Configure a new data source
Configure a new threat intelligence feed data source.
Before you begin
Role required: sn_sec_tisc.admin
To configure a new threat intelligence feed data source, follow the procedure:
Procedure
- Navigate to All > Workspaces > Threat Intelligence Security Center.
- Click the Integrations icon.
- Select Threat Intel Feeds > All Feeds.
- Click Configure new source.
  The various feed types are displayed.
- Select the respective feed type.
- On the form, fill in the fields.
  Table 1. Create New Data Source
  - Name: Enter a name for the feed.
  - Description: Description of the feed.
  - Feed Type: The feed type. For example, MISP. By default, this value is displayed based on the type of feed that you selected from the Catalog.
  - Logo: Attach the logo of the source feed.
  - Industry: Select the industry category, such as Aerospace, Agriculture, and so on, to which the feed data source applies.
  - Source Type: Select the type of source from the list of available source types. The available source types are:
    - Government
    - ISACs
    - Open Source
    - Premium Source
    - Other Source
- Click Select.
- Fill in the fields in the Configuration section, as appropriate.
  Table 2. Configuration
  - Expiry period (days): Enter the expiry period for the feed in days. For example, 180 days.
    Note: Any data that is ingested from the source expires 180 days after ingestion.
  - Use REST Message: Select the Use REST Message check box if you need to use the REST Message/REST Method functionality that is provided by ServiceNow AI Platform. If this check box is not selected, the application uses the endpoint provided in REST Endpoint URL to fetch the data from the feed. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
    Note: The REST message and REST method fields are mandatory when you select Use REST Message.
  - REST Message: Select the REST Message record from the list of REST message records that are already configured in the instance. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
    Note: Select this value when you need to view specific headers, and define the REST-related records using the REST message option.
  - REST Method: Select the REST Method from the list of available REST Methods configured for the selected REST Message. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
  - Confidence: Set the confidence for all the applicable records that are ingested through this specific feed.
    Note: Set the confidence between 0-100 for this source.
  - REST endpoint URL: Enter the REST endpoint URL where the data is hosted by the data source.
  - Authentication Required: Select this check box if authentication is required for your new data source.
    Note: This is applicable only when REST Endpoint URL is used to retrieve the data.
  - Authentication Type: The authentication type for the source feed. The following authentication types are configured and provisioned in the base system:
    - API ID / API Key
    - API ID / API Secret
    - API Key
    - API Key / API Secret
    - API Username / API Password / API Key
    - Basic Authentication
    Note: For the custom source feed type, the authentication types in the base system are Client ID and Client Secret.
  - Headers to be passed with request: Any headers to be passed with the requests can be provided in Request Header Mapping. Provide each header as a key-value pair separated by a colon (':'), with each pair on a new line. To provide authentication parameters as header values, enclose the required Authentication Label in '${' and '}$'. For example, x-api-key:${API Key}$.
  - Advanced: Select this check box to define a custom integration script and report processor script.
    Note: When you select this check box, the Integration script and Report Processor fields appear so that you can select the custom scripts.
  - Integration script: The integration script invokes a call to the REST Endpoint URL using the authentication parameters and the headers configured in the feed, and then fetches the data that is available from the specific feed. The following script includes are provisioned in the base system for integration scripts:
    - FeedDatasourceIntegrationBase
    - MITRESourceIntegration
    - RSSFeedDatasourceIntegration
    - SimpleFeedDatasourceIntegration
    - SimpleMISPFeedDatasourceIntegration
    The default integration script is based on the feed type that you select. For example, if you select the MISP feed type, which is a standard format to process and fetch the data, then the integration script is SimpleFeedDatasourceIntegration.
    Note: For custom integration scripts, you can create a script include by extending FeedDatasourceIntegrationBase and overriding the required methods.
  - Report processor: The report processor script processes the data that is fetched from the feed using the integration script. The following script includes are provisioned in the base system for report processor scripts:
    - FeedDatasourceResponseProcessor
    - MITRECollectionDataProcessor
    - RSSFeedDatasourceResponseProcessor
    - SimpleFeedDatasourceResponseProcessor
    - SimpleMISPFeedDatasourceResponseProcessor
    - TAXIIV2CollectionDataProcessor
    The default Report Processor for STIX HTTPS is TAXIIV2CollectionDataProcessor. By default, this option is displayed and you cannot modify or select any other report processor.
- Fill in the fields in the Scheduling section, as appropriate.
  Table 3. Scheduling
  - Run: Set the frequency at which you want to ingest the records. The feed runs based on the scheduling job interval. The available job intervals are:
    - Daily
    - Weekly
    - Monthly
    - Periodically
    - Once
    - On Demand
    - Business Calendar: Entry Start
    - Business Calendar: Entry End
    Note: For more information, see Scheduled Jobs and how to Automatically run a script of your choosing. By default, the frequency is set to On Demand.
  - Fetch Data From: The start date from which the data needs to be fetched. Set this field to the time from which the data needs to be ingested from the corresponding source. Once this field is set, the next ingestion run fetches the data from the configured time, and consecutive ingestion runs fetch incremental data. For example, the source is scheduled to ingest data every hour. If the user sets Fetch Data From to Jan 12 6:00AM on Jan 12 9:30AM, the ingestion triggering on Jan 12 10:00AM fetches the data from Jan 12 6:00AM to Jan 12 10:00AM. The next ingestion, which triggers at 11:00AM, fetches only the incremental data from Jan 12 10:00AM to Jan 12 11:00AM.
    Note: This means the scheduled runs fetch data incrementally, starting from the specified date onwards.
  Table 4. Tags
  - Select Tags: Use the tags to annotate or earmark records that are ingested into the system from this source. Start entering the tag name in the Search bar to choose from the available tags in the application, or enter a new tag name and click Add to assign it to the source.
- Click the Save action to store and create the feed.
  The provided details are validated, and by default the feed's status is disabled.
- Optional: Click the Save as Draft action to store the feed configuration as a draft only.
  Users cannot enable a feed when it is saved as a draft. If you're not sure about the configuration details, you can use the Save as Draft option. After you get the configuration details, you can fill in the remaining information in the draft version and create the feed.
- To enable the feed, click Enable.
  The feed is enabled successfully. You can also enable, disable, or delete a particular feed by using the Actions menu of the required feed tile on the Catalog or Threat Intel Feeds page.
  Note: If the Run Frequency is set to On Demand in the Scheduling section of the data source form page, then whenever you enable the integration, a message prompt is displayed alerting the users that they have now successfully enabled the source. You must change the run frequency to enable the source configuration to automatically ingest data.
- Click Enable to enable the record.
  Once the feed data source record is enabled, you can execute the record to run the integration.
  Note: The data source record is labeled and indicated as enabled. Similarly, you can disable the data source feed by clicking the Disable button.
- Click Delete to delete the feed data source record.
- Select the Integrations Run section to verify the run details.
Note: The above feed data source configuration procedure is the same for all other feed data source types, except for STIX TAXII. For more information on how STIX TAXII is configured, see Configure a new TAXII Feed.
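A pre-save check for the "Headers to be passed with request" format described in the Configuration table (one key:value pair per line, credentials referenced as ${Authentication Label}$), given here as an added example that is not ServiceNow code. The function names, the credential map, and the sample key are assumptions; rejecting control characters in resolved values and masking secret-bearing headers for logs go beyond what the page states.

```javascript
// Added example, not ServiceNow code; all names here are hypothetical.
const PLACEHOLDER = /\$\{([^}]+)\}\$/g;               // ${Authentication Label}$
const HEADER_NAME = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;  // RFC 7230 token characters
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Returns { headers, sensitive }: resolved headers plus the names that carry secrets.
function parseHeaderMapping(mapping, credentials) {
  const headers = {};
  const sensitive = [];
  mapping.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '') return;                      // tolerate blank lines
    const sep = line.indexOf(':');                // split on the first colon only
    if (sep < 1) throw new Error(`line ${i + 1}: expected key:value`);
    const name = line.slice(0, sep).trim();
    if (!HEADER_NAME.test(name)) throw new Error(`line ${i + 1}: invalid header name`);
    const value = line.slice(sep + 1).trim().replace(PLACEHOLDER, (m, label) => {
      if (!Object.prototype.hasOwnProperty.call(credentials, label)) {
        throw new Error(`line ${i + 1}: no credential for label "${label}"`);
      }
      if (!sensitive.includes(name)) sensitive.push(name);
      return String(credentials[label]);
    });
    // A credential containing CR/LF would otherwise inject extra headers.
    if (CONTROL_CHARS.test(value)) throw new Error(`line ${i + 1}: control character in value`);
    headers[name] = value;
  });
  return { headers, sensitive };
}

// Copy of the headers that is safe to write to a run log.
function redactHeaders({ headers, sensitive }) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k] = sensitive.includes(k) ? '***' : v;
  return out;
}

// Constructed sample input; the key is a placeholder, not a real credential.
const SAMPLE_MAPPING = 'x-api-key:${API Key}$\nAccept:application/json\n';
const SAMPLE_CREDS = { 'API Key': 'EXAMPLE-KEY-0000' };
```
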