Threat Intelligence Security Center release notes

  • Release version: Australia
  • Updated March 12, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center Release Notes - Australia Release

    The ServiceNow Threat Intelligence Security Center (TISC) is a comprehensive, native threat intelligence platform on the ServiceNow AI Platform. It streamlines the ingestion, enrichment, investigation, response, and sharing of threat intelligence, empowering security teams to efficiently defend against evolving threats. The Australia release introduces significant enhancements aimed at improving analyst productivity, enriching threat data, and expanding integration capabilities.

    Show full answer Show less

    Key Features

    • Now Assist Case Summarization: AI-driven generation of concise case summaries, including overviews, findings, actions, and recommendations, to accelerate analyst workflows.
    • Playbooks Support in Case Management: Guided, stage-based workflows enable structured and efficient investigations for threat hunting and response.
    • Splunk Add-on Enhancements: Supports historical data ingestion and flexible expiration handling, improving integration with Splunk Enterprise.
    • Relationship Graph Improvements: New filtering capabilities and performance optimizations help analysts visualize and navigate threat relationships more effectively.
    • Enhanced MITRE ATT&CK Extraction: Schema now supports combined Techniques and Tactics regex extraction for richer threat tactic identification.
    • Expanded CrowdStrike Feed: Now includes malware ingestion, enhanced linking of threat actors to malware and locations, and structured tagging of attributes for filtering.
    • Have I Been Pwned (HIBP) Integration: Enables enrichment of observables with breach exposure data to identify compromised entities.
    • Automated Tagging and New Entity Support: Configurable tagging rules for RSS feeds; addition of CWE, remediation, product, vendor, and zero-day vulnerability entities with relationship linking.
    • Vulnerability and Incident Management Enhancements: Ability to create vulnerability assessments and security incidents directly from vulnerability records, streamlining risk evaluation and response.
    • UI and Catalog Updates: Improved Threat Intelligence Library navigation and new catalog entries such as the Google Project Zero RSS feed for real-time threat detection.
    • AI Platform Licensing Tiers: Introduction of Foundation, Advanced, and Prime tiers offering graduated AI capabilities and access levels, including generative AI skills and autonomous workflows.

    Practical Benefits for ServiceNow Customers

    • Accelerate threat case investigations with AI-generated summaries and guided playbooks, improving analyst efficiency and accuracy.
    • Enhance threat data quality and depth through enriched feeds and new entity relationships, enabling better contextual understanding.
    • Leverage integrations such as Splunk and CrowdStrike to unify threat intelligence workflows and historical data analysis.
    • Improve incident response speed by directly linking vulnerabilities to assessments and security incidents within the platform.
    • Utilize automated tagging and structured data to create actionable filters and improve threat hunting capabilities.
    • Benefit from continuous updates and real-time threat detection sources like Google Project Zero.
    • Choose AI capabilities aligned with your organization's needs through flexible licensing tiers.

    Activation and Related Applications

    TISC is available for installation via the ServiceNow Store. Customers should request access from the store and review version history for cumulative updates. This application integrates closely with other ServiceNow security offerings, including Threat Intelligence, Security Incident Response, and Vulnerability Response, providing a unified security operations experience.

    The ServiceNow® Threat Intelligence Security Center application is a threat intelligence platform built natively on the ServiceNow AI Platform to operationalize threat intelligence from feed ingestion and enrichment to investigation, response, and sharing. TISC enables security teams to act efficiently on intelligence and defend against threats. TISC was enhanced and updated in the Australia release.

    Threat Intelligence Security Center highlights for the Australia release

    • Introduced Now Assist Case Summarization skill that analysts can use to generate concise, AI-based case summaries.
    • Added playbooks support in Case Management, giving analysts a guided, stage-based workflow for investigations.
    • Added historical data ingestion and flexible expiration handling to TISC Add-on for Splunk Enterprise. 
    • Enhanced MITRE Extraction rule schema to add a combined Techniques and Tactics regex extraction type.
    • Enhanced Relationship Graph with filtering support and performance improvements.
    • Enhanced CrowdStrike feed to support ingestion of malwares.

    See Threat Intelligence Security Center for more information.

    Important:
    Threat Intelligence Security Center is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Australia release

    ServiceNow product tiers
    The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available:
    • Foundation: AI basics to deliver insights
    • Advanced: AI to boost productivity across relevant use cases
    • Prime: Act autonomously with all AI assets and create your own

    Depending on your entitlements, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents.

    Summarize a Case with Now Assist for Threat Intelligence Security Center
    Now Assist for Threat Intelligence Security Center brings generative AI capabilities directly into threat intelligence workflows.  Analysts can generate concise AI-powered summaries of threat cases, including case overview, findings, key actions taken, and recommended next steps.
    Automatic Threat Actor priority tagging
    Enable automatic tagging of threat actors based on their origin locations.
    Configure TISC add-on in Splunk
    TISC Add-on for Splunk Enterprise adds historical data ingestion and flexible expiration handling.
    Link nodes in the Relationship Graph
    The relationship graphs show immediate relationships to the home node for quick rendering of the graph. Filters enable analysts to narrow down to specific nodes and relationships. 
    MITRE ATT&CK Technique Extraction Rules
    Enhanced MITRE™ extraction rule schema to add a combined Techniques and tactics regex extraction type.
    Threat Hunting Playbook
    Threat hunting playbook is now available out of the box. Analysts can use Playbooks for case management as a guided, stage-based workflow for investigations.
    View Premium Threat Feed for CrowdStrike
    Enhanced CrowdStrike premium Threat feed by adding Malware to the record types to ingest. Threat Actor records now link to Malware through uses and develops relationships, and to Location through originates-from and targets relationships. Report and Indicator records are linked to Malware through associated-with. Threat Actor records ingested from CrowdStrike now represent capabilities, target industries, target regions, target countries, and origins as structured tags rather than free-text, additional context fields. Users can use these attributes as filters.
    Have I Been Pwned integration
    Added support in TISC for Have I been pwned? (HIBP) observable enrichment, enabling analysts to identify whether observables have been exposed in known data breaches instances.
    Configure Tagging Rules in TISC
    Introduced automated tagging of RSS feed records using configurable tagging rules to apply tags and taxonomies.
    Create a CWE record
    Introduced CWEs as related entities with support for relationship linking.
    Create Remediations
    Introduced remediations as related entities with support for relationship linking and added support for managing remediations.
    Create a Product
    Introduced products as related entities with support for relationship linking.
    Create a Vendor to a Vulnerability
    Associated vendors as related entities with support for relationship linking.
    Automated creation of zero day vulnerability
    Automatically generate zero day vulnerability records from flagged RSS feeds with extracted and linked CPE, CWE, and CVE details for enhanced threat analysis. The catalog now includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.
    Create Vulnerability Assessment from a Vulnerability
    Initiate vulnerability assessments directly from identified issues for faster risk evaluation. Sample workflows and flow actions are included to automate the assessment process.
    Create Security Incident from a Vulnerability Record
    Create security incident records directly from detected vulnerabilities to expedite incident response and streamline threat management workflows.
    Enable security incidents for vulnerabilities
    View vulnerabilities and related intelligence in the TISC Context tab of Security Incident Response Workspace, allowing analysts to quickly access risk data during investigations without navigating to separate records.

    UI changes

    TISC Library Repository
    Enhanced Threat Intelligence Library list views by grouping observables, indicators, threat entities, RSS feed, and vulnerability artifacts into appropriate categories for improved navigation.
    Create Vulnerability Assessment from a Vulnerability
    Introduced a new button Create Vulnerability Assessment to conduct a vulnerability assessment for a specific vulnerability.
    Create Security Incident from a Vulnerability Record
    Introduced a new button Create Security Incident to facilitate identifying vulnerabilities and enable faster incident response within the threat analysis.
    Threat Intelligence Security Center Catalog
    Introduced a new catalog entry which includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.

    Changed in this release

    MITRE ATT&CK Technique Extraction Rules and View extracted MITRE ATT&CK Techniques
    Enabled MITRE-ATT&CK extraction rules for RSS feed to map and associate MITRE-ATT&CK techniques.
    View RSS Feeds
    Enhanced the RSS feed schema and parsers to support additional fields, including tags, taxonomies, status, and expiration time.
    Export intelligence data, Sharing of Outbound Intelligence Records from GUI, and Add to TAXII Collections from Library List View
    Enhanced STIX 2.1 export to include Traffic Light Protocol (TLP) definitions applied to intelligence objects as TLP 2.0 marking definition objects. For more information, see Marking Definition.
    System properties for TISC Reports
    The system property sn_sec_tisc.reporting.email_template_sn_sec_tisc_case is no longer supported in TISC. It has been renamed to sn_sec_tisc.default_report_email_template, effective with the latest release.
    Configure custom MISP API feed
    Enhanced MISP API feed ingestion to handle events when the published timestamp is greater than the modified timestamp.
    Define Vulnerability and Access the Vulnerability Entities
    Enhanced the vulnerability schema to support additional vulnerability intelligence fields related to CVSS scoring, exploit details, and remediation information.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Related ServiceNow applications and features

    Threat Intelligence
    The ServiceNow Threat Intelligence application displays indicators of compromise (IoC) and enables you to enrich security incidents with threat intelligence data.
    Security Incident Response
    With Security Incident Response manage the life cycle of your security incidents from initial analysis to containment, eradication, and recovery. Security Incident Response enables you to get a comprehensive understanding of incident response procedures performed by your analysts, and understand trends and bottlenecks in those procedures with analytic-driven dashboards and reporting.
    Vulnerability Response
    Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
    Security Operations common functionality
    The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.