Manual and Automated Sharing using flows

  • Release version: Xanadu
  • Updated February 24, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manual and Automated Sharing using flows

    This guide explains how ServiceNow customers can configure both manual and automated intelligence sharing between Threat Intelligence Security Center (TISC) instances using flows. It covers setting up inbound and outbound intelligence profiles, necessary roles, authentication, and exclusion rules to enable secure and efficient data exchange between source and target TISC instances.

    Show full answer Show less

    Configuring the Target TISC Instance

    • Required Role: snsectisc.admin to configure and manage TISC settings.
    • Create API Ingestion User: Establish a dedicated user in the target instance with the snsectisc.apipostintel role. This user authenticates incoming intelligence data.
    • Set Up Inbound Intelligence Profile:
      • Navigate to Threat Intelligence Security Center administration to create a new inbound profile.
      • Select the dedicated user for authentication.
      • Set the data format to STIX 2.1.
      • Save, enable the profile, and copy the Profile ID for use in the source instance configuration.

    Configuring the Source TISC Instance

    • Configure Global Sharing Rules: Set and publish outbound Intel Data Exclusion Rules and Sharing Controls as per organizational requirements.
    • Create Outbound Intelligence Profile:
      • Define the API endpoint URL to post intelligence data to the target instance.
      • Enable authentication and enter credentials of the dedicated user created in the target instance.
      • Configure request headers to include:
        • Profile-GUID: Profile ID copied from the target inbound profile.
        • Shared-Intel-Format: Set to STIX 2.1.
      • Save, validate the connection, and enable the profile to activate automated intelligence sharing.

    Practical Implications for ServiceNow Customers

    By following these steps, customers can securely automate the sharing of threat intelligence data between TISC instances, ensuring timely and accurate intelligence dissemination across their security infrastructure. Proper role assignment and authentication safeguard data integrity, while exclusion rules and sharing controls allow customization of shared content to meet organizational policies.

    This section describes how to configure manual sharing via GUI and automated intelligence sharing between TISC instances. It outlines the setup of inbound and outbound intelligence profiles, required roles, authentication configuration, and exclusion rules in both the source and target instances.

    Configuring the Target TISC Instance

    Role required: sn_sec_tisc.admin

    Prerequisites: Before you begin, ensure you have the appropriate roles assigned.

    Role Requirements
    Table 1. Role Requirements
    Step Action Required Role
    Create API ingestion user Create a dedicated user and assign required role admin (system administrator)
    Configure and manage TISC settings Perform remaining configuration steps sn_sec_tisc.admin
    Post intelligence via API Authenticate and submit intelligence data sn_sec_tisc.api_post_intel (assigned to the integration user)
    1. Create a user with the role sn_sec_tisc.api_post_intel:

      Create a dedicated user in the target TISC instance and assign them the sn_sec_tisc.api_post_intel role. This dedicated user is used to authenticate incoming intelligence data submitted to the instance.

    2. Set up an Inbound Intelligence Profile:
    3. Navigate to Workspaces > Threat Intelligence Security Center > Administration > Inbound Intel Sharing.
    4. Select Inbound Intel Sharing Profiles.
    5. Create a new profile. For more information, see .
    6. In the User for authentication field, select the user created in the previous step.
    7. Set the Data format to STIX 2.1.
    8. Save and enable the profile to allow the target TISC instance to receive intelligence.
    9. Select the Copy Profile ID to copy the profile ID.
      Note:
      You need the profile ID when configuring the outbound intelligence profile on the source TISC instance. For more information, see .

    Configuring the Source TISC Instance

    1. Configure global sharing rules: Ensure the following are configured and published based on your requirements:
      • Outbound Intel Data Exclusion Rules. For detailed procedure, see .
      • Outbound Intel Sharing Controls. For detailed procedure, see .
    2. Create an Outbound Intelligence Profile:
      1. Create a new outbound profile to manage the data sharing process. For more details, see .
      2. Specify the API endpoint URL as: 
        https://{instance name} /api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel
        .
      3. Set the Authentication required to true.
      4. Enter the credentials of the user created in the target TISC instance (refer to the first step of the target setup) for the username and password.
    3. Configure Request Headers: In the Headers to be passed with request field, include the following:
      Profile-GUID: {Profile ID from the target TISC instance}
      Shared-Intel-Format: STIX 2.1
    4. Obtaining the Profile ID: The Profile ID required for the header can be found in the target TISC instance’s Inbound Intelligence Profile. Use the Copy Profile ID button to retrieve it. For more information, see .
    5. Save and enable the outbound profile.

      After configuration:

      • Save the profile.
      • Validate the connection to confirm it is functioning correctly.
      • Enable the profile to activate intelligence data sharing.