Manual and Automated Sharing using flows

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manual and Automated Sharing using flows

    This guide explains how to configure both manual sharing via GUI and automated intelligence sharing between Threat Intelligence Security Center (TISC) instances in ServiceNow Australia release. It covers setting up inbound and outbound intelligence profiles, role assignments, authentication, and data exclusion rules on source and target instances. This enables secure, automated exchange of threat intelligence data in the STIX 2.1 format.

    Show full answer Show less

    Configuring the Target TISC Instance

    • Roles and Users: Create a dedicated API ingestion user in the target instance and assign the snsectisc.apipostintel role for authenticating incoming intelligence data.
    • Inbound Intelligence Profile: In Threat Intelligence Security Center workspace, create and enable an inbound profile under Administration > Inbound Intel Sharing Profiles.
    • Settings: Set the data format to STIX 2.1 and assign the API user for authentication.
    • Profile ID: Copy the generated profile ID for use in the source instance configuration.

    Configuring the Source TISC Instance

    • Prerequisites: Ensure required roles such as snsectisc.admin for configuration and admin for API user creation are assigned.
    • Global Sharing Rules: Configure and publish outbound intelligence data exclusion rules and sharing controls according to your organizational needs.
    • Outbound Intelligence Profile: Create and enable an outbound profile to manage data sharing.
    • API Endpoint and Authentication: Set the API endpoint URL to the target instance’s intelligence sharing API and enable authentication using the target instance’s API user credentials.
    • Request Headers: Include the Profile-GUID (copied from the target inbound profile) and specify Shared-Intel-Format as STIX 2.1.
    • Validation: Save, validate connectivity, and enable the outbound profile to start sharing intelligence data.

    Key Outcomes

    • Enables secure, authenticated exchange of threat intelligence data between TISC instances.
    • Supports automation of intelligence sharing using standardized STIX 2.1 format.
    • Provides granular control via exclusion rules and sharing controls to tailor shared data.
    • Ensures integration users and roles are properly assigned for secure API communication.

    This section describes how to configure manual sharing via GUI and automated intelligence sharing between TISC instances. It outlines the setup of inbound and outbound intelligence profiles, required roles, authentication configuration, and exclusion rules in both the source and target instances.

    Configuring the Target TISC Instance

    Role required: sn_sec_tisc.admin

    Prerequisites: Before you begin, ensure you have the appropriate roles assigned.

    Role Requirements
    Table 1. Role Requirements
    Step Action Required Role
    Create API ingestion user Create a dedicated user and assign required role admin (system administrator)
    Configure and manage TISC settings Perform remaining configuration steps sn_sec_tisc.admin
    Post intelligence via API Authenticate and submit intelligence data sn_sec_tisc.api_post_intel (assigned to the integration user)
    1. Create a user with the role sn_sec_tisc.api_post_intel:

      Create a dedicated user in the target TISC instance and assign them the sn_sec_tisc.api_post_intel role. This dedicated user is used to authenticate incoming intelligence data submitted to the instance.

    2. Set up an Inbound Intelligence Profile:
    3. Navigate to Workspaces > Threat Intelligence Security Center > Administration > Inbound Intel Sharing.
    4. Select Inbound Intel Sharing Profiles.
    5. Create a new profile. For more information, see Configuring Inbound Intel Sharing Profiles.
    6. In the User for authentication field, select the user created in the previous step.
    7. Set the Data format to STIX 2.1.
    8. Save and enable the profile to allow the target TISC instance to receive intelligence.
    9. Select the Copy Profile ID to copy the profile ID.
      Note:
      You need the profile ID when configuring the outbound intelligence profile on the source TISC instance. For more information, see Configuring Inbound Intel Sharing Profiles.

    Configuring the Source TISC Instance

    1. Configure global sharing rules: Ensure the following are configured and published based on your requirements:
    2. Create an Outbound Intelligence Profile:
      1. Create a new outbound profile to manage the data sharing process. For more details, see Configuring Outbound Intel Sharing Profiles.
      2. Specify the API endpoint URL as: 
        https://{instance name} /api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel
        .
      3. Set the Authentication required to true.
      4. Enter the credentials of the user created in the target TISC instance (refer to the first step of the target setup) for the username and password.
    3. Configure Request Headers: In the Headers to be passed with request field, include the following:
      Profile-GUID: {Profile ID from the target TISC instance}
      Shared-Intel-Format: STIX 2.1
    4. Obtaining the Profile ID: The Profile ID required for the header can be found in the target TISC instance’s Inbound Intelligence Profile. Use the Copy Profile ID button to retrieve it. For more information, see Configuring Inbound Intel Sharing Profiles.
    5. Save and enable the outbound profile.

      After configuration:

      • Save the profile.
      • Validate the connection to confirm it is functioning correctly.
      • Enable the profile to activate intelligence data sharing.