Threat Intelligence Security Center (TISC)
The Threat Intelligence Security Center (TISC) in ServiceNow Zurich Release is a comprehensive platform designed to enhance collaboration between threat intelligence teams. It enables collection, processing, analysis, and sharing of threat intelligence data from multiple sources in a centralized workspace. TISC supports administration, data enrichment, and actionable insights to improve security operations and threat response.
Threat Intelligence Security Center (TISC) lets you collaborate with threat intelligence teams. It collects and processes threat intelligence feeds from multiple sources and provides a workspace in which to analyze, collaborate on, act on, and share the resulting intelligence.
TISC covers the full intelligence lifecycle: data collection; data processing such as deduplication, normalization, and aggregation; analysis of threat intelligence; dissemination of threat intelligence; and a workspace for the administration tasks that support it.
Key features
The following Threat Intelligence Security Center (TISC) key features are explained in detail in the later sections:
- Curated Catalog of OSINT Threat Feeds: Provides access to a broad selection of popular open-source threat intelligence feeds, giving wide coverage.
- Premium Feed Integration: Enhances the quality of threat intelligence by integrating premium feeds.
- Automated Observable Extraction: Automatically identifies and extracts the commonly used observable types from uploaded files, streamlining the threat data ingestion process.
- Diverse Data Aggregation: Supports multiple data formats including STIX, MISP, JSON, and others, enabling seamless feed consolidation.
- Enrichment Capabilities & Validation: Improves data quality by removing false positives, assigning confidence scores, validating indicators, and adding contextual information.
- Integration Capabilities:
  - Enrichment integrations: Threat Lookup, Sighting Search, and Observable Enrichment. These enrich observables with threat intelligence and run sighting searches and threat lookups to determine whether an observable is malicious.
  - CrowdStrike Falcon EDR, with continuous monitoring and real-time alerting.
  - Security tool integrations for orchestration, such as SIEMs, EDRs, and firewalls.
- Correlation Rules Engine: Automatically establishes relationships between intelligence records, enabling deeper insight into threat patterns.
- Customizable Threat Scoring: Enables fine-tuning of threat scores for more nuanced and accurate threat assessment.
- Internal Intelligence integration: Enables integration of internal intelligence sources, including Vulnerability Response (VR), Security Incident Response (SIR), and Configuration Management Database (CMDB).
- User-Specific Dashboards: Tailors visualizations and data views according to Threat Intelligence personas, improving user experience and relevance.
- Graphical Visualization Tools: Simplifies analysis of complex threat intelligence data through graphical views such as relationship graphs and interactive investigation canvases.
- Dedicated Analyst Workspace: Provides a streamlined Threat Intelligence Analyst workspace so that analysts can focus on investigation and analysis with minimal distractions.
- Threat Case Management: Supports investigative workflows with task tracking and case handling.
- MITRE ATT&CK Integration: Enables users to link case records with MITRE ATT&CK framework data for enhanced kill chain analysis.
- Seamless SIR Integration: Ensures smooth data migration and interoperability between Security Incident Response and Threat Intelligence Security Center applications.
- Notification & Alert Rules: Establishes trigger alerts to notify teams based on evolving threat intelligence.
- Data Retention & Cleanup Policies: Enables organizations to define data management rules to maintain application performance and compliance.
- Reporting & Collaboration: Generates comprehensive status reports and investigation summaries using rich-text editors and customizable templates.
- Domain Separation for MSSPs: Supports multitenant environments, enabling Managed Security Service Providers (MSSPs) to segregate customer data securely.
- Extensive API integration: Offers the TISC API for seamless connectivity with other security tools and platforms.
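The Automated Observable Extraction, Diverse Data Aggregation, and Enrichment & Validation features above all rest on the same processing steps: pull observables out of each source format, normalize them to one canonical form, reject indicators that are not valid, and deduplicate across feeds. The script below is an added example of those steps and is not ServiceNow code; the STIX 2.1 bundle, the MISP-style event, and the free-text report are constructed sample inputs (the STIX identifiers are placeholders), and the type maps, `refang` rules, and source labels are this example's own assumptions, not TISC's.

```python
import ipaddress
import json
import re

# Constructed sample feed payloads (not real intelligence); the STIX ids are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "confidence": 80},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example.com']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005", "name": "x"},
    ],
})
MISP_EVENT = json.dumps({"Event": {"info": "constructed event", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
    {"type": "domain", "value": "BAD.Example.com", "to_ids": True},
    {"type": "url", "value": "hxxp://bad[.]example[.]com/payload", "to_ids": True},
    {"type": "ip-dst", "value": "999.1.1.1", "to_ids": True},      # invalid, must be rejected
    {"type": "comment", "value": "analyst note", "to_ids": False},  # not an observable
]}})
FREE_TEXT = ("Beacon to 203[.]0[.]113[.]10 and bad[.]example[.]com; dropper SHA-256 "
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

# Assumed mappings from source-specific types to this example's canonical kinds.
STIX_TYPES = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain", "url:value": "url",
              "file:hashes.'SHA-256'": "sha256", "file:hashes.MD5": "md5"}
MISP_TYPES = {"ip-dst": "ipv4", "ip-src": "ipv4", "domain": "domain", "url": "url",
              "sha256": "sha256", "md5": "md5"}
# Matches a single-comparison STIX pattern such as [ipv4-addr:value = '203.0.113.10'].
STIX_PATTERN = re.compile(r"\[([\w:-]+(?:\.'[^']+')?)\s*=\s*'([^']+)'\]")
TEXT_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def refang(value):
    """Undo common defanging so the same observable from different sources compares equal."""
    return (value.strip().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def canonical(kind, value):
    """Return the validated canonical form of an observable, or None if it is not valid."""
    value = refang(value)
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))   # rejects octets > 255, wrong length
        except ValueError:
            return None
    if kind in ("sha256", "md5"):
        value = value.lower()
        want = 64 if kind == "sha256" else 32
        return value if len(value) == want and all(c in "0123456789abcdef" for c in value) else None
    if kind == "domain":
        value = value.lower().rstrip(".")
        return value if TEXT_PATTERNS["domain"].fullmatch(value) else None
    if kind == "url":
        return value if value.startswith(("http://", "https://")) else None
    return None


def parse_stix(text):
    """Yield (kind, raw_value, source, confidence) from indicator objects in a STIX 2.1 bundle."""
    for obj in json.loads(text)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = STIX_PATTERN.fullmatch(obj["pattern"])
        if m and m.group(1) in STIX_TYPES:
            yield STIX_TYPES[m.group(1)], m.group(2), "stix", obj.get("confidence")


def parse_misp(text):
    """Yield actionable attributes (to_ids set) from a MISP-style event."""
    for attr in json.loads(text)["Event"]["Attribute"]:
        if attr.get("to_ids") and attr["type"] in MISP_TYPES:
            yield MISP_TYPES[attr["type"]], attr["value"], "misp", None


def extract_text(text):
    """Automated observable extraction from free text, such as an uploaded report."""
    text = refang(text)
    for kind, pat in TEXT_PATTERNS.items():
        for m in pat.finditer(text):
            yield kind, m.group(0), "upload", None


def aggregate(*streams):
    """Normalize, validate and deduplicate; returns ({(kind, value): record}, rejected_count)."""
    table, rejected = {}, 0
    for stream in streams:
        for kind, raw, source, conf in stream:
            value = canonical(kind, raw)
            if value is None:
                rejected += 1
                continue
            rec = table.setdefault((kind, value), {"sources": set(), "confidence": None})
            rec["sources"].add(source)           # one record per observable, many sources
            if conf is not None and (rec["confidence"] is None or conf > rec["confidence"]):
                rec["confidence"] = conf         # keep the highest stated confidence
    return table, rejected


if __name__ == "__main__":
    table, rejected = aggregate(parse_stix(STIX_BUNDLE), parse_misp(MISP_EVENT),
                                extract_text(FREE_TEXT))
    for (kind, value), rec in sorted(table.items()):
        print(f"{kind:7} {value:66} sources={sorted(rec['sources'])} confidence={rec['confidence']}")
    print(f"{rejected} record(s) rejected as invalid")
```

Ten raw records come in from the three sources; the invalid address is rejected and the rest collapse to four unique observables, each carrying the set of sources that reported it. Keeping the source set is what later lets a correlation rule or a threat score weigh an indicator seen in three independent feeds differently from one seen in a single upload.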
Threat Intelligence Security Center users
| User | Description |
|---|---|
| Administrator | Administers and configures the initial setup and ongoing maintenance of the Threat Intelligence Security Center, including configuring data sources and managing intelligence settings. |
| Analyst | Threat Intelligence Analysts are responsible for conducting analysis and research tasks requested by the team. They can import ad hoc intelligence to support their work and use the system’s tools for analysis, collaboration, and managing the intelligence library. |