Threat Intelligence Feeds
Summary of Threat Intelligence Feeds
Threat Intelligence Feeds in ServiceNow enable customers to add, edit, or remove threat intelligence data sources from a centralized catalog. This catalog is accessible via the Threat Intelligence Security Center workspace and presents available feeds as tiles, with options to filter, search, and navigate to detailed configurations. The feeds help organizations ingest and manage various types of cyber threat intelligence data to enhance their security posture.
Key Features
- Feed Management: Easily enable, disable, or draft threat intelligence feeds from the All Feeds view under Integrations.
- Filtering and Sorting: Filter feeds by state (Enabled, Disabled, Draft), source type, or feed format; sort feeds by name or last modified date for efficient navigation.
- Feed Types Supported:
  - TAXII Feeds: STIX/TAXII Collections format for structured threat data exchange.
  - STIX HTTPS: REST API-accessible feeds in STIX format over HTTPS.
  - MISP Feeds: Feeds formatted according to MISP standards.
  - Text, CSV, JSON Feeds: Hosted files from which observables like URLs, domains, hashes, IPs, and file names are extracted.
  - RSS Feeds: RSS format feeds stored as RSS Feed Records.
  - Custom Feeds: Configurable feeds using custom parsers extracting key observables.
- Field Mapping: Customize how data fields in text, CSV, or JSON feeds are interpreted and mapped to observables within the platform.
- Feed Duplication: Duplicate existing feeds including all associated data to streamline feed creation or modification.
Key Outcomes
By leveraging Threat Intelligence Feeds, ServiceNow customers can seamlessly integrate diverse threat data sources into their security workflows. This integration supports enhanced threat detection, analysis, and response by providing structured and actionable threat intelligence. The ability to configure, filter, and manage various feed types ensures flexibility to adapt to evolving threat environments and organizational needs.
Use Threat Intelligence Feeds to add, edit, or remove Threat Intelligence feed data sources.
The data source feeds are available from the Threat Intel Catalog under the Integrations section.
The catalog shows the available feed data sources as tiles. From it you can filter, search, navigate to the details of a source configuration, and perform various actions.
All Feeds
The base system includes a series of cards for each of the feeds that you can enable and use.
The Feeds can be viewed by navigating to .
Actions on the All Feeds view
| Action | Description |
|---|---|
| All | Use this drop-down menu to filter feeds based on their current state. You can filter based on the following states: |
| | Use this action to view all the feeds in the form of cards. |
| | Use this action to view all the feeds in the form of a list view. |
| | Use this action to refresh the page. |
| | Use this action to sort all the integrations based on the following: |
| All items | Use this action to filter and list the threat intelligence feed tiles by source type or feed type. Source Type: Feed Type: |
| Search in catalog | Use this action to search for feeds based on the name and description within the catalog. |
Types of Threat Intel Feeds
| Type | Description |
|---|---|
| TAXII Feeds | Feeds that are available in STIX/TAXII Collections format. |
| STIX HTTPS | Threat Intelligence feeds in STIX format that can be accessed through REST APIs on HTTPS protocol. |
| MISP | Feeds that are in the MISP format. |
| Text | Feeds that are available as hosted files in text format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| CSV | Feeds that are available as hosted files in CSV format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| JSON | Feeds that are available as hosted files in JSON format. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
| RSS | Feeds that are available in RSS format. The application will store the data as RSS Feed Records. |
| Custom | Feeds that are configured using custom parsers. Note: Only URLs, domains, file names, hashes, and IP addresses are extracted. |
For the next steps in the procedure, refer to the respective section for configuring each specific feed type.
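
The Text, CSV, JSON, and Custom rows in the table above note that only URLs, domains, file names, hashes, and IP addresses are extracted. The following is an added example, not ServiceNow code and not the platform's parser: one way to pre-check a hosted text feed and see which lines fall into those five types and which would be left out. The classification rules, the file-extension list, and the sample feed are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digests of MD5 (32), SHA-1 (40) and SHA-256 (64) length.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Assumption: extensions used to tell a file name from a domain name.
FILE_EXTS = {"exe", "dll", "ps1", "js", "vbs", "docm", "xlsm", "lnk"}

def classify(token):
    """Return (type, value) for one feed entry, or None if it is not one of the five types."""
    try:
        return ("ip", str(ipaddress.ip_address(token)))  # IPv4 or IPv6
    except ValueError:
        pass
    if HASH_RE.match(token):
        return ("hash", token.lower())
    if "://" in token:
        try:
            parts = urlsplit(token)
        except ValueError:  # for example a malformed IPv6 host
            return None
        ok = parts.scheme in ("http", "https", "ftp") and parts.hostname
        return ("url", token) if ok else None
    ext = token.rsplit(".", 1)[-1].lower() if "." in token else ""
    if ext in FILE_EXTS and "/" not in token:
        return ("file_name", token)
    if DOMAIN_RE.match(token):
        return ("domain", token.lower())
    return None

def extract_observables(feed_text):
    """One entry per line; blank lines and '#' comment lines are ignored."""
    found, skipped = [], []
    for line in map(str.strip, feed_text.splitlines()):
        if line and not line.startswith("#"):
            result = classify(line)
            (found if result else skipped).append(result or line)
    return found, skipped

# Constructed sample feed (documentation IP ranges, reserved .example names).
SAMPLE_FEED = "\n".join([
    "# constructed sample", "192.0.2.10", "2001:db8::1",
    "https://malicious.example/login.php?id=1", "bad-domain.example",
    "d41d8cd98f00b204e9800998ecf8427e", "invoice_2024.exe",
    "attacker@mail.example", "port 4444"])

if __name__ == "__main__":
    print(extract_observables(SAMPLE_FEED))
```

Entries in the skipped list (here an email address and a free-text line) are the kind of content that a feed limited to these five observable types would not carry into the platform, so a high skipped count is a signal to review the feed's format or use field mapping.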