Explore

  • Release version: Australia
  • Updated April 7, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center (TISC)

    The Threat Intelligence Security Center (TISC) in ServiceNow provides a centralized workspace for threat intelligence teams to collect, process, analyze, and share threat data. It simplifies management by handling data deduplication, normalization, aggregation, and enrichment. TISC supports collaboration among analysts and integrates with various security tools to enhance threat detection and response.

    Show full answer Show less

    Key Features

    • Threat Intelligence Management: Access a curated catalog of open-source (OSINT) and premium threat feeds. Automatically extract observables from files and aggregate diverse data formats such as STIX, MISP, and JSON.
    • Enrichment and Validation: Remove false positives, assign confidence scores, validate indicators, and add contextual information to improve threat accuracy.
    • Integration Capabilities: Enrich observables using Threat Lookup and Sighting Search. Integrate with CrowdStrike Falcon EDR for real-time alerts and orchestrate security tools like SIEMs, EDRs, and firewalls.
    • Correlation and Analysis: Utilize correlation rules to identify relationships between intelligence records. Customize threat scoring to refine assessments.
    • Internal Intelligence Integration: Integrate internal data from Vulnerability Response, Security Incident Response, and CMDB for comprehensive threat context.
    • User Experience: Tailor dashboards by role, use graphical visualizations such as relationship graphs and investigation canvases, and operate within a dedicated analyst workspace.
    • Threat Case Management: Manage investigative workflows with task tracking, case handling, and link cases to MITRE ATT&CK framework data.
    • Notifications and Data Governance: Set alert rules based on threat changes and define data retention policies to maintain performance and compliance.
    • Reporting and Collaboration: Generate customizable reports and summaries, and securely share intelligence across organizations with controlled workflows and audit logging.
    • Domain Separation: Support multitenant environments for Managed Security Service Providers (MSSPs) to securely segregate customer data.
    • API Integration: Access TISC APIs for seamless connectivity with external security platforms and tools.

    User Roles

    • Administrator: Configures and maintains TISC, manages data sources, settings, and administration tasks.
    • Analyst: Conducts threat analysis and research, imports intelligence, collaborates using TISC tools, and manages the intelligence library.

    Practical Benefits for ServiceNow Customers

    • Centralized Threat Visibility: TISC’s home page provides a comprehensive overview of threat intelligence feeds and organizational security posture.
    • Efficient Threat Data Handling: Flexible import and export capabilities support multiple formats and streamline intelligence ingestion and sharing.
    • Streamlined Investigations: The Threat Analyst Workbench enables end-to-end case management, artifact enrichment, and direct creation of security incidents.
    • Secure Intelligence Sharing: Automated and manual workflows allow controlled sharing within and between organizations, maintaining data integrity and compliance.
    • Enhanced Analytical Insights: Interactive visual tools and correlation engines help analysts uncover complex threat relationships quickly.

    Getting Started

    To deploy TISC, download the Threat Intelligence Security Center application from the ServiceNow Store and follow configuration guides to set up data sources, integrations, and user roles.

    Threat Intelligence Security Center (TISC) enables you to collaborate with threat intelligence teams by collecting, processing, and analyzing threat intelligence feeds in a centralized workspace.

    TISC manages data collection and processing, including deduplication, normalization, and aggregation. It analyzes and disseminates threat intelligence and provides an administration workspace Threat Intelligence Security Center.

    Watch an overview about the Threat Intelligence Security Center application.

    Key features

    Threat Intelligence Security Center (TISC) key features:
    Threat intelligence management:
    • Curated Catalog of OSINT Threat Feeds: Provides access to a broad selection of popular open-source threat intelligence feeds, providing wide coverage.
    • Premium Feed Integration: Enhances the quality of threat intelligence by integrating premium feeds.
    • Automated Observable Extraction: Automatically identifies and extracts the commonly used observable types from uploaded files, streamlining the threat data ingestion process.
    • Diverse Data Aggregation: Supports multiple data formats including STIX, MISP, JSON, and others, enabling seamless feed consolidation.
    • Enrichment Capabilities & Validation: Provides enrichment and validation capabilities by removing false positives, assigning confidence scores, validating indicators, and adding contextual information.
    Integration capabilities:
    • Enrich observables with threat intelligence using Threat Lookup, Sighting Search, and Observable Enrichment to assess whether an observable is malicious.
    • CrowdStrike Falcon EDR: Supports continuous monitoring and real time alerting.
    • Security tools integrations: Orchestrates security tools including SIEMs, EDRs, and firewalls.
    • Correlation Rules Engine: Automatically establishes relationships between intelligence records, enabling deeper insight into threat patterns.
    Threat Intelligence Analysis and operations:
    • Customizable Threat Scoring: Enables fine-tuning of threat scores for more nuanced and accurate threat assessment.
    • Internal Intelligence integration: Enables integration of internal intelligence sources, including Vulnerability Response (VR), Security Incident Response (SIR), and Configuration Management Database (CMDB).
    • User-Specific Dashboards: Tailors visualizations and data views according to Threat Intelligence personas, improving user experience and relevance.
    • Graphical Visualization Tools: Provides intuitive graphical visualizations such as relationship graphs and interactive investigation canvases to simplify analysis of complex threat intelligence data.
    • Dedicated Analyst Workspace: Provides a dedicated, streamlined Threat Intelligence Analyst workspace that enables threat intelligence analysts to focus on investigation and analysis.
    • Threat Case Management: Supports investigative workflows with task tracking and case handling.
    • MITRE-ATT&CK Integration: Enables users to link case records with MITRE-ATT&CK framework data for enhanced kill chain analysis.
    • Seamless SIR Integration: Provides a smooth data migration and interoperability between Security Incident Response and Threat Intelligence Security Center applications.
    • Notification & Alert Rules: Establishes trigger alerts to notify teams based on evolving threat intelligence.
    • Data Retention & Cleanup Policies: Enables organizations to define data management rules to maintain application performance and conformance.
    • Reporting & Collaboration: Generates comprehensive status reports and investigation summaries using rich-text editors and customizable templates.
    • Domain Separation for MSSPs: Supports multitenant environments, enabling Managed Security Service Providers (MSSPs) to segregate customer data securely.
    • Extensive API integration: Offers TISC API for seamless connectivity with other security tools and platforms.

    Threat Intelligence Security Center users and roles

    User Description Contains roles
    Administrator Administers and configures the initial setup and ongoing maintenance of the Threat Intelligence Security Center, including configuring data sources and managing settings.
    • sn_sec_tisc.admin
    • sn_sec_tisc.read
    Analyst Threat Intelligence Analysts conduct analysis and research tasks requested by the team. They can import ad hoc intelligence to support their work and use the system's tools for analysis, collaboration, and managing the intelligence library.
    • sn_sec_tisc.analyst
    • sn_sec_tisc.read

    Threat Intelligence Security Center benefits

    The following table describes the key features and benefits of Threat Intelligence Security Center.
    Feature Benefit Users Contains roles
    Dashboards/Home page Threat Intelligence Security Center home page provides high-level visibility into an organization's threat intelligence, data feeds overview, intelligence sharing and security posture.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin
    Threat Intel Library TISC threat library is a collection of organized objects and entities that provides structured and unstructured security threat information. Threat information is available as feeds from sources such as STIX, MISP, and others.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin
    Integrations TISC integrations module centrally manages and configures all Threat Intelligence feed sources and enrichment integrations from a single location, enabling automated and scheduled ingestion of Threat Intelligence data.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin
    Administration TISC Administration module centrally configures and manages all aspects of TISC data administration. This includes filtering and approval rules, threat scoring, security control lists, taxonomies, notifications, and report templates. Administrators
    • sn_sec_tisc.read
    • sn_sec_tisc.admin
    Imports/Exports
    • TISC Imports module: Flexibly import Threat Intelligence data from multiple sources and formats including structured files, standard formats such as STIX and MISP, raw text, and unstructured files. Track import jobs and approvals in a single view.
    • TISC Exports module: Export observables, indicators, and cases individually or in bulk in recommended formats such as CSV and STIX 2.1.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin
    Threat Analyst Workbench Manage end-to-end threat investigations from a single workspace to create and track cases and case tasks. Collect internal intelligence records such as observables, threat actors, and campaigns, and visualize complex relationships using the Investigation Canvas.

    Accelerate analysis by adding artifacts, running enrichment actions, generating investigation and executive summary reports, and creating security incidents directly from cases.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin
    Threat Intelligence Sharing Securely share threat intelligence within and across organizations using automated and manual sharing workflows. Control what is shared through customizable templates, redaction capabilities, and configurable approval rules for both inbound and outbound intelligence.

    Maintain conformance and traceability through comprehensive audit logging, data retention policies, and bi-directional TISC - to - TISC exchange, while managing TAXII user and group access for secure, governed data sharing.
    • Administrators
    • Analysts
    • sn_sec_tisc.read
    • sn_sec_tisc.analyst
    • sn_sec_tisc.admin