Manual and Automated Sharing using flows

Release version: Yokohama

Updated February 24, 2026

2 minutes to read

Summarize

Summarized using AI

Summary of Manual and Automated Sharing using flows

This content explains how ServiceNow customers can configure both manual and automated intelligence sharing between Threat Intelligence Security Center (TISC) instances using flows. It details the necessary setup steps for inbound and outbound intelligence profiles, required user roles, authentication, and data exclusion rules to enable secure and efficient sharing of threat intelligence data.

Show full answer Show less

Configuring the Target TISC Instance

Role Requirements: Assign specific roles to users involved in the sharing process:
- admin (system administrator): For creating the API ingestion user.
- snsectisc.admin: To configure and manage TISC settings.
- snsectisc.apipostintel: Assigned to a dedicated integration user to authenticate incoming intelligence data.
Create API Ingestion User: Set up a dedicated user in the target TISC instance with the snsectisc.apipostintel role to authenticate incoming data submissions.
Set up Inbound Intelligence Profile:
- Navigate to Workspaces > Threat Intelligence Security Center > Administration > Inbound Intel Sharing and create a new inbound profile.
- Select the dedicated authentication user created earlier.
- Specify the data format as STIX 2.1.
- Save, enable the profile, and copy the Profile ID for use in the source instance configuration.

Configuring the Source TISC Instance

Configure Global Sharing Rules: Set up and publish the following to control outbound data sharing:
- Outbound Intelligence Data Exclusion Rules
- Outbound Intelligence Sharing Controls
Create Outbound Intelligence Profile:
- Define a new outbound profile to manage data sharing.
- Specify the API endpoint URL in the format: https://{instance name}/api/snsectisc/v1/tiscintelsharingapi/postintel.
- Set authentication to true and provide the credentials of the dedicated user from the target instance.
- Configure request headers as follows:
  - Profile-GUID: Use the Profile ID copied from the target inbound profile.
  - Shared-Intel-Format: Set to STIX 2.1.
- Save, enable, and validate the profile to ensure the connection is functioning correctly.

Key Outcomes

Enables secure, authenticated sharing of threat intelligence data between TISC instances.
Supports standardized data format (STIX 2.1) for interoperability.
Allows granular control over what intelligence data is shared through exclusion rules and sharing controls.
Provides a scalable solution for both manual and automated intelligence sharing using ServiceNow flows.

This section describes how to configure manual sharing via GUI and automated intelligence sharing between TISC instances. It outlines the setup of inbound and outbound intelligence profiles, required roles, authentication configuration, and exclusion rules in both the source and target instances.

Configuring the Target TISC Instance

Role required: sn_sec_tisc.admin

Prerequisites: Before you begin, ensure you have the appropriate roles assigned.

Role Requirements

Table 1. Role Requirements
Step	Action	Required Role
Create API ingestion user	Create a dedicated user and assign required role	admin (system administrator)
Configure and manage TISC settings	Perform remaining configuration steps	sn_sec_tisc.admin
Post intelligence via API	Authenticate and submit intelligence data	sn_sec_tisc.api_post_intel (assigned to the integration user)

Create a user with the role sn_sec_tisc.api_post_intel:
Create a dedicated user in the target TISC instance and assign them the sn_sec_tisc.api_post_intel role. This dedicated user is used to authenticate incoming intelligence data submitted to the instance.
Set up an Inbound Intelligence Profile:
Navigate to Workspaces > Threat Intelligence Security Center > Administration > Inbound Intel Sharing.
Select Inbound Intel Sharing Profiles.
Create a new profile. For more information, see .
In the User for authentication field, select the user created in the previous step.
Set the Data format to STIX 2.1.
Save and enable the profile to allow the target TISC instance to receive intelligence.
Select the Copy Profile ID to copy the profile ID.
Note:
You need the profile ID when configuring the outbound intelligence profile on the source TISC instance. For more information, see .

Configuring the Source TISC Instance

Configure global sharing rules: Ensure the following are configured and published based on your requirements:
- Outbound Intel Data Exclusion Rules. For detailed procedure, see .
- Outbound Intel Sharing Controls. For detailed procedure, see .
Create an Outbound Intelligence Profile:
1. Create a new outbound profile to manage the data sharing process. For more details, see .
2. Specify the API endpoint URL as:
```
https://{instance name} /api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel
```
  .
3. Set the Authentication required to true.
4. Enter the credentials of the user created in the target TISC instance (refer to the first step of the target setup) for the username and password.
Configure Request Headers: In the Headers to be passed with request field, include the following:
```
Profile-GUID: {Profile ID from the target TISC instance}
```
```
Shared-Intel-Format: STIX 2.1
```
Obtaining the Profile ID: The Profile ID required for the header can be found in the target TISC instance’s Inbound Intelligence Profile. Use the Copy Profile ID button to retrieve it. For more information, see .
Save and enable the outbound profile.
After configuration:
- Save the profile.
- Validate the connection to confirm it is functioning correctly.
- Enable the profile to activate intelligence data sharing.