsectisc.taxiiserverapiuser to authenticate target instance connections.

    Configuring the Target TISC Instance

    • Create TAXII Feed: Set up a new TAXII feed in the target instance to pull data from the source.
    • Discovery Service Configuration: Use the Discovery Service URL format https://{instancename}/api/snsectisc/taxiiserver/taxii2 to locate TAXII collections.
    • Authentication: Configure Basic Authentication using the API user credentials created in the source instance.
    • Validate and Retrieve Collections: Confirm connectivity and retrieve available TAXII collections from the source.
    • Enable Ingestion: Enable desired collections, specify a starting point with Fetch From Time, and set ingestion frequency to automatically pull new intelligence data.

    Key Outcomes

    By following these steps, ServiceNow customers can automate the secure sharing and ingestion of threat intelligence between TISC instances. This ensures timely access to relevant threat data, enhancing detection and response capabilities through standardized TAXII protocols.

    You can retrieve threat intelligence from a source TISC instance into a target TISC instance using TAXII collections. This process requires configuration in both the source and target instances.

    TAXII-Based Sharing

    TAXII-based sharing enables structured and standardized exchange of threat intelligence between TISC instances. In this model, the source instance exposes intelligence through TAXII collections, and the target instance retrieves that data using a configured TAXII feed.

    Configuring the source TISC instance

    Complete the following steps in the source TISC instance before configuring the target instance.

    1. Configure global sharing rules:

      Ensure the following are configured and published based on your requirements:

    2. Create TAXII collections: Set up the required TAXII collections in the source TISC instance. For instructions, see Create a TAXII collection.

    3. Create outbound intelligence sharing templates: Create and publish an outbound intelligence sharing template with the required configuration for TAXII sharing. For instructions, see Outbound intelligence sharing templates.
    4. Add records to the TAXII collection: You can add records using either of the following methods:
    5. Create a TAXII API user for the target TISC instance: Create a dedicated API user in the source TISC instance for authentication when the target instance connects to fetch intelligence data.

      Assign the role sn_sec_tisc.taxii_server_api_user.

    Configuring the target TISC instance

    After completing the source configuration, configure the target instance to pull intelligence from the source.

    1. Create a new TAXII feed: In the target TISC instance, create a new TAXII feed. For more information, see Configure a new TAXII feed.
    2. Configure the discovery service: Set Configuration Type to Discovery Service URL and enter the following URL:
      https://{instance_name}/api/sn_sec_tisc/taxii_server/taxii2
    3. Configure Authentication:
      • Select Basic as the authentication method.
      • Provide the username and password of the TAXII API user created in the source instance.
    4. Save the configuration:

      Validate the connection then click the Get TAXII Collections button to retrieve the enabled TAXII collections from the source instance.

    5. Enable and configure ingestion:
      1. Navigate to the collection you want to ingest.
      2. Enable the collection.
      3. Specify the Fetch From Time and the desired ingestion frequency.

      All records added to the collection in the source instance after the specified time are pulled into the target instance according to the configured schedule.