TISC Store Release Updates: 2025 August & December
This post covers the recent developments in TISC over the past two store releases.
If you missed them, check out our previous TISC posts:
- TISC is Generally Available now! (2024'May)
- TISC - Updates : 2024'August To 2024'October
- TISC - Updates : 2024'November To 2025'June
Key Highlights
Threat Intelligence External Sharing : Enhance intelligence collaboration, comply with regulatory requirements, and strengthen ecosystem security through the external sharing capability in TISC. This secure, standards-based feature (STIX 2.1, MISP) allows for information exchange with external agencies, third-party products, and other TISC instances. It supports both on-demand and automated sharing via REST and TAXII protocols, utilizing template-driven interfaces and configurable controls for data transfer and review. This ensures seamless and secure sharing with partners and regulators, reducing operational friction while maximizing the utility of shared intelligence.
Intelligence Reports : With a dedicated reporting section in the Threat Intelligence Library, CTI teams can quickly create and manage reports for operations and compliance, separate from case management. Base templates and enhanced library search simplify report generation and access, while case-level visibility controls and detailed access management ensure reports remain efficient and secure.
Timeline in Investigation Canvas : Enhances event correlation, root cause analysis, and incident reconstruction using timeline capabilities in the Investigation Canvas, enabling flexible temporal analysis and event-type configuration for deeper insight into incident progression and faster investigative outcomes.
Investigation Canvas Upgrades : Accelerate complex investigations, improve collaboration, and streamline the visual analysis of threat relationships through the enhanced Investigation Canvas. The advanced visualization capabilities, multi-node actions, bulk operations, refined activity streams, and integration of internal intelligence records (including incidents and vulnerabilities) as nodes support more comprehensive investigative processes. Features such as new node creation, grouping and ungrouping, case linkage, record retrieval, and a legend for node and edge types provide a more intuitive and effective environment for generating clear, actionable insights. The MITRE ATT&CK card now lets users create saved filters for adversary-specific TTPs and technique attributes. Also, selected nodes appear as pills for better context on the card.
MISP API Feed Integration : Streamline and automate the process of acquiring threat data to boost operational efficiency and deliver timely, relevant intelligence, all while reducing manual effort. Integrate directly with the MISP server API, enabling dynamic event ingestion with advanced filtering features.
RPZ API for Sinkhole Integration : To enhance proactive network defense, we have implemented an API that exports threat intelligence in RPZ format for automated domain blocking at the DNS level. This facilitates DNS sinkhole deployments targeting domains, IPv4/IPv6 addresses, and CIDR ranges, thereby reducing exposure to malicious domains and streamlining the deployment of DNS-based security measures.
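For readers who have not worked with RPZ, this added example (not ServiceNow code and not the output of the TISC API) shows how domains, IP addresses and CIDR ranges are encoded as RPZ policy records in the form BIND accepts. The function names, the sample observables and the default NXDOMAIN action are assumptions of the example; a sinkhole deployment would pass its own sinkhole host as `target`.

```python
import ipaddress
import re

# Hostname labels: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def rpz_owner(observable: str) -> str:
    """Return the RPZ owner name (relative to the zone) for one observable."""
    value = observable.strip().lower().rstrip(".")
    try:
        # strict=False masks host bits, so 192.0.2.77/24 becomes 192.0.2.0/24.
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.version == 4:
            words = str(net.network_address).split(".")
        else:
            # "zz" stands in for the "::" zero run of the compressed form.
            text = net.network_address.compressed.replace("::", ":zz:")
            words = [w for w in text.split(":") if w]
        return f"{net.prefixlen}." + ".".join(reversed(words)) + ".rpz-ip"
    labels = value.split(".")
    tld = labels[-1]
    if (len(labels) < 2 or tld.isdigit() or tld.startswith("rpz-")
            or not all(_LABEL.match(l) for l in labels)):
        raise ValueError(f"not a domain, IP address or CIDR: {observable!r}")
    return value

def build_rpz(observables, allowlist=(), target="."):
    """Render policy records; returns (zone_lines, rejected_inputs)."""
    keep = {rpz_owner(a) for a in allowlist}
    lines, rejected = [], []
    for obs in observables:
        try:
            owner = rpz_owner(obs)
        except ValueError:
            rejected.append(obs)   # never write unvalidated text into a zone
            continue
        if owner in keep:
            continue               # allowlisted entries are not blocked
        lines.append(f"{owner} CNAME {target}")   # "CNAME ." answers NXDOMAIN
        if not owner.endswith(".rpz-ip"):
            lines.append(f"*.{owner} CNAME {target}")  # cover subdomains too
    return lines, rejected

# Constructed sample observables (documentation ranges, reserved names).
SAMPLE = ["bad.example.com", "192.0.2.77/24", "198.51.100.7",
          "2001:db8::/32", "intranet.example.org", "bad label.example.com"]
ZONE, REJECTED = build_rpz(SAMPLE, allowlist=["intranet.example.org"])
```

Rejected inputs are returned rather than dropped silently so that malformed observables can be reviewed at the source feed.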
Core Enhancements & Fixes : To make threat intelligence operations more efficient, improve intelligence quality, and give investigations deeper context for faster and more precise detection and response, we have resolved a few issues and implemented the following improvements to our core features. (See the release notes for details.)
- Import Intelligence: The Import Intelligence module now allows you to directly add observables to the Allowlist or Denylist. It supports STIX objects and relationships, and enables direct import of intelligence exported from other TISC instances.
- CrowdStrike Feed: The advanced settings for the CrowdStrike feed now let you map qualitative confidence levels from CrowdStrike to quantitative values used by TISC.
- Feed Integration Enhancements: You can now configure custom field mappings in feed settings, which works with TEXT, CSV, and JSON formats.
- MITRE ATT&CK Enhancements: Rules for extracting MITRE techniques and tactics have been expanded, including extraction from Observable Enrichment results. You can now also assign priorities and tags to MITRE techniques.
- TISC and SIR Integration: Provided options to include confidence levels, tags, and notes when transferring observables from the SIR workspace to TISC.
- Default TLP Setting: There's now a system property to set the default TLP value applied to new records created in TISC.
- Threat Intelligence Security Center for Splunk: The integration has been improved, allowing you to select additional observable attributes for inclusion in the Splunk KV Lookup.
ServiceNow’s Threat Intelligence Security Center (TISC) is a unified intelligence engine designed to help enterprises transform fragmented threat data into coordinated, high‑velocity defense. By consolidating threat collection, enrichment, correlation, and automated actioning into a single platform, TISC accelerates detection and response while enabling CTI, SOC (Security Operations Center), IR (Incident Response), VRM (Vulnerability Response Management), and Cyber Fusion teams to operate from a shared, intelligence‑driven workflow. Its advanced investigation and visualization experiences—such as the Threat Analyst Workbench and Investigation Canvas—equip analysts to quickly map, assess, and act on emerging threats with greater precision and context.
Built natively on the Now Platform, TISC leverages ServiceNow’s ecosystem, extensibility, and continuous innovation to deliver a scalable, future‑ready threat intelligence capability. Pre‑built integrations, enrichment connectors, and external threat‑sharing mechanisms expand its reach and amplify intelligence value across the enterprise, enabling organizations to collaborate more effectively and strengthen collective security posture. The result is a modern, end‑to‑end threat intelligence platform that not only simplifies operations but sets a new standard for agility, interoperability, and strategic resilience.
Key capabilities:
- Threat Data Collection, Processing & Management
  - Comprehensive catalog of widely-used OSINT threat feed sources
  - Integration with premium feeds to strengthen threat intelligence
  - Collects data from multiple sources (STIX/TAXII, STIX/HTTPS, MISP, JSON, CSV, TEXT, RSS, custom feeds and more).
  - Automatically identifies and extracts observables from uploaded files.
  - Allows importing of ad hoc intelligence in various formats.
  - Provides pipelines for deduplication, normalization, and aggregation.
  - Facilitates smooth data migration (using the utility provided) from SIR Threat Intelligence to TISC, ensuring continuity during transition.
  - Granular expiration policies for indicators and observables
  - Ability to set data retention and cleanup guidelines, maintaining governance throughout the data lifecycle
  - Inbound data exclusion rules to reduce noise
- Enrichment
  - Enriches using third-party integrations to eliminate false positives, confirm indicators, add context, and apply confidence levels.
  - Connects internal intelligence (VR, SIR, Assets, Services, CMDB) to enhance observables with enterprise context.
- Correlation & Prioritization
  - Correlation rules for automatic relationship mapping among observables and objects
  - Customizable threat scoring tool for detailed prioritization and triage of IOCs.
  - Automates MITRE ATT&CK technique extraction and case-level roll-ups.
- Analysis, Hunting & Casework
  - Dedicated workspace for Threat Intelligence Analysts to streamline case management, tasks, and queues.
  - Enables threat hunting through an interactive Investigation Canvas with graphical analysis and the MITRE ATT&CK framework, which now supports saved filters in the MITRE card to match specific adversary TTPs.
  - Timeline feature in the Investigation Canvas for analyzing temporal patterns.
  - Graphical viewer for IOC/entity relationship mapping.
  - Dashboard customization tailored to different CTI roles, including analysts, leads, and managers.
- Dissemination
  - Integrates smoothly with SIR (Security Incident Response) for contextual sharing.
  - Set notification rules to activate alerts based on intelligence received.
  - Template-driven reporting tools for generating and sharing status reports, investigation summaries and intelligence reports.
  - Secure and template-driven bi-directional threat intelligence sharing with external organizations in standard formats (STIX 2.1, MISP) and sharing via STIX/TAXII collections between TISC instances.
  - API to export IOCs in RPZ format for sinkhole integrations.
- Automation & Orchestration
  - Connects with downstream security tools and platforms for rule-based, automated actions and playbook workflows.
  - Supports point integrations and sample flows for automated actions.
  - Uses TISC API for security tool integration.
  - Webhook functionality enables real-time, trigger-driven notifications.
- MSSP Support
  - Provides domain separation capabilities for MSSP-specific scenarios.
For more details about each feature, refer to our product documentation.
Important Resources:
- Product Documentation: Threat Intelligence Security Center
- ServiceNow Store: Threat Intelligence Security Center
- TISC Demo Video
- QuickStart Guide and Now Create Resources for TISC
- TISC Implementation Bootcamp
- On-Demand Webinar: Understand Threat Intelligence Security Center's Value to your Organization
- Knowledge Base Links for Threat Intelligence Security Center (Now Support login required)
Want to know more about the product?
If you are interested in having a 1:1 conversation and would like to see a demo of this product, you can reach out to your ServiceNow Account Executive or Sales Representative, or simply comment on this post.
