Set up Threat Intelligence Security Center

  • Release version: Xanadu
  • Updated August 21, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Set up Threat Intelligence Security Center

    The Threat Intelligence Security Center (TISC) is a ServiceNow application designed to help organizations ingest, enrich, and manage threat intelligence data effectively. Before using TISC, you must download and install it from the ServiceNow Store. Proper role assignment and prerequisite plugins are essential for a smooth integration and operation.

    Show full answer Show less

    Roles and Responsibilities

    • Threat Intelligence Administrator (snsectisc.admin): Responsible for configuring data sources, enrichment integrations, data import approvals, threat score calculation criteria, taxonomies, and the MITRE ATT&CK repository relevant to the organization. This role performs the initial setup and ongoing configuration tasks and can assign the analyst role to users.
    • Threat Intelligence Analyst (snsectisc.analyst): Focuses on viewing data overviews via the product homepage, importing intelligence data, searching across ingested data, managing threat library data, performing enrichment actions on observables, and creating and managing cases using the Threat Analyst Workbench.

    Setup Considerations

    • Assign the snsectisc.admin role to administrators responsible for configuring the system after installing the TISC application.
    • Assign the snsectisc.analyst role to users who will actively work with threat data and cases.

    Dependency Plugins

    TISC requires several core ServiceNow applications and plugins to be installed and activated before configuration. These include:

    • Security Case Management components
    • Threat Intelligence Support Common
    • Column Level Encryption
    • Large JSON and XML Payload Builder API
    • Security Support Core
    • Node map Experience Component
    • Reporting UI Component for Workspace
    • Rich Text Editor Component for Security Operations
    • Security Integration Framework
    • Security Support Common and Orchestration components

    Ensuring these dependencies are installed supports the proper functioning of TISC and its integrations.

    Before you use the Threat Intelligence Security Center, you must download it from the ServiceNow Store.

    Roles installed

    Review the following information and verify that you’ve completed all the tasks for a smooth integration. Below is the list of different user persona defined to access and work with the application:
    • Threat Intelligence Analyst (sn_sec_tisc.analyst)
    • Threat Intelligence Administrator (sn_sec_tisc.admin)
    Table 1. Entitlements applicable for TISC Roles
    Setup Description
    Assign and verify the required ServiceNow AI Platform and Threat Intelligence Security Center roles. The following roles are required for configuration and verification of the expected results:
    • As an admin, you must install the TISC application from the ServiceNow Store and assign the role as sn_sec_tisc.admin.
    • This sn_sec_tisc.admin role performs the following tasks:
      • Configures the Data Sources to ingest the data. For more information, see Threat Intelligence Feeds.
      • Configured the integrations required for Enriching Observable data in TISC. For more information, see TISC Enrichment Integrations.
      • Configures Data Import Approval Roles for importing data using Import Assistant. For more information, see Working with Data Imports.
      • Configures Threat Score Calculator using required criteria for automatic calculation of Threat Score of observables. For more information, see Define Threat Score Calculator.
      • Configures required Taxonomies and Taxonomy Values. For more information, see Creating Taxonomies.
      • Configure the MITRE ATT&CK repository relevant to your organization. For more information, see MITRE-ATT&CK Repository.
      Note:
      As a sn_sec_tisc.admin, you can also assign the sn_sec_tisc.analyst role.
    • The sn_sec_tisc.analyst role performs the following tasks:
      • Views the overview of data in the system using Product Homepage. For more information, see Home page in TISC Workspace.
      • Import data into system using Import Intelligence button in Threat Library Page. For more information, see Threat Intelligence Security Center Library.
        • Search across the data present in the application using search provided in Threat Library page.
        • Manages the data ingested from various sources in Threat Library.
        • Performs various Enrichment actions on Observables.
        • Creates and Manages Cases. For more information, see Creating cases using Threat Analyst Workbench.

    Dependency Plugins

    Plugin Description
    This following applications are required for installation of this application:
    • Security Case Management common workspace components [com.snc.escm.ws_commons].
    • Threat Intelligence Support Common [com.snc.threat].
    • Column Level Encryption (com.glide.encryption)
    • Large JSON and XML Payload Builder API (com.glide.streaming_builder)
    • Security Support Core (com.snc.security_support.core)
    • Node map Experience Component (sn_node_map)
    • Reporting UI Component for Workspace(sn_sec_reporting)
    • Rich Text Editor Component for Security Operations(sn_escm_rte)
    • Security Integration Framework(sn_sec_int)
    • Security Support Common(sn_sec_cmn)
    • Security Support Orchestration(sn_sec_cmn_orch)
    		 Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.