Kalyan8
ServiceNow Employee


TISC Store Release Updates: 2024 November to 2025 June

 

This post covers the recent developments in TISC over the past two store releases. Read on to learn more.

 

If you missed them earlier, check out our previous TISC posts.

 

Key Highlights

 

  • Threat Intelligence External Sharing (Outbound/Inbound) [Innovation Labs Release]: 

Improve collaboration and broaden threat visibility through two-way CTI sharing with external agencies, security products, and other TISC instances. Automate the sharing process using templates and controls, minimizing manual effort, and supporting standard formats like STIX 2.1 and MISP. Use the structured STIX format for threat data and TAXII for secure, real-time transport to enable better threat intelligence dissemination. Ensure context-rich threat information is available for parsing, correlation, and operational use. TISC supports the following modes of external threat intelligence sharing:

1. Analyst driven sharing from workspace

2. Automated sharing via flows

3. Sharing via STIX/TAXII collections

4. Receive intelligence shared by external parties in STIX 2.1 and MISP formats

 


Note: The feature is available in Innovation Labs (IL) for your validation and feedback to the product team. You can use this private link to access the store app: Link to store app

 

  • Export Cyber Threat Intelligence (CTI): Enhance access to cyber threat intelligence and decision-making capabilities with flexible data export options available in commonly used formats such as Excel, CSV, and STIX 2.1 JSON. 


  • Additional Source Filters in CrowdStrike Feed: Ingest intelligence from the CrowdStrike Premium Feed and manage the large volume of data that lacks prioritization or contextual relevance. Enable filtering based on threat actors, malware families, and targeted industries to ingest only relevant IOCs. Improve efficiency in threat monitoring by prioritizing pertinent intelligence.


  • Integration with Microsoft Defender EDR: To avoid delays caused by fragmented threat information, it is important to enable rapid detection and investigation of endpoint threats. This can be achieved by gaining visibility into TISC indicators within Microsoft Defender and adding indicators directly from TISC. This approach helps streamline threat monitoring and improve endpoint threat detection using actionable observables.


  • Option to initiate a Security Incident from TISC Workspace: Efficiently streamline SOC team engagement from the TISC workspace by initiating security incidents directly within TISC. Observables are curated as artifacts, with specified priority levels and assignment requests. This feature is intended to optimize the workflows of the SOC team, ensuring prompt and coordinated responses to security incidents.


  • We also resolved a few issues and made enhancements in core capabilities, including the ability to extend MITRE Repository data with Threat Intelligence entities, an option to duplicate a feed configuration, additional actions on the investigation canvas, and other minor enhancements for improved user experience. (See release notes for details)

 

TISC is an advanced Threat Intelligence Platform designed to enable organizations to convert threat data into decisive actions. It optimizes the processes of collecting, enriching, and correlating intelligence, thereby accelerating threat detection and response times. Seamless integrations with your security ecosystem ensure more efficient and informed decision-making. With support for external sharing, TISC promotes collaboration with peers and partners, fortifying collective defense.

 

Developed on the ServiceNow platform, TISC leverages a multitude of core capabilities beyond its inherent features, utilizing the platform's extensive ecosystem for enhanced functionality. It capitalizes on ServiceNow's expansive marketplace of pre-built integrations and extensions to seamlessly integrate with third-party systems, broadening its capabilities and providing comprehensive solutions tailored to meet diverse business requirements. By adopting ServiceNow's continuous technological updates and advancements, TISC maintains a leading edge in innovation, delivering increased value to users while remaining agile and adaptable in an ever-evolving digital environment.

 

Key capabilities: 

 

  • Curated catalog of popular OSINT Threat feed sources.
  • Integration of premium feeds to enhance threat intelligence.
  • Capability to automatically identify and extract all observables from the uploaded files.
  • Granular expiration policies
  • Data aggregation from diverse feeds, including STIX, MISP, JSON and more.
  • Enrichment capabilities, for the removal of false positives, confidence/scoring of indicators, validation of indicators, and the addition of contextual information.
  • Correlation rules for automatically establishing relationships between observables.
  • Customizable threat score calculator for nuanced threat assessment.
  • Integration of internal intelligence encompassing VR, SIR, Assets, Services, and CMDB.
  • User-specific dashboards tailored for Threat Intel personas.
  • Graphical visualization tools for comprehending Threat Intel data.
  • Dedicated Threat Intel Analyst Workspace for streamlined operations.
  • Threat hunting with case/task management functionalities and interactive investigation canvas
  • Automated MITRE ATT&CK Technique extraction and rollup.
  • Enable seamless integration with SIR and facilitate smooth data migration from Threat Intelligence within SIR to the Threat Intelligence Security Center.
  • Establish notification rules to trigger alerts based on threat intelligence.
  • Define data retention and cleanup policies.
  • Generate and share status reports and investigation summaries using Case reports' rich text editor experience and customizable report templates.
  • Domain separation support for MSSP use cases.
  • Integrate with security tools using TISC API.
  • Point integrations with security tools and sample flows for automated actions
  • Webhook support for real-time, trigger-based notifications
  • Data migration utility for migration from SIR Threat Intelligence module to TISC
  • Two-way threat intelligence sharing with external entities. (Innovation Labs)

  • Sharing threat intelligence with other TISC instances via STIX/TAXII collections. (Innovation Labs)

For more details about each feature, refer to our product documentation.

 

Important Resources:

 

Want to know more about the product?

If you are interested in having a 1:1 conversation and would like to see a demo of this product, you can reach out to your ServiceNow Account Executive or Sales Representative, or simply comment on this post.