Threat Intelligence Security Center release notes
The ServiceNow® Threat Intelligence Security Center application is a threat intelligence platform built natively on the ServiceNow AI Platform to operationalize threat intelligence from feed ingestion and enrichment to investigation, response, and sharing. TISC enables security teams to act efficiently on intelligence and defend against threats. TISC was enhanced and updated in the Australia release.
Threat Intelligence Security Center highlights for the Australia release
- Introduced Now Assist Case Summarization skill that analysts can use to generate concise, AI-based case summaries.
- Added playbooks support in Case Management, giving analysts a guided, stage-based workflow for investigations.
- Added historical data ingestion and flexible expiration handling to TISC Add-on for Splunk Enterprise.
- Enhanced MITRE Extraction rule schema to add a combined Techniques and Tactics regex extraction type.
- Enhanced Relationship Graph with filtering support and performance improvements.
- Enhanced CrowdStrike feed to support ingestion of malwares.
See Threat Intelligence Security Center for more information.
New in the Australia release
Australia Patch 3- ServiceNow product tiers
- The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available:
- Foundation: AI basics to deliver insights
- Advanced: AI to boost productivity across relevant use cases
- Prime: Act autonomously with all AI assets and create your own
Depending on your entitlements, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents.
- Summarize a Case with Now Assist for Threat Intelligence Security Center
- Now Assist for Threat Intelligence Security Center brings generative AI capabilities directly into threat intelligence workflows. Analysts can generate concise AI-powered summaries of threat cases, including case overview, findings, key actions taken, and recommended next steps.
- Automatic Threat Actor priority tagging
- Enable automatic tagging of threat actors based on their origin locations.
- Configure TISC add-on in Splunk
- TISC Add-on for Splunk Enterprise adds historical data ingestion and flexible expiration handling.
- Link nodes in the Relationship Graph
- The relationship graphs show immediate relationships to the home node for quick rendering of the graph. Filters enable analysts to narrow down to specific nodes and relationships.
- MITRE ATT&CK Technique Extraction Rules
- Enhanced MITRE™ extraction rule schema to add a combined Techniques and tactics regex extraction type.
- Threat Hunting Playbook
- Threat hunting playbook is now available out of the box. Analysts can use Playbooks for case management as a guided, stage-based workflow for investigations.
- View Premium Threat Feed for CrowdStrike
- Enhanced CrowdStrike premium Threat feed by adding
Malwareto the record types to ingest. Threat Actor records now link toMalwarethroughusesanddevelopsrelationships, and toLocationthroughoriginates-fromandtargetsrelationships. Report and Indicator records are linked toMalwarethroughassociated-with. Threat Actor records ingested from CrowdStrike now representcapabilities,target industries,target regions,target countries, andoriginsas structured tags rather than free-text, additional context fields. Users can use these attributes as filters.
- Have I Been Pwned integration
- Added support in TISC for Have I been pwned? (HIBP) observable enrichment, enabling analysts to identify whether observables have been exposed in known data breaches instances.
- Configure Tagging Rules in TISC
- Introduced automated tagging of RSS feed records using configurable tagging rules to apply tags and taxonomies.
- Create a CWE record
- Introduced CWEs as related entities with support for relationship linking.
- Create Remediations
- Introduced remediations as related entities with support for relationship linking and added support for managing remediations.
- Create a Product
- Introduced products as related entities with support for relationship linking.
- Create a Vendor to a Vulnerability
- Associated vendors as related entities with support for relationship linking.
- Automated creation of zero day vulnerability
- Automatically generate zero day vulnerability records from flagged RSS feeds with extracted and linked CPE, CWE, and CVE details for enhanced threat analysis. The catalog now includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.
- Create Vulnerability Assessment from a Vulnerability
- Initiate vulnerability assessments directly from identified issues for faster risk evaluation. Sample workflows and flow actions are included to automate the assessment process.
- Create Security Incident from a Vulnerability Record
- Create security incident records directly from detected vulnerabilities to expedite incident response and streamline threat management workflows.
- Enable security incidents for vulnerabilities
- View vulnerabilities and related intelligence in the TISC Context tab of Security Incident Response Workspace, allowing analysts to quickly access risk data during investigations without navigating to separate records.
UI changes
- TISC Library Repository
- Enhanced Threat Intelligence Library list views by grouping observables, indicators, threat entities, RSS feed, and vulnerability artifacts into appropriate categories for improved navigation.
- Create Vulnerability Assessment from a Vulnerability
- Introduced a new button Create Vulnerability Assessment to conduct a vulnerability assessment for a specific vulnerability.
- Create Security Incident from a Vulnerability Record
- Introduced a new button Create Security Incident to facilitate identifying vulnerabilities and enable faster incident response within the threat analysis.
- Threat Intelligence Security Center Catalog
- Introduced a new catalog entry which includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.
Changed in this release
- MITRE ATT&CK Technique Extraction Rules and View extracted MITRE ATT&CK Techniques
- Enabled MITRE-ATT&CK extraction rules for RSS feed to map and associate MITRE-ATT&CK techniques.
- View RSS Feeds
- Enhanced the RSS feed schema and parsers to support additional fields, including tags, taxonomies, status, and expiration time.
- Export intelligence data, Sharing of Outbound Intelligence Records from GUI, and Add to TAXII Collections from Library List View
- Enhanced STIX 2.1 export to include Traffic Light Protocol (TLP) definitions applied to intelligence objects as TLP 2.0 marking definition objects. For more information, see Marking Definition.
- System properties for TISC Reports
- The system property
sn_sec_tisc.reporting.email_template_sn_sec_tisc_caseis no longer supported in TISC. It has been renamed tosn_sec_tisc.default_report_email_template, effective with the latest release.
- Configure custom MISP API feed
- Enhanced MISP API feed ingestion to handle events when the published timestamp is greater than the modified timestamp.
- Define Vulnerability and Access the Vulnerability Entities
- Enhanced the vulnerability schema to support additional vulnerability intelligence fields related to CVSS scoring, exploit details, and remediation information.
Activation information
Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.