Combined Threat Intelligence Security Center release notes for upgrades from Yokohama to Australia

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Threat Intelligence Security Center release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Yokohama to Australia.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Threat Intelligence Security Center to Australia

Before you upgrade to Australia, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

New features

Between your current release family and Australia, new features were introduced for Threat Intelligence Security Center.


Release	Release notes
Yokohama	Microsoft Defender for EDR Integration Integration with the Microsoft Defender for EDR allows Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs to Microsoft Defender for continuous monitoring and real-time alerting. Create a security incident from a TISC case Create security incidents and associate observables to the security incidents from a TISC case. Duplicate threat intelligence feeds Duplicate threat intelligence feeds to create an exact copy of the existing feed.
Zurich	Configure Threat Intelligence External Sharing Take advantage of external sharing for secure, automated, and on-demand dissemination of threat intelligence using STIX 2.1 and MISP formats. Supports sharing across external agencies (CISA, ISAC), integrations (SIEMs, EDRs), TAXII-based TISC instances, and inbound intelligence from external entities. About Report Templates in TISC Generate reports outside case management using base templates through a new reporting section in the Threat Intelligence Library. Configure custom MISP API feed Import events, attributes, and objects from the MISP server into the Threat Intelligence Library. Configure Custom Event Types for Timeline and Using Timeline in Investigation Canvas Define, visualize, and manage timeline events associated with nodes through the Investigation Canvas. Configure TISC add-on in Splunk Include optional attributes during configuration that can be stored in the Splunk KV Store. View Premium Threat Feed for CrowdStrike Map CrowdStrike Indicator Malicious confidence to TISC confidence. View Threat Intel Feeds Map specific source values to required observable fields during import process.
Australia	Case Summarization Now Assist for Threat Intelligence Security Center brings generative AI capabilities directly into threat intelligence workflows.  Analysts can generate concise AI-powered summaries of threat cases, including case overview, findings, key actions taken, and recommended next steps. Automatic Threat Actor priority tagging Enable automatic tagging of threat actors based on their origin locations. Configure TISC add-on in Splunk TISC Add-on for Splunk Enterprise adds historical data ingestion and flexible expiration handling. Link nodes in the Relationship Graph The relationship graphs show immediate relationships to the home node for quick rendering of the graph. Filters enable analysts to narrow down to specific nodes and relationships.  MITRE ATT&CK Technique Extraction Rules Enhanced MITRE™ extraction rule schema to add a combined Techniques and tactics regex extraction type. Threat Hunting Playbook Threat hunting playbook is now available out of the box. Analysts can use Playbooks for case management as a guided, stage-based workflow for investigations. View Premium Threat Feed for CrowdStrike Enhanced CrowdStrike premium Threat feed by adding `Malware` to the record types to ingest. Threat Actor records now link to `Malware` through `uses` and `develops` relationships, and to `Location` through `originates-from` and `targets` relationships. Report and Indicator records are linked to `Malware` through `associated-with`. Threat Actor records ingested from CrowdStrike now represent `capabilities`, `target industries`, `target regions`, `target countries`, and `origins` as structured tags rather than free-text, additional context fields. Users can use these attributes as filters. Have I Been Pwned integration Added support in TISC for Have I been pwned? (HIBP) observable enrichment, enabling analysts to identify whether observables have been exposed in known data breaches instances. Configure Tagging Rules in TISC Introduced automated tagging of RSS feed records using configurable tagging rules to apply tags and taxonomies. Create a CWE record Introduced CWEs as related entities with support for relationship linking. Create Remediations Introduced remediations as related entities with support for relationship linking and added support for managing remediations. Create a Product Introduced products as related entities with support for relationship linking. Create a Vendor to a Vulnerability Associated vendors as related entities with support for relationship linking. Automated creation of zero day vulnerability Automatically generate zero day vulnerability records from flagged RSS feeds with extracted and linked CPE, CWE, and CVE details for enhanced threat analysis. The catalog now includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats. Create Vulnerability Assessment from a Vulnerability Initiate vulnerability assessments directly from identified issues for faster risk evaluation. Sample workflows and flow actions are included to automate the assessment process. Create Security Incident from a Vulnerability Record Create security incident records directly from detected vulnerabilities to expedite incident response and streamline threat management workflows. Enable security incidents for vulnerabilities View vulnerabilities and related intelligence in the TISC Context tab of Security Incident Response Workspace, allowing analysts to quickly access risk data during investigations without navigating to separate records.

Changes

Between your current release family and Australia, some changes were made to existing Threat Intelligence Security Center features.


Release	Release notes
Yokohama	Courses of Action Renamed Course of Actions to Courses of Action. Create Inbound Data Exclusion Rules Renamed Inbound Filtering Rules to Inbound Data Exclusion Rules.
Zurich	[Placeholder link text to key bundle-security.tisc-canvas-internal-intel] Aggregate and analyze the data from internal systems through internal intelligence included in the Investigation Canvas module to help you identify potential threats more effectively. Import Intelligence in TISC Enhanced the Import Intelligence functionality to support direct import of allow list observables. Working with Investigation Canvas The Investigation Canvas feature has been extended to include customized nodes, node relationships, and node legends, as well as the grouping and ungrouping of nodes. Investigation canvas and MITRE ATT&CK Navigate and use the MITRE-ATT&CK model within the Investigation Canvas more effectively by taking advantage of enhanced filtering options.
Australia	MITRE ATT&CK Technique Extraction Rules and View extracted MITRE ATT&CK Techniques Enabled MITRE-ATT&CK extraction rules for RSS feed to map and associate MITRE-ATT&CK techniques. View RSS Feeds Enhanced the RSS feed schema and parsers to support additional fields, including tags, taxonomies, status, and expiration time. Export intelligence data, Sharing of Outbound Intelligence Records from GUI, and Add to TAXII Collections from Library List View Enhanced STIX 2.1 export to include Traffic Light Protocol (TLP) definitions applied to intelligence objects as TLP 2.0 marking definition objects. For more information, see Marking Definition. System properties for TISC Reports The system property `sn_sec_tisc.reporting.email_template_sn_sec_tisc_case` is no longer supported in TISC. It has been renamed to `sn_sec_tisc.default_report_email_template`, effective with the latest release. Configure custom MISP API feed Enhanced MISP API feed ingestion to handle events when the published timestamp is greater than the modified timestamp. Define Vulnerability and Access the Vulnerability Entities Enhanced the vulnerability schema to support additional vulnerability intelligence fields related to CVSS scoring, exploit details, and remediation information.

Removed

Between your current release family and Australia, some Threat Intelligence Security Center features or functionality were removed.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

Deprecations

Between your current release family and Australia, some Threat Intelligence Security Center features or functionality were deprecated.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

Activation information

Review information on how to activate Threat Intelligence Security Center.


Release	Release notes
Yokohama	Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Zurich	Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Australia	Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Additional requirements

If any additional requirements were introduced or changed for Threat Intelligence Security Center we have noted them here.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Threat Intelligence Security Center we have noted them here.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

Accessibility information

Review details on accessibility information for Threat Intelligence Security Center, such as specific requirements or compliance levels.


Release	Release notes
Yokohama	No updates for this release.
Zurich
Australia	No updates for this release.

Localization information

If there are specific localization considerations for Threat Intelligence Security Center we have noted them here.


Release	Release notes
Yokohama	No updates for this release.
Zurich	No updates for this release.
Australia	No updates for this release.

Highlight information

If there are specific highlight considerations for Threat Intelligence Security Center we have noted them here.


Release	Release notes
Yokohama	Integrate with Microsoft Defender to enable Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs from TISC to Microsoft Defender. Added creation of security incident directly from a TISC case with an option to associate observable artifacts to the security incident. Enhanced support to export observables, indicators, and cases from the list views in STIX 2.1 JSON, CSV, and Excel formats. Added settings to ingest indicators of interest based on associations to threat actors, threat reports, or malware families, including an option to include indicators deleted on CrowdStrike. Improved Threat Intelligence Feed configuration functionality to create a duplicate copy of the existing feed. See Threat Intelligence Security Center for more information.
Zurich	External sharing is now generally available, allowing secure and automated sharing of threat intelligence in STIX 2.1 and MISP formats. Redesigned the Investigation Canvas with activity timelines, added internal intelligence, improved node design and interactions, enhanced related records to retrieve all the associated records, and upgraded the MITRE card with filter capabilities for a smoother experience. Introduced the ability to import events directly from the MISP server. Implemented a unified mapping experience for the text based feeds such as TEXT, CSV, and JSON import formats. Implemented confidence mapping for the CrowdStrike (CS) Feed as part of additional settings. You can now map the malicious confidence levels of CrowdStrike indicators to the observable confidence values. See Threat Intelligence Security Center for more information.
Australia	Introduced Now Assist Case Summarization skill that analysts can use to generate concise, AI-based case summaries. Added playbooks support in Case Management, giving analysts a guided, stage-based workflow for investigations. Added historical data ingestion and flexible expiration handling to TISC Add-on for Splunk Enterprise.  Enhanced MITRE Extraction rule schema to add a combined Techniques and Tactics regex extraction type. Enhanced Relationship Graph with filtering support and performance improvements. Enhanced CrowdStrike feed to support ingestion of malwares. See Threat Intelligence Security Center for more information.