Threat Intelligence Security Center Knowledge Base articles

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center Knowledge Base articles

    This collection of Knowledge Base (KB) articles provides ServiceNow customers with essential resources to effectively manage and operate the Threat Intelligence Security Center (TISC). It includes best practices, configuration guidance, integration details, and operational workflows designed to optimize threat intelligence management within TISC.

    Show full answer Show less

    Key Features

    • Comprehensive Documentation Index: KB1778603 serves as a centralized entry point for all TISC-related KB articles, simplifying access to relevant information.
    • Product Differentiation: KB1748938 clarifies architectural and functional differences between the standalone TISC and the Threat Intelligence module within Security Incident Response (SIR-TI), aiding in informed solution adoption.
    • Integration Guidance: KB1778607 explains the integration architecture and data synchronization between SIR-TI and TISC, supporting seamless interoperability.
    • Data Migration: KB1706151 offers a detailed, step-by-step procedure for migrating threat intelligence data from legacy SIR-TI to TISC, including validation processes.
    • Entity Management Logic: Articles KB1587754, KB1587756, and KB1587758 describe the parent identification, deduplication, and aggregation mechanisms TISC uses to maintain data integrity and unify threat intelligence records.
    • Operational Best Practices: KB1648039 provides recommended deployment and maintenance practices to ensure optimal TISC performance and data accuracy.
    • Security Controls: KB1909534 details configuration of AllowList, DenyList, and WatchList controls within TISC, including notes on search behavior.
    • Intelligence Exchange and Formats: KB2148681, KB2332774, and KB2197697 cover use cases, configuration, and data mapping for exchanging threat intelligence data, including support for MISP format and CrowdStrike custom feeds.
    • Performance Enhancements: KB2677048 advises on improving deduplication job performance and cleaning duplicate records from the same source to maintain efficient operations.

    Practical Application for Customers

    ServiceNow customers can leverage these KB articles to:

    • Understand the scope and capabilities of TISC compared to other threat intelligence modules.
    • Confidently migrate existing threat intelligence data into TISC with minimal disruption.
    • Implement integration and synchronization strategies between TISC and Security Incident Response modules.
    • Configure and manage security controls to refine threat intelligence data processing.
    • Adopt best practices to enhance system performance, data quality, and operational efficiency.
    • Enable effective exchange of threat intelligence data with external partners and platforms using standardized formats.

    Additional Resources

    For comprehensive configuration and administration details, customers should consult the ServiceNow Security Operations product documentation and the TISC release notes relevant to their current version.

    This section provides a curated list of key Knowledge Base (KB) articles related to Threat Intelligence Security Center (TISC). These resources include best practices, configuration guidance, compatibility information, and operational workflows to help you effectively manage threat intelligence and security within TISC.

    The following knowledge base articles provide guidance on TISC concepts, configuration, integration, and best practices. The articles are maintained in the ServiceNow internal knowledge base and are referenced from the parent index article KB1778603.

    Table 1. TISC Knowledge Base Articles
    KB ID Title Description
    KB1778603 Knowledge base links for Threat Intelligence Security Center A consolidated index of all knowledge base articles related to TISC. Use this article as the starting point for locating TISC documentation resources.
    KB1748938 Difference Between Threat Intelligence Security Center (TISC) and Threat Intelligence Module in SIR (SIR-TI) Explains the key architectural and functional differences between the standalone TISC product and the Threat Intelligence module available within Security Incident Response (SIR-TI).
    KB1778607 How SIR/TI and TISC Integration Works Describes the integration architecture and data flow between the SIR Threat Intelligence module and the Threat Intelligence Security Center, including synchronization behavior and supported configurations.
    KB1706151 Migration of Data from Existing Threat Intelligence to Threat Intelligence Security Center Provides a step-by-step guide for migrating threat intelligence data from the legacy SIR-TI module to TISC, including pre-migration checks, data mapping, and validation steps.
    KB1587754 Parent Identification Logic for Various Entities in TISC Explains the logic TISC uses to identify and assign parent entities across different threat intelligence record types such as observables, indicators, and threat groups.
    KB1587756 De-duplication Logic for Various Entities in TISC Describes how TISC identifies and resolves duplicate records across threat intelligence entities to maintain data integrity and reduce noise in the threat intelligence repository.
    KB1587758 Aggregation Logic for Various Entities in TISC Details the rules and processes TISC uses to aggregate threat intelligence data ingested from multiple sources into unified, consolidated entity records.
    KB1648039 Best Practices Guide for TISC Provides recommended practices for deploying, configuring, and maintaining the Threat Intelligence Security Center for optimal performance, data accuracy, and operational efficiency.
    KB1909534 Security Control List (AllowList, DenyList, WatchList) for Threat Intelligence Security Center Documents the configuration and usage of security control lists in TISC, including AllowList, DenyList, and WatchList. Also notes a known behavior: searches with a larger number of characters return more results compared to searches with fewer characters.
    KB2148681 TISC Intelligence Exchange Use Case Guide Covers common use cases for exchanging threat intelligence data between TISC instances and with external platforms, including configuration steps and representative scenarios.
    KB2332774 TISC Outbound Intelligence in MISP Format Explains how to configure TISC to share outbound threat intelligence in MISP-compatible format so that external consumers and partner instances can ingest the data.
    KB2197697 TISC MISP Processing – MISP to TISC Mapping Provides field-level mapping details for ingesting and processing MISP threat intelligence data within TISC, including object type conversions and attribute handling.
    KB2326271 TISC CrowdStrike Custom Feed – Internal Field Mapping Documents the internal field mapping applied when TISC processes CrowdStrike custom feed data, enabling consistent normalization of CrowdStrike indicators into the TISC data model.
    KB2677048 Improving Observable/Indicator Deduplication Job Performance – Duplicate Records from Same Source Cleanup Describes techniques and configurations to improve the performance of the TISC deduplication job, with guidance on cleaning up duplicate observable and indicator records that originate from the same source.

    Related Resources

    For additional information about TISC configuration and administration, see the ServiceNow product documentation for Security Operations and the TISC release notes for the current release.