Working with Reports in TISC

  • Release version: Yokohama
  • Updated November 24, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Reports in TISC

    The Reports module in the Threat Intelligence Library section of TISC Yokohama release enables ServiceNow customers to create, manage, and publish structured threat intelligence reports. These reports use data available within the Threat Intelligence Library, supporting sharing via email, previewing, and downloading. Reports are categorized into Case Reports and Intelligence Reports, each serving distinct purposes for threat analysis and reporting.

    Show full answer Show less

    Case Reports

    Case Reports focus on individual threat investigation cases, leveraging case-specific templates that automatically pull relevant data from case fields, related records, and intelligence. Access to these reports is strictly permission-controlled, ensuring that only authorized users or groups can view or interact with them. Case Reports maintain consistency with existing CTI case reporting structures and are available under both All Reports and Case Reports views within the Reports module. This feature provides analysts with secure, structured reports tailored for case-level investigations.

    Intelligence Reports

    Intelligence Reports offer flexibility by allowing analysts to generate structured reports using any threat intelligence data from the Threat Intelligence Library, independent of specific cases. Analysts use Intelligence Report templates and can customize content with record selection tools, slash commands, and table insertions. These reports do not include case-specific fields but enable dynamic content insertion such as record counts, specific records, and system users.

    Slash Commands in Intelligence Report Editor:

    • Mention Count: Inserts total records count from supported tables (e.g., Observable, Indicator, Campaign).
    • Select a Record: Allows browsing and inserting specific record values from supported tables.
    • Select a User: Lets analysts insert system user information directly into reports.

    Intelligence Reports include pre-defined templates and tables offering comprehensive views of threat intelligence, accessible under All Reports and Intelligence Reports views.

    Report Views and Management

    • View All Reports: Displays the complete list of reports.
    • View Case Reports: Filters reports specific to cases.
    • View Intelligence Reports: Filters intelligence-focused reports.
    • View My Reports: Shows reports created by the logged-in user.

    Practical Benefits for ServiceNow Customers

    By leveraging the Reports module in TISC, customers gain the ability to produce structured, shareable, and permission-controlled threat intelligence reports. Case Reports enhance security and relevance by restricting access and auto-populating case data, while Intelligence Reports provide flexible, customizable reporting across broad threat intelligence datasets. Slash commands improve reporting efficiency by enabling dynamic content insertion, streamlining the creation process.

    The Reports module in the Threat Intelligence Library section enables you to create, manage, and publish reports that use any intelligence available in the Threat Intelligence Library.

    Reports in the threat intelligence library are categorized into case reports and intelligence reports.

    They support key capabilities such as previewing, publishing, sharing via email, and downloading. These reports provide analysts with a structured and shareable format for threat intelligence reporting.

    Case Reports

    Case Reports contain information specific to an individual case. Using the case designated templates, analysts can generate reports that automatically pull data from the fields, related records, and intelligence within the selected case.

    Access to the Case Reports is strictly controlled. Only users or groups with permission to access the case can view or interact with its reports. Without the appropriate permissions, the report and its contents are not accessible.

    Case Reports follow the same structure and capabilities as the existing CTI case reporting. For more information, see About Report Templates in TISC. These case reports appear in All Reports and Case Reports views of the threat intelligence library Reports module providing a structured and secure result for case level investigations.

    Intelligence Reports

    Intelligence Reports provide a flexible way to generate structured reports using any available threat intelligence from the Threat Intelligence Library. Using templates of the Intelligence Report category, analysts can create reports that incorporate data from library lists and specific intelligence objects without depending on a case.

    Unlike Case Reports, Intelligence Reports do not display case-specific fields or records. Instead, analysts can use record selection tools, slash commands, and table insertion options to customize the content of the report.

    Slash commands in the threat intelligence report allow you to quickly insert dynamic content such as record counts, specific records, or system users into a report.

    The following describes the usage of slash commands available within the Intelligence Report Editor.
    Slash Command Usage Wokflow Supported Tables
    Mention Count When you select this option, you can choose a table from the Supported Tables list to add the total record count to the report.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total records count for the selected table into the report.
    • Observable
    • Indicator
    • Attack Pattern
    • Campaign
    • Course of Action
    • Identity
    • Infrastructure
    • Intrusion Set
    • Location
    • Malware
    • Malware Analysis
    • Marking Definition
    • Object Sighting
    • Observed Data
    • Threat Actor
    • Threat Event
    • Threat Grouping
    • Threat Note
    • Threat Opinion
    • Threat Report
    • Tool
    • Vulnerability
    • Data Component
    • Data Source
    Select a Record

    When you navigate to an observable and type “/”, an option to select a corresponding fields appears. This allows you to browse and search the available fields for that record. Selecting a field automatically inserts its value into your input.

    The following is the screen shot that illustrates the navigation of selecting a record(s) using slash command.

    		 You can select a table from the provided Supported Tables list, and once selected, a drop down menu will display all the available records in that table, allowing you to choose the desired record.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total record count for the selected table into the report.
    Select a User By selecting this option, you can choose any individual from the list of system users to include in the report.
    1. Select Select a User from the slash command menu.
    2. Choose a user from the system user list.
    3. The selected user is inserted into the report.
    		 NA

    Reports include pre-defined templates, tables offering a comprehensive view of relevant intelligence.

    Intelligence Reports appear in the All Reports and Intelligence Reports views of the threat intelligence library Reports module.