Threat Intelligence Security Center release notes

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    • The ServiceNow® Threat Intelligence Security Center application empowers your organization to connect security and IT teams so you can respond faster and more efficiently to threats. Threat Intelligence Security Center was enhanced and updated in the Yokohama release.

    Threat Intelligence Security Center highlights for the Yokohama release

    • Integrate with Microsoft Defender to enable Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs from TISC to Microsoft Defender.
    • Added creation of security incident directly from a TISC case with an option to associate observable artifacts to the security incident.
    • Enhanced support to export observables, indicators, and cases from the list views in STIX 2.1 JSON, CSV, and Excel formats.
    • Added settings to ingest indicators of interest based on associations to threat actors, threat reports, or malware families, including an option to include indicators deleted on CrowdStrike.
    • Improved Threat Intelligence Feed configuration functionality to create a duplicate copy of the existing feed.

    See Threat Intelligence Security Center for more information.

    Important:
    Threat Intelligence Security Center is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Yokohama release

    Microsoft Defender for EDR Integration
    Integration with the Microsoft Defender for EDR allows Cyber Threat Intelligence (CTI) analysts to automatically push malicious or suspicious IP addresses, domains, file hashes, and URLs to Microsoft Defender for continuous monitoring and real-time alerting.
    Create a security incident from a TISC case
    Create security incidents and associate observables to the security incidents from a TISC case.
    Duplicate threat intelligence feeds
    Duplicate threat intelligence feeds to create an exact copy of the existing feed.

    Changed in this release

    Courses of Action
    Renamed Course of Actions to Courses of Action.
    Create Inbound Data Exclusion Rules
    Renamed Inbound Filtering Rules to Inbound Data Exclusion Rules.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Security Operations common functionality
    The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.

    Related ServiceNow applications and features

    Threat Intelligence
    The ServiceNow Threat Intelligence application displays indicators of compromise (IoC) and enables you to enrich security incidents with threat intelligence data.