Threat Intelligence Feeds
Summary of Threat Intelligence Feeds
Threat Intelligence Feeds in ServiceNow enable you to add, edit, or remove various threat intelligence data sources directly from the Threat Intel Catalog within the Threat Intelligence Security Center workspace. These feeds provide actionable cyber threat intelligence (CTI) to enhance your security operations by integrating multiple types of threat data sources.
Key Features
- Threat Intel Catalog: Displays available feeds as tiles with filtering, searching, and detailed configuration options.
- All Feeds View: Accessible via Workspaces > Threat Intelligence Security Center > Integrations > Threat Intel Feeds > All Feeds, allowing management of enabled, disabled, and draft feeds.
- Actions on Feeds: Includes filtering by feed state (All, Enabled, Disabled, Draft), toggling between card and list views, refreshing data, sorting by modification date or name, filtering by source or feed type, and searching by name or description.
- Feed Types Supported:
  - TAXII Feeds (STIX/TAXII Collections)
  - STIX HTTPS Feeds (REST API accessible)
  - MISP Format Feeds
  - Text, CSV, JSON Feeds (hosted files extracting URLs, domains, hashes, IPs, and file names)
  - RSS Feeds (stored as RSS Feed Records)
  - Custom Feeds (using custom parsers for specific formats)
- Field Mapping: Allows configuration of how feed data fields correspond to observables for formats like Text, CSV, or JSON, ensuring accurate data interpretation.
- Feed Duplication: Enables easy copying of existing feeds with all related data such as observables, indicators, and actors.
- STIX and TAXII Standards: Supports industry standards for cyber threat intelligence sharing, facilitating automated and structured intelligence exchange over HTTPS.
Practical Use for ServiceNow Customers
By leveraging Threat Intelligence Feeds, customers can integrate diverse external threat data into their ServiceNow Security Operations environment, enriching their threat detection and response capabilities. The flexible feed management interface allows you to enable or disable feeds as needed, customize data field mappings to fit your observables, and maintain updated intelligence by refreshing and sorting feeds efficiently. Understanding and configuring feeds according to their specific types (e.g., TAXII, STIX, MISP) ensures optimal ingestion and usability of threat data. Additionally, duplicating feeds can expedite setup when similar configurations are required.
Next Steps
- Access the Threat Intel Catalog to explore and enable relevant threat feeds for your environment.
- Configure new feeds with appropriate field mappings to ensure accurate data ingestion.
- Use filtering, sorting, and search capabilities to manage and monitor active threat feeds effectively.
- Refer to specific configuration guides for each feed type to optimize integration.
Use Threat Intelligence Feeds to add, edit, or remove Threat Intelligence feed data sources.
The data source feeds are available from the Threat Intel Catalog under the Integrations section.
The catalog for threat intelligence feeds shows the available feed data sources as tiles. From the catalog you can filter, search, navigate to the details of a source configuration, and perform various actions.
All Feeds
The base system includes a series of cards for each of the feeds that you can enable and use.
The feeds can be viewed by navigating to Workspaces > Threat Intelligence Security Center > Integrations > Threat Intel Feeds > All Feeds.
Actions on the All Feeds view
| Action | Description |
|---|---|
| All | Use this drop-down menu to filter feeds based on their current state. You can filter based on the following states: All, Enabled, Disabled, and Draft. |
| Card view | Use this action to view all the feeds in the form of cards. |
| List view | Use this action to view all the feeds in the form of a list view. |
| Refresh | Use this action to refresh the page. |
| Sort | Use this action to sort all the integrations based on the following: modification date or name. |
| All items | Use this action to filter and list the threat intelligence feed tiles by source type or feed type. |
| Search in catalog | Use this action to search for feeds based on the name and description within the catalog. |
Types of Threat Intel Feeds
| Type | Description |
|---|---|
| TAXII Feeds | Feeds that are available in STIX/TAXII Collections format. |
| STIX HTTPS | Threat Intelligence feeds in STIX format that can be accessed through REST APIs on HTTPS protocol. |
| MISP | Feeds that are in the MISP format. |
| Text | Feeds that are available as hosted files in text format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| CSV | Feeds that are available as hosted files in CSV format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| JSON | Feeds that are available as hosted files in JSON format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| RSS | Feeds that are available in RSS format. The application will store the data as RSS Feed Records. |
| Custom | Feeds that are configured using custom parsers. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
For the next steps in the procedure, refer to the respective section for configuring each specific feed type.
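To check a hosted CSV file before pointing a feed at it, the sketch below applies a field mapping and keeps only the five observable types the notes above say are extracted. It is an added example, not ServiceNow code: the mapping keys, column names, validation rules and sample rows are all assumptions constructed for illustration.

```python
import csv
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed: documentation-range IPs and example.* names only.
SAMPLE_CSV = """indicator,kind,comment
203.0.113.7,ip,scanner
https://login.example.net/reset,url,phishing page
files.example.org,domain,staging host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash,SHA-256 of empty input
invoice.pdf.exe,filename,dropper name
999.1.1.1,ip,malformed row
someone@example.com,email,type not in the extracted set
"""

HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5/SHA-1/SHA-256 lengths
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# One validator per observable type named on this page (the rules themselves are assumed).
VALIDATORS = {
    "ip": _is_ip,
    "url": lambda v: urlsplit(v).scheme in ("http", "https") and bool(urlsplit(v).hostname),
    "domain": lambda v: bool(DOMAIN_RE.match(v)),
    "hash": lambda v: bool(HASH_RE.match(v)),
    "filename": lambda v: bool(v) and "/" not in v and "\\" not in v,
}

def extract_observables(feed_text, mapping):
    """Return (accepted, rejected); mapping names the value and type columns (hypothetical keys)."""
    accepted, rejected = [], []
    rows = csv.DictReader(feed_text.splitlines())
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        value = (row.get(mapping["value"]) or "").strip()
        kind = (row.get(mapping["type"]) or "").strip().lower()
        check = VALIDATORS.get(kind)
        if check is None:
            rejected.append((line_no, value, "unsupported type"))
        elif not check(value):
            rejected.append((line_no, value, "invalid " + kind))
        else:
            accepted.append((kind, value))
    return accepted, rejected
```

Reviewing the rejected list before enabling a feed shows which rows a wrong column mapping or an unsupported type would silently drop.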