Set Threat Intelligence Security Center properties

  • Release version: Yokohama
  • Updated April 21, 2026
  • 7 minutes to read

    • Review the components installed with Threat Intelligence Security Center to understand the roles, properties, and other elements added to your instance.

    Before you begin

    Role required: sn_sec_tisc.admin

    Note:
    Only users with the administrator [sn_sec_tisc.admin] role can modify them.

    Procedure

    1. Navigate All > Threat Intelligence Security Center > Properties.
    2. Configure the following properties, as needed.
      Property Description
      Properties for Threat Intelligence Security Center
      This will disable all the correlation rules. If we just need to disable selected correlation rules, use "active" field on correlation rule instead.

      sn_sec_tisc.disable_correlation_rules
      • Type: true | false
      • Default value: false
      This property is used to enable/disable processing of aggregates in threat score calculator feature.

      sn_sec_tisc.aggregates_for_calculator
      • Type: true | false
      • Default value: true
      The number of rows of raw data that will be saved when a Sighting Search is performed. Range 0 - 100

      sn_sec_tisc.sighting_search_raw_data_rows
      • Type: integer
      • Default value: 50
      Associate Sighting Search results with CIs in the CMDB.

      sn_sec_tisc.associate_ci_with_sighting_search
      • Type: true | false
      • Default value: true
      This will control whether URLs from lists will be defanged or not

      sn_sec_tisc.sn_sec_tisc_case.defang_record_list_urls
      • Type: true | false
      • Default value: false
      This property will enable the MITRE™ Technique(s), to be rolled up to case(s) from the associated objects or security incidents automatically.

      sn_sec_tisc.auto_rollup_mitre_data
      • Type: true | false
      • Default value: true
      If true, shows all tactics (including the tactics which doesn't have any techniques associated to the case) for the MITRE™ lists rendered in the report.

      sn_sec_tisc.show_all_tactics_reporting
      • Type: true | false
      • Default value: true
      Sys ID of the email client template for the Case (sn_sec_tisc_case) table which will be used in share report.

      sn_sec_tisc.reporting_email_template_sn_sec_tisc_case
      • Type: string
      • Default value: b55e22c54324021060eee0ea78b8f2df
      Default TLP level is applied when creating a new record. If not set manually on the form, this value will be used.

      sn_sec_tisc.tlp_default_value
      • Type: choice list
      • Default value: 955c9e5543d35110baf06e434ab8f2fb
      Logging level-debug,info,warn,error

      sn_sec_tisc.logging.verbosity
      • Type: choice list
      • Default value: info
      Properties for Threat Intelligence Feeds
      Maximum time in seconds an outbound HTTP connection waits to fetch TAXII collection data

      sn_sec_tisc.taxii.http.max_timeout
      • Type: integer
      • Default value: 300
      Maximum number of objects retrieved in one REST call from a TAXII server (Applicable only for TAXII versions 2.0 and 2.1)

      sn_sec_tisc.taxii.max_page_size
      • Type: integer
      • Default value: 5000
      Maximum number of retries for a failed TAXII 2. X REST call

      sn_sec_tisc.taxii2.retry_count
      • Type: integer
      • Default value: 3
      Maximum number of objects retrieved in one REST call from Cyware TAXII server

      sn_sec_tisc.cyware_taxii.max_page_size
      • Type: integer
      • Default value: 1000
      Note:
      Specifies the page size used when fetching data from TAXII collections related to the Cyware TAXII Feed.

      For all other TAXII collections, the page size retrieved from the TAXII collection defaults to the value defined in the corresponding property: [sn_sec_tisc.taxii.max_page_size].
      Number of records to fetch at a time from CrowdStrike. Higher the number, more the memory would consumed for processing the payload.

      sn_sec_tisc.crowdstrike_api_limit
      • Type: integer
      • Default value: 1000
      Denotes the number of indicators to be pulled in a single API call.
      Note:
      This is applicable only when the integration doesn't find the necessary present in the system.

      sn_sec_tisc.crowdstrike_indicator_batch_size
      • Type: integer
      • Default value: 1000
      Denotes the number of actors to be pulled in a single API call.
      Note:
      This is applicable only when the integration doesn't find the necessary present in the system.

      sn_sec_tisc.crowdstrike_actor_batch_size
      • Type: integer
      • Default value: 1000
      Denotes the number of reports to be pulled in a single API call.
      Note:
      This is applicable only when the integration doesn't find the necessary present in the system.

      sn_sec_tisc.crowdstrike_report_batch_size
      • Type: integer
      • Default value: 50
      The allowed total of offset and limit from CrowdStrike API.

      sn_sec_tisc.crowdstrike_offset_limit_total
      • Type: integer
      • Default value: 50000
      Properties for REST APIs
      Defines the maximum page size (max number of observables returned as part of the response) for Observables Fetch API. Not recommended to increase to high value as it may affect API response time.

      sn_sec_tisc.api_maximum_page_size_limit
      • Type: integer
      • Default value: 1000
      Defines the maximum number of observables that can be sent in the request body for Observables Add API. Not recommended to increase to high value as it may affect API response time.

      sn_sec_tisc.add_obs_api_max_records
      • Type: integer
      • Default value: 100
      Properties for Webhooks
      Maximum number of events to send as part of one webhook request. The batch size will be limited to 2000 even if a higher value is set in this property.

      sn_sec_tisc.webhook_max_event_batch_size
      • Type: integer
      • Default value: 100
      Number of times a failed request should be retried before marking it as error and moving on to next batch of events. The retry count will be limited to 10 even if a higher number is set in this property.

      sn_sec_tisc.webhook_retry_count
      • Type: integer
      • Default value: 100
      Number of seconds to wait before re-attempting a failed batch. This will exponentially increase based on the retry count. For eg, if retry_count is 3 and retry_interval is 30, retries are fired after 30, 60 and 120s. The initial retry interval will be limited to 300 seconds even if a higher value is set in this property.

      sn_sec_tisc.webhook_retry_interval
      • Type: integer
      • Default value: 30
      Ignore webhook events triggered by threat score re-apply

      sn_sec_tisc.webhook_ignore_threat_score_reapply
      • Type: true | false
      • Default value: true
      Properties for Investigation Canvas
      Setting the value to true adds new nodes to the top left corner; false adds them to the center of the canvas.

      sn_sec_tisc.canvas_suspend_reLayout
      • Type: true | false
      • Default value: true
      Properties for export in CTI formats
      Maximum number of rows that can be exported to a STIX 2.1 file

      sn_sec_tisc.stix_export_limit
      • Type: integer
      • Default value: 10000
      Include Journal type fields in export file.

      sn_sec_tisc.export_journal_fields
      • Type: true | false
      • Default value: true
      Properties for Threat Intelligence Sharing
      Enables or disables case sensitive for applying redaction for shared intel.

      (By default, the value will be false implying that the redaction will be case insensitive.)

      Note:
      Changing the value of this property from false to true or true to false will DELETE all the data from redaction category as well as values table.

      sn_sec_tisc.case_sensitive_for_redaction
      • Type: true | false
      • Default value: false
      Maximum number of rows allowed in the redaction upload file.

      sn_sec_tisc.max_redaction_rows_import
      • Type: integer
      • Default value: 10000
      Title of outbound TAXII server

      sn_sec_tisc.taxii_server_discovery_api_title
      • Type: string
      • Default value: ServiceNow TAXII Server
      Description of outbound TAXII server

      sn_sec_tisc.taxii_server_discovery_api_description
      • Type: string
      • Default value: Discovery endpoint for sharing cyberthreat intelligence via TAXII
      Title of outbound TAXII server default API root

      sn_sec_tisc.taxii_server_api_root_title
      • Type: string
      • Default value: ServiceNow TAXII Server
      Description of outbound TAXII server default API root

      sn_sec_tisc.taxii_server_api_root_description
      • Type: string
      • Default value: SAPI root endpoint for sharing cyberthreat intelligence via TAXII
      Default page size of TAXII Server API response

      sn_sec_tisc.taxii_server_api_response_page_limit
      • Type: integer
      • Default value: 100
      Maximum number of records that can be added to a outbound TAXII server collection

      sn_sec_tisc.taxii_server_collection_record_limit
      • Type: integer
      • Default value: 10000
      The maximum number of entities that can be added to a TAXII collection in a single "Add to TAXII Collection" request. The system enforces a hard limit of 10,000 entities per request, regardless of any higher configured value.

      sn_sec_tisc.add_to_taxii_collection_entity_threshold
      • Type: integer
      • Default value: 1000
      Properties for Tagging Rules
      Enables or disables case sensitive matching of keywords or regex n tagging rules (By default this is unselected (No) meaning matches are case-sensitive).

      sn_sec_tisc.case_sensitive_for_tagging_rules
      • Type: true | false
      • Default value: false
    3. Select Save to apply the changes made to the properties.

    What to do next

    Refer to the scheduled jobs described in the following table:
    Job Description
    Aggregate Indicator Source Records Aggregates Indicator source records.
    Aggregate Object Source Records Aggregates Object source records.
    Aggregate Observable Source Records Aggregates Observable source records.
    Cleanup of Stale Imports Cleans up stale import job records.
    Cleanup of unused new nodes of canvas Cleans up unused new nodes of canvas.
    Cleanup Secure File Download Records Cleans up secure file download records.
    De-duplicate Indicator Source Records Deduplicates Indicator source records.
    De-duplicate Object Source Records Deduplicates Object source records.
    De-duplicate Observable Source Records Deduplicates Observable source records.
    Inactivate Expired Indicators Inactivates expired indicator records.
    Inactivate Expired Objects Inactivates expired object records.
    Inactivate Expired Observables Inactivates expired observable records
    Migrate Data from TI to TISC Processes pending migration job run records
    Populate aggregated records for indicator source records Identifies parent aggregated record for newly created indicator source records
    Populate aggregated records for object source records Identifies parent aggregated record for newly created object source records.
    Populate aggregated records for observable source records Identifies parent aggregated record for newly created observable source records.
    Populate TISC Reference in TI Populates reference of TISC aggregated observable in TI observable record.
    Process Approved Imports Processes approved import jobs.
    Process Imported MISP Dsm Queue Records Processed staged MISP feed ingestion queue records.
    Process Imported MISP Indicator Import Queue Records Processes staged MISP data ingested from import intelligence
    Process Imported STIX Import Queue Records Processes staged STIX data ingested from import intelligence
    Process Imported STIX Import Queue Records - Ingestion Processes staged STIX data ingested from threat feeds.
    Process Pending Case Artifacts Migration Migrates case artifacts from Threat intelligence application to Threat Intelligence security center.
    Process pending threat source ingestion Queue Records Processes pending source ingestion queue records.
    Process Queued Entities For Threat Score Calculator processes pending threat calculator queue entries
    Process Queued MISP Dsm Queue Records Processes queued MISP data ingested from threat feed
    Process Queued MISP Indicator Import Queue Records Processes queued MISP data ingested from import intelligence
    Process Queued STIX Import Queue Records - Ingestion Processes queued STIX data ingested from threat feeds.
    Process Queued STIX Indicator Import Queue Records Processes queued STIX data ingested from import intelligence
    Process Webhook Queue Processes pending webhook queue records.
    Re-Aggregate Source Records Re-aggregates source records for which aggregated records are deleted.
    Remove filtered source record Cleans up filtered source records
    Resume CrowdStrike Integration Process Checker / Reprocess CrowdStrike Source Records Resumes CrowdStrike feed integration runs waiting for rate limit / Reprocess source records for aggregating relationships
    Sync False Positive Observables Count Synchronizes observable false positive counts with flase positive counts per source
    TISC Create Webhook Batches Created batches for queued webhook queue entries for processing
    TISC Fire Webhooks Executes pending webhook batches
    Updating Relationship Archived Column Updates relationship source and target records archival status