TISC Intel Exchange API
Enables external systems to share threat intelligence data with the Threat Intelligence Security Center (TISC) application.
This API requires the Threat Intelligence Security Center application, which is available on the ServiceNow Store.
For additional information about TISC, see Threat Intelligence Security Center.
This API runs in the sn_sec_tisc namespace. The calling user must have the sn_sec_tisc.api_post_intel role.
The current version of this API is v1.
TISC Intel Exchange - POST /sn_sec_tisc/tisc_intel_sharing_api/post_intel
Shares threat intelligence data from an external source with the Threat Intelligence Security Center (TISC) application.
This endpoint creates an inbound intelligence record, as well as records for indicators, objects, and observables.
Indicator records are created in the Indicator Source [sn_sec_tisc_indicator_source] table.
Object records are created in the following tables:
- Attack Pattern Source [sn_sec_tisc_attack_pattern_source]
- Campaign Source [sn_sec_tisc_campaign_source]
- Course of Action Source [sn_sec_tisc_course_of_action_source]
- Data Component [sn_sec_tisc_data_component]
- Data Source [sn_sec_tisc_data_source]
- Identity Source [sn_sec_tisc_identity_source]
- Infrastructure Source [sn_sec_tisc_infrastructure_source]
- Intrusion Set Source [sn_sec_tisc_intrusion_set_source]
- Location Source [sn_sec_tisc_location_source]
- Malware Analysis Source [sn_sec_tisc_malware_analysis_source]
- Malware Source [sn_sec_tisc_malware_source]
- Marking Definition Source [sn_sec_tisc_marking_definition_source]
- Object Sighting Source [sn_sec_tisc_object_sighting_source]
- Observed Data Source [sn_sec_tisc_observed_data_source]
- Threat Actor Source [sn_sec_tisc_threat_actor_source]
- Threat Event Source [sn_sec_tisc_threat_event_source]
- Threat Grouping Source [sn_sec_tisc_threat_grouping_source]
- Threat Note Source [sn_sec_tisc_threat_note_source]
- Threat Opinion Source [sn_sec_tisc_threat_opinion_source]
- Threat Report Source [sn_sec_tisc_threat_report_source]
- Tool Source [sn_sec_tisc_tool_source]
- Vulnerability Source [sn_sec_tisc_vulnerability_source]
Observable records are created in the following tables:
- Artifact Source [sn_sec_tisc_artifact_source]
- AS Number Source [sn_sec_tisc_as_number_source]
- Directory Source [sn_sec_tisc_directory_source]
- Domain Name Source [sn_sec_tisc_domain_name_source]
- Email Address Source [sn_sec_tisc_email_address_source]
- Email Message Source [sn_sec_tisc_email_message_source]
- Email Subject Source [sn_sec_tisc_email_subject_source]
- File Source [sn_sec_tisc_file_source]
- IPv4 Address Source [sn_sec_tisc_ipv4_address_source]
- IPv4 CIDR Source [sn_sec_tisc_ipv4_cidr_source]
- IPv6 Address Source [sn_sec_tisc_ipv6_address_source]
- IPv6 CIDR Source [sn_sec_tisc_ipv6_cidr_source]
- MAC Address Source [sn_sec_tisc_mac_address_source]
- MD5 Hash Source [sn_sec_tisc_md5_hash_source]
- Mutex Name Source [sn_sec_tisc_mutex_name_source]
- Network Source [sn_sec_tisc_network_source]
- Other Observable Source [sn_sec_tisc_other_observable_source]
- Process Source [sn_sec_tisc_process_source]
- SHA1 Hash Source [sn_sec_tisc_sha1_hash_source]
- SHA256 Hash Source [sn_sec_tisc_sha256_hash_source]
- SHA512 Hash Source [sn_sec_tisc_sha512_hash_source]
- Software Source [sn_sec_tisc_software_source]
- URL Source [sn_sec_tisc_url_source]
- User Account Source [sn_sec_tisc_user_account_source]
- Windows Registry Key Source [sn_sec_tisc_windows_registry_key_source]
- X.509 Certificate Source [sn_sec_tisc_x_509_certificate_source]
URL format
Versioned URL: /api/sn_sec_tisc/{api_version}/tisc_intel_sharing_api/post_intel
Default URL: /api/sn_sec_tisc/tisc_intel_sharing_api/post_intel
Supported request parameters
Path parameters
| Name | Description |
|---|---|
| api_version | Optional. Version of the endpoint to access. For example, v1 or v2. Only specify this value to use an endpoint version other than the latest. Data type: String |
Query parameters
| Name | Description |
|---|---|
| None |
Request body parameters (JSON)
| Name | Description |
|---|---|
| <Object> | STIX 2.1 or MISP payload containing the threat intelligence data to share with TISC. When using MISP, it must be an array of MISP event payloads. |
Headers
The following request and response headers apply to this HTTP action only, or apply to this action in a distinct way. For a list of general headers used in the REST API, see Supported REST API headers.
| Header | Description |
|---|---|
| Accept | Data format of the response body. Only supports application/json. |
| Profile-GUID | Unique identifier of the inbound intelligence profile configured in the receiving instance that data is being shared with. To obtain the unique identifier, navigate to the Administration tab of , then go to Inbound Intelligence Profiles and click the profile you want to use. On the profile page, select Copy Profile ID or Email Profile Details. |
| Shared-Intel-Format | Format of the data being shared. Possible values: MISP, STIX 2.1 |
Status codes
The following status codes apply to this HTTP action. For a list of possible status codes used in the REST API, see REST API HTTP response codes.
| Status code | Description |
|---|---|
| 200 | Successful. The request was successfully processed. |
| 400 | Bad Request. Possible errors: |
| 422 | Unprocessable Content. The request body doesn't follow the format specified by the Shared-Intel-Format request header. |
| 500 | Internal server error. An unexpected error occurred while processing the request. The response contains additional information about the error. |
Response body parameters (JSON)
| Name | Description |
|---|---|
| error | Error information. This parameter is only returned if the request failed. Data type: Object |
| error.message | Error message containing the reason the request failed. Data type: String |
| error.detail | Additional details about why the request failed. Data type: String |
| result | Details about the records that were successfully created. Data type: Object |
| result.createdEntitiesCount | Count of each type of created entity. Data type: Object |
| result.createdEntitiesCount.indicators | Count of created indicators. Data type: Number |
| result.createdEntitiesCount.objects | Count of created objects. Data type: Number |
| result.createdEntitiesCount.observables | Count of created observables. Data type: Number |
| result.receivedIntelligenceRecord | Identification number of the created inbound intelligence record. Data type: String Table: Inbound Intelligence [sn_sec_tisc_inbound_intelligence] Column: Number |
cURL request
This example creates records for an indicator, object (malware), and observable (domain name) based on data in STIX 2.1 format.
```bash
curl "https://instancename.service-now.com/api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel" \
--request POST \
--header 'Shared-Intel-Format: STIX 2.1' \
--header 'Profile-GUID: a87febc22b80b210ceeaf5486e91bfdb' \
--header 'Content-Type: application/json' \
--user 'username:password' \
--data '{
  "type": "bundle",
  "objects": [
    {
      "id": "domain-name--4b5f73f2-1bf2-5250-8926-55f0604bcb0c",
      "type": "domain-name",
      "defanged": false,
      "value": "testdomain.com",
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ]
    },
    {
      "id": "indicator--64c35f36-1b32-4250-8926-55f0604bcbaf",
      "type": "indicator",
      "spec_version": "2.1",
      "revoked": false,
      "confidence": 74,
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ],
      "pattern": "[ domain-name:value = 'testdomain.com' ]",
      "name": "Test Indicator",
      "description": "References to this domain are indicative of the presence of the Test malware in the environment",
      "valid_from": "2011-02-11T00:00:00.000Z",
      "kill_chain_phases": [
        {
          "kill_chain_name": "lockheed-martin-cyber-kill-chain",
          "phase_name": "exploit"
        }
      ]
    },
    {
      "id": "malware--1ec31776-1b7a-4610-8f18-cb31604bcb36",
      "type": "malware",
      "spec_version": "2.1",
      "revoked": false,
      "confidence": 60,
      "object_marking_refs": [
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
      ],
      "name": "Test Malware",
      "description": "Once infected with this malware, a host becomes part of the Test Botnet",
      "is_family": false,
      "last_seen": "2023-06-26T08:04:17.000Z",
      "aliases": [
        "Alias1"
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "lockheed-martin-cyber-kill-chain",
          "phase_name": "control"
        }
      ],
      "capabilities": [
        "anti-vm"
      ]
    }
  ]
}'
```
Response body.
```json
{
  "result": {
    "receivedIntelligenceRecord": "IBTI0001001",
    "createdEntitiesCount": {
      "observables": 1.0,
      "indicators": 1.0,
      "objects": 1.0
    }
  }
}
```
cURL request
This example creates records for objects and observables based on data in MISP format.
```bash
curl "https://instancename.service-now.com/api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel" \
--request POST \
--header 'Shared-Intel-Format: MISP' \
--header 'Profile-GUID: a87febc22b80b210ceeaf5486e91bfdb' \
--header 'Content-Type: application/json' \
--user 'username:password' \
--data '[
  {
    "Event": {
      "id": "134",
      "orgc_id": "3",
      "org_id": "1",
      "date": "2016-03-28",
      "threat_level_id": "3",
      "info": "OSINT - TREASUREHUNT: A CUSTOM POS MALWARE TOOL",
      "published": true,
      "uuid": "56f92df0-24f0-4c6e-a297-6f2402de0b81",
      "attribute_count": "54",
      "analysis": "2",
      "timestamp": "1459171202",
      "distribution": "3",
      "proposal_email_lock": false,
      "locked": false,
      "publish_timestamp": "1727129707",
      "sharing_group_id": "0",
      "disable_correlation": false,
      "extends_uuid": "",
      "protected": null,
      "event_creator_email": "user.name@email.com",
      "Org": {
        "id": "1",
        "name": "ORGNAME",
        "uuid": "ed6dd3f3-f4a9-4109-974c-4b8da8795b96",
        "local": true
      },
      "Orgc": {
        "id": "3",
        "name": "EXAMPLE",
        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
        "local": false
      },
      "Attribute": [
        {
          "id": "17426",
          "type": "link",
          "category": "External analysis",
          "to_ids": false,
          "uuid": "56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81",
          "event_id": "134",
          "distribution": "5",
          "timestamp": "1459170858",
          "comment": "",
          "sharing_group_id": "0",
          "deleted": false,
          "disable_correlation": false,
          "object_id": "0",
          "object_relation": null,
          "value": "https://www.example.html",
          "Galaxy": [],
          "ShadowAttribute": []
        },
        {
          "id": "17429",
          "type": "md5",
          "category": "Payload delivery",
          "to_ids": true,
          "uuid": "56f92ea5-2d50-4fc9-92ef-6f2302de0b81",
          "event_id": "134",
          "distribution": "5",
          "timestamp": "1459170981",
          "comment": "TREASUREHUNT 0.1",
          "value": "cec2810556c63e9c225afb6a5ca58bc1",
          "Galaxy": [],
          "ShadowAttribute": []
        },
        {
          "id": "17430",
          "type": "md5",
          "category": "Payload delivery",
          "to_ids": true,
          "uuid": "56f92ea6-2890-41b3-8059-6f2302de0b81",
          "event_id": "134",
          "distribution": "5",
          "timestamp": "1459170982",
          "comment": "TREASUREHUNT 0.1",
          "value": "cb75de605c171e36c8a593e337275d8f",
          "Galaxy": [],
          "ShadowAttribute": []
        },
        {
          "id": "17431",
          "type": "md5",
          "category": "Payload delivery",
          "to_ids": true,
          "uuid": "56f92ea6-009c-4348-a0b2-6f2302de0b81",
          "event_id": "134",
          "distribution": "5",
          "timestamp": "1459170982",
          "comment": "TREASUREHUNT 0.1",
          "value": "6a9348f582b2e121a5d9bff1e8f0935f",
          "Galaxy": [],
          "ShadowAttribute": []
        }
      ],
      "Tag": [
        {
          "id": "35",
          "name": "tlp:white",
          "colour": "#ffffff",
          "exportable": true
        }
      ]
    }
  },
  {
    "Event": {
      "id": "646",
      "orgc_id": "3",
      "org_id": "1",
      "date": "2017-03-10",
      "threat_level_id": "2",
      "info": "OSINT - Wikileaks Vault7 JQJSNICKER code leak",
      "published": true,
      "uuid": "58c2fcf1-283c-45fa-b289-45ae02de0b81",
      "attribute_count": "14",
      "analysis": "2",
      "timestamp": "1489174168",
      "distribution": "3",
      "event_creator_email": "user.name@example.com",
      "Org": {
        "id": "1",
        "name": "ORGNAME",
        "uuid": "ed6dd3f3-f4a9-4109-974c-4b8da8795b96",
        "local": true
      },
      "Orgc": {
        "id": "3",
        "name": "CIRCL",
        "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
        "local": false
      },
      "Attribute": [
        {
          "id": "140266",
          "type": "link",
          "category": "External analysis",
          "to_ids": false,
          "uuid": "58c2fd63-b1a4-4f74-aa79-41a602de0b81",
          "value": "http://example.com/",
          "Tag": [
            {
              "id": "35",
              "name": "tlp:white",
              "colour": "#ffffff"
            }
          ]
        },
        {
          "id": "140268",
          "type": "filename|sha1",
          "category": "Payload delivery",
          "to_ids": true,
          "uuid": "58c2fdc4-e6d8-4f6e-9eb5-4dbb02de0b81",
          "comment": "JQJSNICKER",
          "value": "Installer.dll.embedded.core.dll.file|02aa4d3712f324aa4b125056b52a5200691eb62b"
        },
        {
          "id": "140269",
          "type": "filename|sha256",
          "category": "Payload delivery",
          "to_ids": true,
          "uuid": "58c2fdc6-5064-49be-b39a-429402de0b81",
          "comment": "JQJSNICKER",
          "value": "Installer.dll.embedded.core.dll.file|ea042bd3a7df11273e233c423e9740e6b51001911139855ef39501472a1e5fb0"
        }
      ],
      "Tag": [
        {
          "id": "35",
          "name": "tlp:white",
          "colour": "#ffffff"
        }
      ]
    }
  }
]'
```
Response body.
```json
{
  "result": {
    "receivedIntelligenceRecord": "IBTI0001005",
    "createdEntitiesCount": {
      "observables": 9,
      "indicators": 0,
      "objects": 2
    }
  }
}
```
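The two cURL requests above, rebuilt as a small Python client that checks the payload shape before sending and turns the documented error object into an exception; this is an added example, not ServiceNow's code. The function names and the shape checks (an `Event` key in each MISP element, a top-level STIX bundle) are assumptions drawn from the page's examples.

```python
import base64
import json
import urllib.error
import urllib.request

API_PATH = "/api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel"


def build_request(instance_url, profile_guid, intel_format, payload, user, password):
    """Check the payload shape locally, then build the POST request."""
    if intel_format == "MISP":
        # Page: MISP must be an array of events ("Event" key assumed from its example).
        ok = isinstance(payload, list) and all(
            isinstance(e, dict) and "Event" in e for e in payload)
    elif intel_format == "STIX 2.1":
        # Assumption: STIX 2.1 is sent as a bundle, as in the page's example.
        ok = isinstance(payload, dict) and payload.get("type") == "bundle"
    else:
        raise ValueError(f"unsupported Shared-Intel-Format: {intel_format!r}")
    if not ok:
        raise ValueError(f"payload is not shaped like {intel_format} data")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "Shared-Intel-Format": intel_format, "Profile-GUID": profile_guid,
               "Authorization": "Basic " + token}  # same basic auth as curl --user
    return urllib.request.Request(instance_url.rstrip("/") + API_PATH, method="POST",
                                  data=json.dumps(payload).encode(), headers=headers)


def parse_response(status, body):
    """Return (record number, counts) on 200; raise with error.message/detail."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if status != 200 or not isinstance(doc, dict) or "result" not in doc:
        err = (doc.get("error") or {}) if isinstance(doc, dict) else {}
        raise RuntimeError(f"HTTP {status}: {err.get('message')} ({err.get('detail')})")
    result = doc["result"]
    # The page's STIX response reports counts as 1.0; normalise them to int.
    counts = {k: int(v) for k, v in result["createdEntitiesCount"].items()}
    return result["receivedIntelligenceRecord"], counts


def post_intel(req, timeout=30):
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:  # 400, 422 and 500 carry a JSON error body
        return parse_response(exc.code, exc.read())
```

Comparing the returned counts with what the sender expected to create is a quick check that the inbound profile accepted every entity. Read the password from the environment or a secret store rather than embedding it in the script.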