Threat Intelligence Security Center release notes

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center Release Notes - Zurich Release

    The ServiceNow Threat Intelligence Security Center (TISC) application fosters collaboration between security and IT teams to accelerate and improve threat response. The Zurich release introduces significant enhancements, including external sharing, improved investigation capabilities, and expanded integration options. These updates enable organizations to automate and secure the sharing and analysis of threat intelligence more effectively.

    Key Features

    • External Sharing: Generally available support for secure, automated sharing of threat intelligence using STIX 2.1 and MISP formats across external agencies, integrations (such as SIEMs and EDRs), TAXII-based TISC instances, and inbound feeds.
    • Investigation Canvas Enhancements: Redesigned interface with activity timelines, internal intelligence integration, improved node designs and interactions, enhanced related record retrieval, and upgraded MITRE ATT&CK card with filtering capabilities. Additional features include customized nodes, node relationships, grouping/ungrouping nodes, and priority tagging of MITRE Techniques.
    • Event Importing: Ability to import events directly from MISP servers and support for text-based feeds (TEXT, CSV, JSON) with a unified mapping experience.
    • Confidence Mapping: CrowdStrike feed now supports mapping of malicious confidence levels to observable confidence values, improving indicator reliability assessments.
    • Custom Reporting: New reporting section in the Threat Intelligence Library allows generation of reports outside case management using base templates.
    • UI and Usability Improvements: Introduction of an “Add From Internal Intelligence” option, deletion warnings for observables, code editor for custom field mapping input, and a “Clear Canvas” button to reset investigations.
    • Theming and Accessibility: The Coral theme is now the default for portals and mobile, providing a fresh, brand-neutral look with an optional dark theme to reduce eye strain and enhance readability.
    • Additional Configuration and Integration: Support for configuring the TISC add-on in Splunk with optional attributes, adding observables directly to security control lists during import, and setting default Traffic Light Protocol (TLP) levels via system properties.

    Activation and Related Applications

    TISC must be installed by requesting it from the ServiceNow Store. It integrates closely with other ServiceNow Security Operations applications such as Threat Intelligence (for IoC management), Security Incident Response (for managing incident lifecycles and analytics), and shares common functionality activated via the Security Support Common plugin.

    What This Means for ServiceNow Customers

    With the Zurich release of Threat Intelligence Security Center, customers gain enhanced capabilities to automate and secure threat intelligence sharing, improve threat investigations with comprehensive visual tools and internal data, and integrate seamlessly with external intelligence sources and platforms. These improvements help security and IT teams respond faster and with greater confidence to emerging threats, streamline workflows, and improve overall security posture.

    The ServiceNow® Threat Intelligence Security Center application enables your organization to connect security and IT teams so you can respond faster and more efficiently to threats. Threat Intelligence Security Center was enhanced and updated in the Zurich release.

    Threat Intelligence Security Center highlights for the Zurich release

    • External sharing is now generally available, allowing secure and automated sharing of threat intelligence in STIX 2.1 and MISP formats.
    • Redesigned the Investigation Canvas with activity timelines, added internal intelligence, improved node design and interactions, enhanced related records to retrieve all the associated records, and upgraded the MITRE card with filter capabilities for a smoother experience.
    • Introduced the ability to import events directly from the MISP server.
    • Implemented a unified mapping experience for text-based feeds in the TEXT, CSV, and JSON import formats.
    • Implemented confidence mapping for the CrowdStrike (CS) Feed as part of additional settings. You can now map the malicious confidence levels of CrowdStrike indicators to the observable confidence values.

    See Threat Intelligence Security Center for more information.

    Important:
    Threat Intelligence Security Center is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Zurich release

    Take advantage of external sharing for secure, automated, and on-demand dissemination of threat intelligence using STIX 2.1 and MISP formats. Supports sharing across external agencies (CISA, ISAC), integrations (SIEMs, EDRs), TAXII-based TISC instances, and inbound intelligence from external entities.
    About Report Templates in TISC
    Generate reports outside case management using base templates through a new reporting section in the Threat Intelligence Library.
    Configure custom MISP API feed
    Import events, attributes, and objects from the MISP server into the Threat Intelligence Library.
    Configure Custom Event Types for Timeline and Using Timeline in Investigation Canvas
    Define, visualize, and manage timeline events associated with nodes through the Investigation Canvas.
    Configure TISC add-on in Splunk
    Include optional attributes during configuration that can be stored in the Splunk KV Store.
    View Premium Threat Feed for CrowdStrike
    Map CrowdStrike Indicator Malicious confidence to TISC confidence.
    View Threat Intel Feeds
    Map specific source values to required observable fields during the import process.

    UI changes

    Introduced an Add From Internal Intelligence option to include data from internal systems.
    Define an Observable
    Introduced a notice when deleting an observable record to help prevent accidental removal of its associated source records.
    Configure Custom Field Mapping
    The list view has been replaced with a code editor in the Sample data (Input) section of the field mapping, preserving the original structure and formatting of raw data.
    Creating an investigation canvas Clear canvas button
    A Clear canvas button permanently removes all nodes from the investigation canvas.
    Manage Techniques
    Introduced Priority levels and TISC Tags to categorize and tag MITRE Techniques more effectively.
    Components installed with Threat Intelligence Security Center
    Introduced a new system property to configure the default Traffic Light Protocol (TLP) level.
    Import data using structured file
    Introduced an Add Observable(s) to Security Control List drop-down list to enable importing allow-listed observables directly through Import Intelligence.
    Coral theme
    Coral is now the default theme for new portal, web, and mobile experiences with Next Experience or Core UI enabled. This theme provides a fresh look and feel, featuring brand-neutral illustrations to enhance your user experience. A dark theme option is available for web and mobile experiences.

    Changed in this release

    Aggregate and analyze the data from internal systems through internal intelligence included in the Investigation Canvas module to help you identify potential threats more effectively.
    Import Intelligence in TISC
    Enhanced the Import Intelligence functionality to support direct import of allow list observables.
    Working with Investigation Canvas
    The Investigation Canvas feature has been extended to include customized nodes, node relationships, and node legends, as well as the grouping and ungrouping of nodes.
    Investigation canvas and MITRE ATT&CK
    Navigate and use the MITRE ATT&CK model within the Investigation Canvas more effectively by taking advantage of enhanced filtering options.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Accessibility information

    Dark theme
    The new Coral theme includes a dark theme option for web and mobile experiences. This option is commonly used to alleviate eye strain and improve readability.