Threat Intelligence Security Center Knowledge Base articles

  • Release version: Xanadu
  • Updated February 26, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center Knowledge Base articles

    This collection of curated Knowledge Base (KB) articles supports ServiceNow customers in effectively managing the Threat Intelligence Security Center (TISC). The articles cover essential topics such as best practices, configuration guidance, integration details, and operational workflows. They serve as a comprehensive resource to help you understand TISC concepts, perform migrations, configure integrations, and optimize threat intelligence management within your environment.

    Show full answer Show less

    Key Articles and Their Practical Use

    • KB1778603: Acts as a consolidated index to all TISC KB articles, providing a convenient starting point for locating resources.
    • KB1748938: Clarifies architectural and functional differences between TISC and the Threat Intelligence module within Security Incident Response (SIR-TI), helping you choose the right tool for your needs.
    • KB1778607: Details the integration architecture and data synchronization between SIR-TI and TISC, enabling seamless interoperability.
    • KB1706151: Provides a step-by-step migration guide for moving threat intelligence data from legacy SIR-TI to TISC, including validation and mapping procedures.
    • KB1587754, KB1587756, KB1587758: Explain the internal logics of parent entity identification, duplicate record resolution, and data aggregation within TISC to maintain data quality and reduce noise.
    • KB1648039: Offers best practices for deploying and maintaining TISC to ensure optimal performance and data accuracy.
    • KB1909534: Describes configuration and operational details for security control lists (AllowList, DenyList, WatchList) in TISC, including search behavior nuances.
    • KB2148681: Covers common use cases for exchanging threat intelligence between TISC instances and external platforms, including configuration guidance.
    • KB2332774, KB2197697, KB2326271: Provide detailed guidance on configuring data sharing in MISP format, mapping MISP data into TISC, and normalizing CrowdStrike custom feed data respectively.
    • KB2677048: Offers strategies to improve deduplication job performance by cleaning up duplicate records from the same source, enhancing operational efficiency.

    Additional Resources

    For further configuration and administration details, customers should consult the ServiceNow Security Operations product documentation and the TISC release notes for the current version.

    This section provides a curated list of key Knowledge Base (KB) articles related to Threat Intelligence Security Center (TISC). These resources include best practices, configuration guidance, compatibility information, and operational workflows to help you effectively manage threat intelligence and security within TISC.

    The following knowledge base articles provide guidance on TISC concepts, configuration, integration, and best practices. The articles are maintained in the ServiceNow internal knowledge base and are referenced from the parent index article KB1778603.

    Table 1. TISC Knowledge Base Articles
    KB ID Title Description
    KB1778603 Knowledge base links for Threat Intelligence Security Center A consolidated index of all knowledge base articles related to TISC. Use this article as the starting point for locating TISC documentation resources.
    KB1748938 Difference Between Threat Intelligence Security Center (TISC) and Threat Intelligence Module in SIR (SIR-TI) Explains the key architectural and functional differences between the standalone TISC product and the Threat Intelligence module available within Security Incident Response (SIR-TI).
    KB1778607 How SIR/TI and TISC Integration Works Describes the integration architecture and data flow between the SIR Threat Intelligence module and the Threat Intelligence Security Center, including synchronization behavior and supported configurations.
    KB1706151 Migration of Data from Existing Threat Intelligence to Threat Intelligence Security Center Provides a step-by-step guide for migrating threat intelligence data from the legacy SIR-TI module to TISC, including pre-migration checks, data mapping, and validation steps.
    KB1587754 Parent Identification Logic for Various Entities in TISC Explains the logic TISC uses to identify and assign parent entities across different threat intelligence record types such as observables, indicators, and threat groups.
    KB1587756 De-duplication Logic for Various Entities in TISC Describes how TISC identifies and resolves duplicate records across threat intelligence entities to maintain data integrity and reduce noise in the threat intelligence repository.
    KB1587758 Aggregation Logic for Various Entities in TISC Details the rules and processes TISC uses to aggregate threat intelligence data ingested from multiple sources into unified, consolidated entity records.
    KB1648039 Best Practices Guide for TISC Provides recommended practices for deploying, configuring, and maintaining the Threat Intelligence Security Center for optimal performance, data accuracy, and operational efficiency.
    KB1909534 Security Control List (AllowList, DenyList, WatchList) for Threat Intelligence Security Center Documents the configuration and usage of security control lists in TISC, including AllowList, DenyList, and WatchList. Also notes a known behavior: searches with a larger number of characters return more results compared to searches with fewer characters.
    KB2148681 TISC Intelligence Exchange Use Case Guide Covers common use cases for exchanging threat intelligence data between TISC instances and with external platforms, including configuration steps and representative scenarios.
    KB2332774 TISC Outbound Intelligence in MISP Format Explains how to configure TISC to share outbound threat intelligence in MISP-compatible format so that external consumers and partner instances can ingest the data.
    KB2197697 TISC MISP Processing – MISP to TISC Mapping Provides field-level mapping details for ingesting and processing MISP threat intelligence data within TISC, including object type conversions and attribute handling.
    KB2326271 TISC CrowdStrike Custom Feed – Internal Field Mapping Documents the internal field mapping applied when TISC processes CrowdStrike custom feed data, enabling consistent normalization of CrowdStrike indicators into the TISC data model.
    KB2677048 Improving Observable/Indicator Deduplication Job Performance – Duplicate Records from Same Source Cleanup Describes techniques and configurations to improve the performance of the TISC deduplication job, with guidance on cleaning up duplicate observable and indicator records that originate from the same source.

    Related Resources

    For additional information about TISC configuration and administration, see the ServiceNow product documentation for Security Operations and the TISC release notes for the current release.