Configure a new threat intelligence feed

  • Release version: Australia
  • Updated March 12, 2026
  • 7 minute read
  • Configure a new threat intelligence feed.

    Before you begin

    Role required: sn_sec_tisc.admin

    To configure a new threat intelligence feed, follow the procedure:

    Procedure

    1. Navigate to All > Workspaces > Threat Intelligence Security Center.
    2. Click the Integrations icon.
    3. Select Threat Intel Feeds > All Feeds.
    4. Select Configure new source.
      The various feed types are displayed.

      TISC All Feeds - Configure new source

    5. Select the respective feed type.
    6. On the form, fill in the fields.
      Table 1. Configure new source
      Field | Description
      Name | Enter a name for the feed.
      Description | Description of the feed.
      Feed Type | The feed type. For example, MISP.

      By default, this value is displayed based on the type of feed that you selected from the Catalog.

      Logo | Attach the logo of the source feed.
      Note:
      The size should be 72px/72px.
      Industry | Select the industry category, such as Aerospace, Agriculture, and so on, to which the feed applies.
      Source Type | Select the type of source from the list of available source types. The available source types are:
      • Government
      • ISACs
      • Open Source
      • Premium Source
      • Other Source
    7. Select Select.
    8. Fill in the fields in the Configuration section, as appropriate.
      Table 2. Configuration Details
      Field | Description
      Expiry period (days) | Enter the expiry period for the feed in days. For example, 180 days.
      Note:
      With this value, data that is ingested from the source expires 180 days after ingestion.
      Override Source Expiration | When enabled, the feed record received will have its expiration time overridden to match the profile’s configuration.
      Use REST Message | Select the Use REST Message check box if you need to use the REST Message/REST Method functionality that is provided by ServiceNow AI Platform.

      If this check box is not selected, the application uses the endpoint provided in REST Endpoint URL to fetch the data from the feed. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.

      Important:
      The REST Message and REST Method fields are mandatory when you select Use REST Message.
      REST Message | Select the REST Message record from the list of REST message records that are already configured in the instance. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
      Note:
      Select this value when you need to view specific headers and define the REST-related records using the REST message option.
      REST Method | Select the REST Method from the list of available REST Methods configured for the selected REST Message. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
      REST endpoint URL | Enter the REST endpoint URL where the data is hosted by the threat intelligence feed.
      Note:
      For MISP feed types, the REST endpoint URLs that end with /manifest.json are supported.
      Confidence | Set the confidence for all the applicable records that are ingested through this specific feed.
      Note:
      Set the confidence between 0 and 100 for this source.
      Override Source Confidence | When enabled, the feed will have its confidence value overridden to match the profile’s configuration.
      Data Parsing Mechanism | Select the appropriate data parsing mechanism option. The available options are:
      • Automated IoC Extraction: This option is selected by default when configuring Text, CSV, or JSON feeds.
      • Custom Field Mapping: Select this option if you want to define how the specific fields in your feed data should be mapped to the observable attributes.

        Once selected, you can configure the mappings in the Field Mapping section. For more detailed information on custom field mapping, see Configure Custom Field Mapping.

      Authentication Required | Select this check box if authentication is required for your new threat intelligence feed.
      Note:
      This is only applicable when REST Endpoint URL is being used to retrieve the data.
      Authentication Type | The authentication type for the source feed. The following authentication types are configured and provisioned within the base system:
      • API ID / API Key
      • API ID / API Secret
      • API Key
      • API Key / API Secret
      • API Username / API Password / API Key
      • Basic Authentication
      Headers to be passed with request | Any headers to be passed with the requests can be provided in Request Header Mapping.
      • Provide each header as a key-value pair separated by a colon (':').
      • Provide each header key-value pair on a new line.
      • To provide authentication parameters as header values, enclose the required Authentication Label with '${' and '}$'. For example, x-api-key:${API Key}$.
      Advanced | Select this check box to define a custom integration script and report processor script.
      Note:
      When you select this check box, the Integration script and Report Processor fields appear so that you can select the custom scripts.
      Integration script | The integration script invokes a call to the REST Endpoint URL using the authentication parameters and the headers as configured in the feed, and then fetches the data that is available from the specific feed.
      The base system includes the following script includes, which are provisioned within the application as integration scripts:
      • MITRESourceIntegration: Used for fetching the data from MITRE feeds.
      • RSSFeedDatasourceIntegration: Used for fetching the data from RSS feeds.
      • SimpleFeedDatasourceIntegration: Used for fetching the data from Simple feeds without authentication or Basic Authentication.
      • SimpleMISPFeedDatasourceIntegration: Used for fetching the data from hosted MISP feeds.

      The default integration script is based on the feed type that you select. For example, if you select the MISP feed type, which is a standard format to process and fetch the data, the integration script is SimpleMISPFeedDatasourceIntegration.

      Note:

      For custom integration scripts, you can create a script include that extends FeedDatasourceIntegrationBase and overrides the required methods.

      Report processor | The report processor script processes data fetched from the feed using the integration script.

      The base system includes the following scripts, which are provisioned within the application as report processor scripts:
      • AtomFeedDatasourceResponseProcessor: Used for processing RSS feeds in Atom format.
      • MITRECollectionDataProcessor: Used for processing MITRE feeds.
      • RSSFeedDatasourceResponseProcessor: Used for processing RSS feeds.
      • SimpleDataplaneFeedResponseProcessor: Used for processing Dataplane feeds.
      • SimpleFeedDatasourceResponseProcessor: Used for processing Simple feeds using regular expression extraction of observables.
      • SimpleFeodotrackerFeedResponseProcessor: Used for processing Feodotracker feeds.
      • SimpleMISPFeedDatasourceResponseProcessor: Used for processing hosted MISP feeds.
      • TAXIIV2CollectionDataProcessor: Used for processing TAXII Collection data.

      The default report processor for MISP feeds is SimpleMISPFeedDatasourceResponseProcessor. This processor is preconfigured by the application and cannot be modified or replaced.

    9. Fill in the fields in the Scheduling section, as appropriate.
      Table 3. Scheduling
      Field | Description
      Run | Set the frequency at which you want to ingest the records. The feed runs based on the scheduled job interval. The available job intervals are:
      • Daily
      • Weekly
      • Monthly
      • Periodically
      • Once
      • On Demand
      • Business Calendar: Entry Start
      • Business Calendar: Entry End
      Note:
      By default, the frequency is set to On Demand.
      For more information, see Scheduled Jobs and how to Automatically run a script of your choosing.
      Fetch Data From | The start date from which the data needs to be fetched. Set this field to the time from which the data needs to be ingested from the corresponding source. Once this value is set, the next ingestion run fetches the data from the configured time, and consecutive ingestion runs fetch incremental data based on the Run frequency.

      For example, a source is scheduled to ingest the data every hour. If the user sets Fetch Data From to Jan 12 6:00AM on Jan 12 9:30AM, the ingestion that triggers at Jan 12 10:00AM fetches the data from Jan 12 6:00AM to Jan 12 10:00AM. The next ingestion, which triggers at 11:00AM, fetches only the incremental data from Jan 12 10:00AM to Jan 12 11:00AM.

      Note:
      This means the scheduled runs will fetch data incrementally starting from the specified date onwards.
      Important:
      This field is not applicable for Text, CSV, and JSON feeds.
      Table 4. Additional Information
      Field | Description
      Media URL | Indicates the feed URL.
      Feed Comments URL | The link provided by the RSS source.
      Table 5. TISC Tags
      Field | Description
      Select TISC Tags | Use the tags to annotate or earmark records that are ingested into the system from this source. Start entering the tag name in the Search bar to choose from the available tags in the application, or enter a new tag name and click Add to assign it to the source.
    10. Select the Save action to store and create the feed.
      The provided details are validated, and by default the feed's status is disabled.
    11. Optional: Select the Save as Draft action to only store the feed configurations as draft.
      Users cannot enable a feed when it is saved in draft. Use the Save as Draft option if you're unsure about the configuration details. After you get the configuration details, you can fill in the remaining information in the draft version and create it.
    12. Select Enable to enable the record.
      After the threat intelligence feed record is enabled, you can execute the record to run the integration.
      Note:
      • The threat intelligence feed record is labeled and indicated as enabled. Similarly, you can disable the threat intelligence feed by clicking the Disable button.
      • You can also enable, disable, or delete a particular feed by using the Actions menu of the required feed tile on the Catalog or Threat Intel Feeds page.
    13. Select Delete to delete the threat intelligence feed record.
    14. Select the Integrations Run section to verify the run details.
      Note:
      The threat intelligence feed configuration procedure is the same for all other threat intelligence feed types, except for STIX TAXII. For more information on how STIX TAXII is configured, see Configure a new TAXII Feed.
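
A pre-save check for the rules stated in the Configuration section (header mapping format, ${Label}$ placeholders, confidence range, REST Message prerequisites, MISP endpoint suffix), as an added example in JavaScript that is not ServiceNow code. The cfg property names, the authLabels list, and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Property names on cfg are hypothetical, not the
// application's column names; authLabels is supplied by the caller.
const PLACEHOLDER = /\$\{([^}]*)\}\$/g;   // ${Authentication Label}$

// Parse "Headers to be passed with request": one key:value pair per line.
function parseHeaderMapping(text) {
  const headers = [], errors = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (!line.trim()) return;
    const idx = line.indexOf(':');          // split on the first colon only
    const key = idx > 0 ? line.slice(0, idx).trim() : '';
    const value = idx > 0 ? line.slice(idx + 1).trim() : '';
    if (!key || !value) return errors.push(`line ${i + 1}: expected key:value`);
    const labels = [...value.matchAll(PLACEHOLDER)].map(m => m[1]);
    headers.push({ key, value, labels });
  });
  return { headers, errors };
}

// Returns a list of problems; an empty list means the checks passed.
function checkFeedConfig(cfg) {
  const { headers, errors } = parseHeaderMapping(cfg.headerMapping || '');
  for (const h of headers) {
    for (const label of h.labels)
      if (!cfg.authLabels.includes(label))
        errors.push(`header ${h.key}: unknown authentication label "${label}"`);
    // A "${" left after removing well-formed placeholders lacks its "}$".
    if (h.value.replace(PLACEHOLDER, '').includes('${'))
      errors.push(`header ${h.key}: placeholder not closed with "}$"`);
  }
  const c = cfg.confidence;
  if (typeof c !== 'number' || !(c >= 0 && c <= 100))
    errors.push('confidence must be between 0 and 100');
  if (cfg.useRestMessage) {
    if (!cfg.restMessage || !cfg.restMethod)
      errors.push('REST Message and REST Method are mandatory');
  } else if (cfg.feedType === 'MISP' && !String(cfg.endpointUrl).endsWith('/manifest.json')) {
    errors.push('MISP endpoint URL must end with /manifest.json');
  }
  return errors;
}

// Constructed sample: a MISP feed with three header mistakes.
const sample = {
  feedType: 'MISP', useRestMessage: false, confidence: 150,
  endpointUrl: 'https://feeds.example.test/misp/events',
  authLabels: ['API Key'],
  headerMapping: 'x-api-key:${API Secret}$\nAuthorization ${API Key}$\nX-Trace:${API Key}',
};
console.log(checkFeedConfig(sample).join('\n'));
```

Because placeholders keep the credential itself out of the header text, a header that carries a literal key instead of a ${Label}$ reference is worth flagging in review as well.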