Threat Intelligence Support Common release notes

  • Release version: Store
  • Updated June 11, 2026
  • 5 minutes to read
  • Version history for the Security Operations Threat Intelligence Support Common application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 13.6.4 - June 2026
    • New: Introduced a precedence mode in observable finding mode to control finding upgrades and downgrades.
    • Fixed: Performance issues caused by inefficient query patterns during MITRE ATT&CK operations have been resolved.
    Version 13.6.1 - April 2026
    New: MITRE DEFEND integration with ServiceNow.
    Version 13.6.0 - March 2026
    New: MITRE DEFEND integration with ServiceNow.
    Version 13.5.6 - January 2026
    • New:
      • MITRE DEFEND Framework Integration
        • Automated ingestion of MITRE DEFEND framework data with normalized and validated database schema.
        • Interactive graphical visualization of DEFEND techniques, threat entities, and defensive relationships within the SIR Workspace.
    Version 13.5.2 - December 2025
    Fixed: Resolved Null pointer exception appearing in logs when the SIR record is not found. Addressed SIR-TI MITRE ingestion failure by providing proper error messaging when maximum attachment size is set to a lower value and handling missing clean up for MITRE ingestion attachments.
    Version 13.5.0 - August 2025
    Fixed: Sighting count is getting increased when duplicate observables are adding through "Associate Observables".
    Version 13.3.2 - May 2025
    • Fixed:
      • Remove Run Orchestration UI Action from task observable table.
      • TISC Sighting Result column is missing in Sightings Search Result table.
      • Fixed few issues related to WF to FD migration.
    Version 13.3.1 - February 2025
    Changed: Migrated base system workflows to Flow Designer flows.
    Version 13.3.0 - November 2024
    Fixed a few security bugs.
    Version 13.2.2 - August 2024
    Changed: Supports migration of Workflow to Flow Designer.
    Version 13.1.13 - February 2024
    Fixed: [Read Replica] the system property 'last_run_to_compute_cve_vit_count' is removed and find/create a suitable table to store and access the required value.
    Version 13.1.12 - December 2023
    Fixed: Addressed the misconfiguration of table/field ACLs within the com.snc.threat plugin.
    Version 13.1.9 - November 2023
    • Fixed:
      • The "Sandbox submission failed" message appears before the submission is processed.
      • Added a global variable for the script, including MITREAutoExtraction to improve performance.
      • Over Permissive PWD2 Protection - com_glide_web_service_consumer_glideencrypt for TAXII profiles.
    Version 13.1.3 - August 2023
    • Fixed:
      • The Observable parser was not working correctly for URLs with IP addresses.
      • Sandbox submission failed message was prompted before the sandbox submission was processed.
    Version 13.1.1 - May 2023
    • Fixed:
      • Threat lookup V2 flows don't support filtering the Block from sharing tagged observables.
      • Table External References (sn_ti_stix2_external_reference) grows rapidly.
    Version 13.0.13 - April 2023
    Changed: Updated to support this application on the Security Incident Response workspace.
    Version 13.0.10 - February 2023
    • New: Added changes to support the Security Incident Response workspace.
    • Fixed: Character limitation on fields like 'Source_ip,' 'Dest_ip,' 'Action' for the table Splunk Sighting Search 'sn_ti_sighting_details.'
    Version 13.0.9 - December 2022
    • Changed:
      • Added report view ACLs for the following tables:
        • sn_ti_m2m_indicator_attack_mode
        • sn_ti_mitre_coverage_mapping
        • sn_ti_mitre_mitigation_coverage_mapping
        • sn_ti_scan
        • sn_ti_stix2_m2m_incident_attack
        • sn_ti_stix2_m2m_object
    Version 13.0.8 - November 2022
    • New:
      • Introducing a filter that allows running automated threat lookup on an observable only once within a configured duration. Any re-runs for the same observable will be skipped until the configured duration/period has passed.
      • Introducing a threat lookup finding calculator, which calculates the findings based on the responses received. For third-party integrations that provide the computed results, the threat lookup finding calculator maps the results to supported findings in the system.
      • Updated observable finding calculations based on recent threat lookup results.
    • Fixed:
      • Threat Lookup results created to the wrong domain.
      • Raw JSON payload is missing when a single sighting result is found.
      • Issue with observable type classification.
    Version 13.0.5 - June 2022
    • Fixed:
      • The payload for ICS/Enterprise attack from MITRE is updated. The fix is to accommodate the payload change.
      • Follow best practices while updating records.
      • Cosmetic issues in MITRE-ATTCK card fixed.
      • Stored Cross-Site Scripting (XSS) issue.
      • Deleted the OOB records shipped for Zeustracker-related Threat sources.
      • Modify the "Requests per minute (capability-based)" rate limit checking script to fix sighting search issues.
    Version 13.0.4 - February 2022
    • New: Added new Observable category and type
      • Observable type category: User
      • Observable type: Username
    Version 13.0.3 - January 2022
    • Changed:
      • Submission to Sandbox pop-up window title name is updated.
      • Added a new Description field to the Sandbox configuration.
    Version 13.0.1 - December 2021
    • New: Introduced new features related to MITRE ATT&CK framework which improves the ServiceNow AI Platform SOAR capabilities that enable proactive analysis, response, and reporting on threats across the security infrastructure.
    • Changed: Updated some of the existing features related to MITRE ATT&CK.
    Version 12.0.7 - June 2021
    • Fixed:
      • The hash lookup on observables is now working for the Metadefender integration.
      • The integration run errors for TAXII profiles for large data imports from the MITRE server have been fixed.
      • Capability framework abstract flows pointing to the wrong observable has been fixed.
      • Added support for MD5 Observables for Sandbox submissions.
    Version 12.0.3 - March 2021
    Fixed: TAXII end point is updated to MITRE GitHub to optimize the load on MITRE servers. MITRE collections are now pre-populated with the Threat Intelligence Core app.
    Version 12.0.0 - December 2020
    • New: Introduced the MITRE ATT&CK framework which improves the ServiceNow AI Platform SOAR capabilities that enable proactive analysis, response, and reporting on threats across the security infrastructure.
    • Changed: As part of the inclusive language initiative, allow list and deny list tags have been replaced with allow list and deny list respectively.
    Version 11.0.3 - November 2020
    New: Enabled report_view ACLs for sensitive tables and fields.
    Version 11.0.1 - September 2020
    • New:
      • Updated Threat Intelligence to support STIX 2.0, STIX 2.1 standards
      • Visualizer for STIX 2.0, STIX 2.1 objects and relationships
    Version 10.3.1 - June 2020
    • Fixed:
      • Bug fix for WHOIS Integration configuration tile to support special characters.
      • Bug fix for report_view ACL.
    Version 10.0.0 - March 2020
    New (in v10.0.0) Capability flows for Integration capability framework v2.0.
    Version 9.1.0 - January 2020
    • Fixed:
      • Nodes no longer run out of memory when the TAXII integration (STIXParser) parses a large XML file
      • Manual threat lookup for observables when the Security Incident Response UI app is not installed
    Version 8.0.10 - September 2019
    • Fixed:
      • Nodes running out of memory when the TAXII integration (STIXParser) parses a large XML file
      • Manual threat lookup for observables when Security Incident Response UI app is not installed
    Version 8.0.9 - June 2019
    Refer to Security Incident Response release notes for product changes and updates in the Madrid release.