Working with Reports in TISC

  • Release version: Xanadu
  • Updated November 24, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Reports in TISC

    The Reports module in the Threat Intelligence Library section of TISC enables ServiceNow customers to create, manage, and publish structured threat intelligence reports. These reports leverage intelligence data available within the Threat Intelligence Library and are categorized into two types: Case Reports and Intelligence Reports. The module supports previewing, publishing, sharing via email, and downloading, providing analysts with an efficient way to generate and distribute actionable threat intelligence insights.

    Show full answer Show less

    Case Reports

    Case Reports are tailored to individual investigation cases and use designated templates that automatically pull data from case fields, related records, and associated intelligence. Access to these reports is strictly permission-controlled—only authorized users or groups assigned to the case can view or interact with the reports. These reports maintain the structure and capabilities consistent with existing CTI case reporting and appear in both "All Reports" and "Case Reports" views within the Threat Intelligence Library.

    Intelligence Reports

    Intelligence Reports offer flexibility by allowing analysts to generate structured reports from any intelligence data in the Threat Intelligence Library without relying on a specific case. Analysts can customize content using record selection tools, slash commands, and table insertions. These reports exclude case-specific fields but enable dynamic content insertion, such as record counts and specific records, through slash commands.

    Slash Commands in Intelligence Reports

    • Mention Count: Insert total record counts from supported tables (e.g., Observable, Indicator, Threat Actor) directly into reports for quantitative insights.
    • Select a Record: Browse and insert specific field values from supported tables, facilitating precise data inclusion in reports.
    • Select a User: Insert system user information into reports, aiding in attribution or contact details.

    These commands enhance report customization and enable quick integration of dynamic intelligence elements.

    Report Views and Management

    • All Reports: View all created reports regardless of type.
    • Case Reports: Access reports tied to specific cases with restricted permissions.
    • Intelligence Reports: Access reports generated from library intelligence without case dependency.
    • My Reports: View reports created by the logged-in user for personalized management.

    Practical Benefits for ServiceNow Customers

    This reporting functionality allows analysts to efficiently produce and share structured threat intelligence in a secure and permission-controlled environment. The ability to dynamically customize reports using slash commands and templates ensures that reports are relevant, comprehensive, and actionable. Customers can streamline intelligence dissemination, enhance collaboration, and maintain compliance with data access policies.

    The Reports module in the Threat Intelligence Library section enables you to create, manage, and publish reports that use any intelligence available in the Threat Intelligence Library.

    Reports in the threat intelligence library are categorized into case reports and intelligence reports.

    They support key capabilities such as previewing, publishing, sharing via email, and downloading. These reports provide analysts with a structured and shareable format for threat intelligence reporting.

    Case Reports

    Case Reports contain information specific to an individual case. Using the case designated templates, analysts can generate reports that automatically pull data from the fields, related records, and intelligence within the selected case.

    Access to the Case Reports is strictly controlled. Only users or groups with permission to access the case can view or interact with its reports. Without the appropriate permissions, the report and its contents are not accessible.

    Case Reports follow the same structure and capabilities as the existing CTI case reporting. For more information, see Report Templates. These case reports appear in All Reports and Case Reports views of the threat intelligence library Reports module providing a structured and secure result for case level investigations.

    Intelligence Reports

    Intelligence Reports provide a flexible way to generate structured reports using any available threat intelligence from the Threat Intelligence Library. Using templates of the Intelligence Report category, analysts can create reports that incorporate data from library lists and specific intelligence objects without depending on a case.

    Unlike Case Reports, Intelligence Reports do not display case-specific fields or records. Instead, analysts can use record selection tools, slash commands, and table insertion options to customize the content of the report.

    Slash commands in the threat intelligence report allow you to quickly insert dynamic content such as record counts, specific records, or system users into a report.

    The following describes the usage of slash commands available within the Intelligence Report Editor.
    Slash Command Usage Wokflow Supported Tables
    Mention Count When you select this option, you can choose a table from the Supported Tables list to add the total record count to the report.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total records count for the selected table into the report.
    • Observable
    • Indicator
    • Attack Pattern
    • Campaign
    • Course of Action
    • Identity
    • Infrastructure
    • Intrusion Set
    • Location
    • Malware
    • Malware Analysis
    • Marking Definition
    • Object Sighting
    • Observed Data
    • Threat Actor
    • Threat Event
    • Threat Grouping
    • Threat Note
    • Threat Opinion
    • Threat Report
    • Tool
    • Vulnerability
    • Data Component
    • Data Source
    Select a Record

    When you navigate to an observable and type “/”, an option to select a corresponding fields appears. This allows you to browse and search the available fields for that record. Selecting a field automatically inserts its value into your input.

    The following is the screen shot that illustrates the navigation of selecting a record(s) using slash command.

    		 You can select a table from the provided Supported Tables list, and once selected, a drop down menu will display all the available records in that table, allowing you to choose the desired record.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total record count for the selected table into the report.
    Select a User By selecting this option, you can choose any individual from the list of system users to include in the report.
    1. Select Select a User from the slash command menu.
    2. Choose a user from the system user list.
    3. The selected user is inserted into the report.
    		 NA
    Figure 1. Record selection using Slash Command
    Record selection using slash command

    Reports include pre-defined templates, tables offering a comprehensive view of relevant intelligence.

    Intelligence Reports appear in the All Reports and Intelligence Reports views of the threat intelligence library Reports module.