Threat Intelligence Support Common release notes

  • Release version: Store
  • Updated June 11, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Support Common release notes

    The Threat Intelligence Support Common application in ServiceNow continuously evolves to enhance security operations by integrating threat intelligence standards and frameworks such as MITRE ATT&CK and MITRE DEFEND. It supports proactive threat analysis, investigation, and response by improving data ingestion, visualization, and automation capabilities within the Security Operations environment and Security Incident Response (SIR) workspace.

    Key Features

    • MITRE Framework Integrations: The application supports MITRE ATT&CK and DEFEND frameworks, enabling automated ingestion of framework data, normalized database schema, and interactive visualizations of techniques, threat entities, and defensive relationships directly within the SIR Workspace.
    • Observable Management Enhancements: Introduced features such as precedence modes in observable findings to control upgrades/downgrades, filters to limit automated threat lookups per observable within configurable durations, and improved observable finding calculations for accuracy.
    • Performance and Stability Improvements: Resolved performance issues related to inefficient query patterns and fixed various bugs including null pointer exceptions, ACL misconfigurations, and sandbox submission errors to ensure smooth operation.
    • Security and Compliance: Addressed security vulnerabilities including stored cross-site scripting (XSS) issues and improved access controls with report view ACLs on sensitive tables.
    • Flow Designer Migration: Migrated base system workflows to Flow Designer flows for improved workflow management and automation within the application.
    • Integration Support: Enhanced integration with third-party threat intelligence sources, sandbox environments, and TAXII servers to streamline threat data ingestion and processing.

    Practical Benefits for ServiceNow Customers

    • Improved threat intelligence ingestion and correlation enable security teams to identify and respond to threats more effectively and efficiently.
    • Visual tools for MITRE DEFEND and ATT&CK frameworks facilitate better understanding and communication of threat and defense strategies within incident response workflows.
    • Performance optimizations reduce system latency and improve the reliability of threat intelligence operations, critical for high-volume environments.
    • Enhanced observables management and lookup controls reduce redundant processing and improve the accuracy of threat findings.
    • Security fixes and access control enhancements help maintain compliance and protect sensitive threat intelligence data.
    • Workflow migration to Flow Designer supports future-proof automation and easier maintenance of security orchestration processes.

    What to Expect

    As you update or integrate the Threat Intelligence Support Common application, expect continued improvements in threat data handling, expanded MITRE framework capabilities, and enhanced performance. Regular updates address bugs and security concerns, ensuring the application remains robust and aligned with evolving security operation needs. Integration with the Security Incident Response workspace is also strengthened, promoting seamless incident and threat intelligence workflows.

    Version history for the Security Operations Threat Intelligence Support Common application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 13.6.4 - June 2026
    • New: Introduced a precedence mode in observable finding mode to control finding upgrades and downgrades.
    • Fixed: Performance issues caused by inefficient query patterns during MITRE ATT&CK operations have been resolved.
    Version 13.6.1 - April 2026
    New: MITRE DEFEND integration with ServiceNow.
    Version 13.6.0 - March 2026
    New: MITRE DEFEND integration with ServiceNow.
    Version 13.5.6 - January 2026
    • New:
      • MITRE DEFEND Framework Integration
        • Automated ingestion of MITRE DEFEND framework data with normalized and validated database schema.
        • Interactive graphical visualization of DEFEND techniques, threat entities, and defensive relationships within the SIR Workspace.
    Version 13.5.2 - December 2025
    Fixed: Resolved a null pointer exception that appeared in logs when the SIR record is not found. Addressed the SIR-TI MITRE ingestion failure by providing proper error messaging when the maximum attachment size is set to a lower value, and by handling the missing cleanup of MITRE ingestion attachments.
    Version 13.5.0 - August 2025
    Fixed: Sighting count increased when duplicate observables were added through "Associate Observables".
    Version 13.3.2 - May 2025
    • Fixed:
      • Remove Run Orchestration UI Action from task observable table.
      • TISC Sighting Result column is missing in Sightings Search Result table.
      • Fixed a few issues related to the Workflow (WF) to Flow Designer (FD) migration.
    Version 13.3.1 - February 2025
    Changed: Migrated base system workflows to Flow Designer flows.
    Version 13.3.0 - November 2024
    Fixed a few security bugs.
    Version 13.2.2 - August 2024
    Changed: Supports migration of Workflow to Flow Designer.
    Version 13.1.13 - February 2024
    Fixed: [Read Replica] The system property 'last_run_to_compute_cve_vit_count' is removed; the required value is now stored in and accessed from a suitable table instead.
    Version 13.1.12 - December 2023
    Fixed: Addressed the misconfiguration of table/field ACLs within the com.snc.threat plugin.
    Version 13.1.9 - November 2023
    • Fixed:
      • The "Sandbox submission failed" message appears before the submission is processed.
      • Added a global variable for the script, including MITREAutoExtraction to improve performance.
      • Over Permissive PWD2 Protection - com_glide_web_service_consumer_glideencrypt for TAXII profiles.
    Version 13.1.3 - August 2023
    • Fixed:
      • The Observable parser was not working correctly for URLs with IP addresses.
      • Sandbox submission failed message was prompted before the sandbox submission was processed.
    Version 13.1.1 - May 2023
    • Fixed:
      • Threat lookup V2 flows don't support filtering the Block from sharing tagged observables.
      • Table External References (sn_ti_stix2_external_reference) grows rapidly.
    Version 13.0.13 - April 2023
    Changed: Updated to support this application on the Security Incident Response workspace.
    Version 13.0.10 - February 2023
    • New: Added changes to support the Security Incident Response workspace.
    • Fixed: Character limitation on fields such as 'Source_ip', 'Dest_ip', and 'Action' in the Splunk Sighting Search table 'sn_ti_sighting_details'.
    Version 13.0.9 - December 2022
    • Changed:
      • Added report view ACLs for the following tables:
        • sn_ti_m2m_indicator_attack_mode
        • sn_ti_mitre_coverage_mapping
        • sn_ti_mitre_mitigation_coverage_mapping
        • sn_ti_scan
        • sn_ti_stix2_m2m_incident_attack
        • sn_ti_stix2_m2m_object
    Version 13.0.8 - November 2022
    • New:
      • Introducing a filter that allows running automated threat lookup on an observable only once within a configured duration. Any re-runs for the same observable will be skipped until the configured duration/period has passed.
      • Introducing a threat lookup finding calculator, which calculates the findings based on the responses received. For third-party integrations that provide the computed results, the threat lookup finding calculator maps the results to supported findings in the system.
      • Updated observable finding calculations based on recent threat lookup results.
    • Fixed:
      • Threat Lookup results created in the wrong domain.
      • Raw JSON payload is missing when a single sighting result is found.
      • Issue with observable type classification.
    Version 13.0.5 - June 2022
    • Fixed:
      • The payload for ICS/Enterprise attack from MITRE is updated. The fix is to accommodate the payload change.
      • Follow best practices while updating records.
      • Cosmetic issues in MITRE-ATTCK card fixed.
      • Stored Cross-Site Scripting (XSS) issue.
      • Deleted the OOB records shipped for Zeustracker-related Threat sources.
      • Modify the "Requests per minute (capability-based)" rate limit checking script to fix sighting search issues.
    Version 13.0.4 - February 2022
    • New: Added new Observable category and type
      • Observable type category: User
      • Observable type: Username
    Version 13.0.3 - January 2022
    • Changed:
      • Submission to Sandbox pop-up window title name is updated.
      • Added a new Description field to the Sandbox configuration.
    Version 13.0.1 - December 2021
    • New: Introduced new features related to MITRE ATT&CK framework which improves the ServiceNow AI Platform SOAR capabilities that enable proactive analysis, response, and reporting on threats across the security infrastructure.
    • Changed: Updated some of the existing features related to MITRE ATT&CK.
    Version 12.0.7 - June 2021
    • Fixed:
      • The hash lookup on observables is now working for the Metadefender integration.
      • The integration run errors for TAXII profiles for large data imports from the MITRE server have been fixed.
      • Capability framework abstract flows pointing to the wrong observable have been fixed.
      • Added support for MD5 Observables for Sandbox submissions.
    Version 12.0.3 - March 2021
    Fixed: TAXII end point is updated to MITRE GitHub to optimize the load on MITRE servers. MITRE collections are now pre-populated with the Threat Intelligence Core app.
    Version 12.0.0 - December 2020
    • New: Introduced the MITRE ATT&CK framework which improves the ServiceNow AI Platform SOAR capabilities that enable proactive analysis, response, and reporting on threats across the security infrastructure.
    • Changed: As part of the inclusive language initiative, allow list and deny list tags have been replaced with allow list and deny list respectively.
    Version 11.0.3 - November 2020
    New: Enabled report_view ACLs for sensitive tables and fields.
    Version 11.0.1 - September 2020
    • New:
      • Updated Threat Intelligence to support the STIX 2.0 and STIX 2.1 standards.
      • Visualizer for STIX 2.0 and STIX 2.1 objects and relationships.
    Version 10.3.1 - June 2020
    • Fixed:
      • Bug fix for WHOIS Integration configuration tile to support special characters.
      • Bug fix for report_view ACL.
    Version 10.0.0 - March 2020
    New: Capability flows for Integration capability framework v2.0.
    Version 9.1.0 - January 2020
    • Fixed:
      • Nodes no longer run out of memory when the TAXII integration (STIXParser) parses a large XML file
      • Manual threat lookup for observables when the Security Incident Response UI app is not installed
    Version 8.0.10 - September 2019
    • Fixed:
      • Nodes running out of memory when the TAXII integration (STIXParser) parses a large XML file
      • Manual threat lookup for observables when Security Incident Response UI app is not installed
    Version 8.0.9 - June 2019
    Refer to Security Incident Response release notes for product changes and updates in the Madrid release.