Threat Intelligence Feeds
Summary of Threat Intelligence Feeds
Threat Intelligence Feeds in ServiceNow enable automated import of security indicators into your instance, ensuring your threat data remains current and enhancing security monitoring. These feeds are managed through the Threat Intel Catalog within the Integrations section, where you can add, edit, or remove various threat intelligence data sources.
Key Features
- Feed Management: Access and manage all threat intelligence feeds from the All Feeds view in the Threat Intelligence Security Center workspace. You can filter feeds by state (enabled, disabled, draft), view them as cards or lists, refresh, and sort by last modified date or name.
- Filtering and Searching: Filter feeds by source type (Open Source, Premium, Other) and feed type (CSV, JSON, MISP, RSS, STIX, Custom, Text). Search feeds by name or description for quick navigation.
- Feed Types Supported: Configure and use multiple feed types including TAXII (STIX/TAXII collections), STIX HTTPS feeds, MISP format feeds, text, CSV, JSON, RSS feeds, and custom feeds with parsers. These feeds primarily extract URLs, domains, file names, hashes, and IP addresses.
- Field Mapping Configuration: Customize how data fields from feeds (especially text, CSV, JSON) map to observables within ServiceNow, enabling precise data interpretation and integration.
- Feed Duplication: Duplicate existing feeds with all associated data to modify settings without impacting the original source, facilitating safe experimentation and configuration changes.
Key Outcomes
By configuring Threat Intelligence Feeds, ServiceNow customers can automate the ingestion of critical security indicators into their Threat Intelligence Security Center, enabling real-time threat detection and response. This integration supports a variety of industry-standard feed formats, enhancing the flexibility and comprehensiveness of threat monitoring within the ServiceNow environment.
Configure threat intelligence data sources to automatically import security indicators into your ServiceNow instance. Use feeds to keep threat data current and enhance security monitoring capabilities.
Use Threat Intelligence Feeds to add, edit, or remove threat intelligence feed data sources. Access data source feeds from the Threat Intel Catalog under the Integrations section.
The catalog for threat intelligence feeds displays available feed data sources as tiles. You can filter, search, and navigate to source configuration details to perform various actions.
All Feeds
You can enable and use feeds displayed as cards in the base system.
To view feeds, navigate to .
Actions on the All Feeds view
| Action | Description |
|---|---|
| All | Filter feeds by current state using this drop-down menu. Available filter states: Enabled, Disabled, Draft. |
| (icon) | View all feeds as cards. |
| (icon) | View all feeds as a list. |
| (icon) | Refresh the page. |
| (icon) | Sort integrations by: last modified date, name. |
| All items | Filter threat intelligence feed tiles by source type or feed type. Source Type: Open Source, Premium, Other. Feed Type: CSV, JSON, MISP, RSS, STIX, Custom, Text. |
| Search in catalog | Search for feeds by name and description within the catalog. |
Threat Intelligence feed types
| Type | Description |
|---|---|
| TAXII Feeds | Feeds in STIX/TAXII Collections format. |
| STIX HTTPS | Threat intelligence feeds in STIX format accessible through REST APIs on HTTPS protocol. |
| MISP | Feeds in MISP format. |
| Text | Feeds hosted as text files. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| CSV | Feeds hosted as CSV files. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| JSON | Feeds hosted as JSON files. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| RSS | Feeds in RSS format. The application will store the data as RSS Feed Records. |
| Custom | Feeds configured with custom parsers. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
For configuration steps, refer to the respective topic for your feed type.
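
Because only URLs, domains, file names, hashes, and IP addresses are extracted from text feeds, entries of any other kind yield no observables. The following added example, which is not ServiceNow code and does not reproduce the product's parser, previews a text feed before onboarding to show which lines fit one of the five types; the classification heuristics, the extension list, and the sample feed are assumptions constructed for illustration.

```python
import ipaddress
import re

# Heuristics below are assumptions for illustration, not ServiceNow's parser.
HASH_LENGTHS = {32, 40, 64}  # MD5, SHA-1, SHA-256 hex digests
FILE_EXTS = {"exe", "dll", "js", "vbs", "ps1", "docm", "xlsm", "zip", "iso", "lnk"}
URL_RE = re.compile(r"^(https?|ftp)://\S+$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def refang(value):
    """Undo common defanging (hxxp://, [.]) so the entry can be classified."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http", 1)

def classify(value):
    """Return one of the five observable types, or None if the entry fits none."""
    v = refang(value)
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6, rejects CIDR ranges
        return "ip"
    except ValueError:
        pass
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "hash"
    if URL_RE.match(v):
        return "url"
    # Checked before domains: "update.zip" is both a file name and a valid domain.
    if "/" not in v and "." in v and v.rsplit(".", 1)[1].lower() in FILE_EXTS:
        return "file_name"
    return "domain" if DOMAIN_RE.match(v) else None

def preview_text_feed(text):
    """Split feed lines into (type, value) pairs and entries that fit no type."""
    kept, dropped = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):  # blank lines and comments
            continue
        kind = classify(entry)
        if kind:
            kept.append((kind, refang(entry)))
        else:
            dropped.append(entry)
    return kept, dropped

# Constructed sample: documentation-range addresses, MD5 of the empty string.
SAMPLE_FEED = """# constructed sample feed
203.0.113.7
2001:db8::1
hxxps://bad[.]example[.]com/login
malware.example.net
invoice.docm
d41d8cd98f00b204e9800998ecf8427e
admin@example.org
198.51.100.0/24
"""
```

Running `preview_text_feed(SAMPLE_FEED)` leaves the e-mail address and the CIDR range in the second list, which is the kind of entry to review before relying on a text, CSV, JSON, or custom feed for coverage.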