MISP integration for Security Operations release notes

  • Release version: Store
  • Updated June 11, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MISP integration for Security Operations release notes

    The MISP integration for Security Operations in ServiceNow enables enhanced investigation and response capabilities for security incidents by integrating MISP threat intelligence. It supports features such as sightings search, observable enrichment, event search, and the creation and updating of MISP events directly within the ServiceNow platform. The integration evolves regularly to improve performance, security, and usability within the Security Incident Response (SIR) workspace and Flow Designer environment.

    Key Features and Updates

    • Observable Enrichment and Sightings Search: Enables detailed investigation by enriching observables with MISP data and searching for sightings effectively, including fixes for special characters and type mismatches.
    • Event Creation and Management: Allows automatic creation and updating of MISP events with support for local and global security tags, improving threat intelligence categorization and correlation.
    • Integration with MITRE ATT&CK: Automatically rolls up MITRE ATT&CK Techniques from associated MISP events into Security Incidents, enhancing threat analysis.
    • Flow Designer Migration: Workflows for MISP enrichment and automation have been migrated to Flow Designer, streamlining configuration and execution.
    • Security Enhancements: Dictionary-level fields are upgraded to Strict Read-Only to prevent unauthorized changes, ensuring consistent security enforcement across UIs, scripts, and integrations.
    • Performance Improvements: Query optimizations reduce database load, improving responsiveness and reliability.
    • SSO Compatibility and Workspace Support: Fixes for validation when MISP is behind SSO and enhancements to render MISP forms natively within the SIR workspace.
    • Maintenance and Cleanup: Implementation of table cleanup rules to maintain data hygiene within the integration.

    Practical Benefits for ServiceNow Customers

    • Seamless threat intelligence integration that enhances security incident investigation and response workflows.
    • Improved accuracy and automation in handling MISP events and observables, reducing manual effort.
    • Enhanced security controls to safeguard integration data and configurations.
    • Optimized performance ensures faster processing and better user experience within Security Operations.
    • Support for latest ServiceNow features such as Flow Designer and SIR workspace integration for modernized operations.

    What to Expect

    By adopting the latest versions of the MISP integration, customers can expect a more secure, efficient, and fully integrated threat intelligence experience within their ServiceNow Security Operations environment. Regular updates address known issues and add capabilities that align with evolving security investigation needs.

    Version history for the MISP integration for Security Operations on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 1.4.6 - June 2026
    Fixed: Cobalt Raven Non-Glide Query ACLs Directive.
    Version 1.4.5 - April 2026
    Fixed: Optimised queries to reduce database operations and improve performance.
    Version 1.4.4 - February 2026
    Fixed: MISP Events with NULL Attributes or Tags now process correctly from queue tables. Previously, these events failed during automatic creation, causing the queue status to remain stuck at "running" instead of progressing to the next status.
    Version 1.4.0 - December 2025
    New: Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
    Version 1.3.11 - August 2025
    New: Introduced an improvement to Security Incident Response where MITRE ATT&CK Techniques from associated MISP Events are automatically rolled up and reflected in the corresponding Security Incident.
    Version 1.2.1 - June 2025
    • Fixed:
      • Sightings Search Flow triggering an error.
      • REST Action error when called from Script Action: Refresh MISP Galaxies Event Handler.
    Version 1.2.0 - November 2024
    Changed: Migration of Workflows to Flow Designer for MISP integration.
    Version 1.1.2 - August 2024
    • New:
      • Migrated workflows to Flow Designer for MISP enrichment capabilities.
      • Introduced a new field called Security tags for the automatic MISP profile configuration. The integration also verifies observables with security tags that are not attached to the automatic event created using the profile.
      • Introduced local and global tags in the automatic MISP profile configuration. The selected tags are then added to the newly created automatic MISP event.
    Version 1.1.1 - May 2024
    • Fixed:
      • When an observable started with the '!' symbol, the MISP enrichment flow treated it as a filter condition and did not return proper results. This is now fixed.
      • When a sightings search was triggered for an observable that had the same name but a different type in MISP, the flow did not succeed. This is now fixed.
    Version 1.0.12 - January 2024

    Fixed: MISP integration validation was failing when the MISP instance was configured behind SSO. This is now fixed.

    Version 1.0.11 - December 2023
    Changed: Added supporting changes to render MISP forms on SIR workspace.
    Version - May 2023
    Fixed: Implemented table cleanup rules for MISP.
    Version 1.0.7 - April 2023
    Changed: Updated to support this integration on the Security Incident Response workspace.
    Version 1.0.5 - February 2023
    New: Updated to support Security Incident Response workspace.
    Version 1.0.3 - November 2022
    • Fixed:
      • For editing tags, the MISP write role is given in addition to sn_si read.
      • POL_ON_MISP automatic profile UI.
      • MITRE-ATT&CK information was not shown for Associated Observables when MISP is installed on an instance.
    Version 1.0.1 - August 2021
    New: MISP integration enables you to investigate security incidents by supporting capabilities like sightings search, observable enrichment, event search, along with the ability to create and update events in MISP.