Working with Reports in TISC

  • Release version: Zurich
  • Updated November 24, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Reports in TISC

    The Reports module in the Threat Intelligence Library (TISC) allows users to create, manage, and publish reports based on available intelligence. Reports are categorized into Case Reports, which focus on individual cases, and Intelligence Reports, which provide broader intelligence insights. Key functionalities include previewing, publishing, sharing via email, and downloading reports.

    Show full answer Show less

    Key Features

    • Case Reports: Tailored for specific cases, these reports automatically pull data from designated templates and require permissions for access, ensuring secure handling of sensitive information.
    • Intelligence Reports: These flexible reports draw from any threat intelligence without being tied to a specific case. Analysts can customize content using record selection tools and slash commands.
    • Slash Command Functionality: Analysts can use slash commands for dynamic content insertion, allowing for quick addition of record counts, specific records, or users into reports.

    Key Outcomes

    By utilizing the Reports module, ServiceNow customers can efficiently generate structured reports that enhance threat intelligence sharing and analysis. Access to tailored reports improves investigative processes while ensuring data security. The ability to customize reports with dynamic content offers flexibility and enhances the overall reporting experience.

    The Reports module in the Threat Intelligence Library section enables you to create, manage, and publish reports that use any intelligence available in the Threat Intelligence Library.

    Reports in the threat intelligence library are categorized into case reports and intelligence reports.

    They support key capabilities such as previewing, publishing, sharing via email, and downloading. These reports provide analysts with a structured and shareable format for threat intelligence reporting.

    Case Reports

    Case Reports contain information specific to an individual case. Using the case designated templates, analysts can generate reports that automatically pull data from the fields, related records, and intelligence within the selected case.

    Access to the Case Reports is strictly controlled. Only users or groups with permission to access the case can view or interact with its reports. Without the appropriate permissions, the report and its contents are not accessible.

    Case Reports follow the same structure and capabilities as the existing CTI case reporting. For more information, see About Report Templates in TISC. These case reports appear in All Reports and Case Reports views of the threat intelligence library Reports module providing a structured and secure result for case level investigations.

    Intelligence Reports

    Intelligence Reports provide a flexible way to generate structured reports using any available threat intelligence from the Threat Intelligence Library. Using templates of the Intelligence Report category, analysts can create reports that incorporate data from library lists and specific intelligence objects without depending on a case.

    Unlike Case Reports, Intelligence Reports do not display case-specific fields or records. Instead, analysts can use record selection tools, slash commands, and table insertion options to customize the content of the report.

    Slash commands in the threat intelligence report allow you to quickly insert dynamic content such as record counts, specific records, or system users into a report.

    The following describes the usage of slash commands available within the Intelligence Report Editor.
    Slash Command Usage Wokflow Supported Tables
    Mention Count When you select this option, you can choose a table from the Supported Tables list to add the total record count to the report.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total records count for the selected table into the report.
    • Observable
    • Indicator
    • Attack Pattern
    • Campaign
    • Course of Action
    • Identity
    • Infrastructure
    • Intrusion Set
    • Location
    • Malware
    • Malware Analysis
    • Marking Definition
    • Object Sighting
    • Observed Data
    • Threat Actor
    • Threat Event
    • Threat Grouping
    • Threat Note
    • Threat Opinion
    • Threat Report
    • Tool
    • Vulnerability
    • Data Component
    • Data Source
    Select a Record

    When you navigate to an observable and type “/”, an option to select a corresponding fields appears. This allows you to browse and search the available fields for that record. Selecting a field automatically inserts its value into your input.

    The following is the screen shot that illustrates the navigation of selecting a record(s) using slash command.

    		 You can select a table from the provided Supported Tables list, and once selected, a drop down menu will display all the available records in that table, allowing you to choose the desired record.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total record count for the selected table into the report.
    Select a User By selecting this option, you can choose any individual from the list of system users to include in the report.
    1. Select Select a User from the slash command menu.
    2. Choose a user from the system user list.
    3. The selected user is inserted into the report.
    		 NA
    Figure 1. Record selection using Slash Command
    Record selection using slash command

    Reports include pre-defined templates, tables offering a comprehensive view of relevant intelligence.

    Intelligence Reports appear in the All Reports and Intelligence Reports views of the threat intelligence library Reports module.