Manual and Automated Sharing using flows
Summary of Manual and Automated Sharing using flows
This guide explains how ServiceNow customers can configure both manual and automated intelligence sharing between Threat Intelligence Security Center (TISC) instances using flows. It covers the setup of inbound and outbound intelligence profiles, necessary roles, authentication, and exclusion rules to enable secure and efficient sharing of threat intelligence data in STIX 2.1 format.
Key Configuration Steps
- Assign Required Roles: Ensure appropriate roles are assigned:
  - sn_sec_tisc.admin: For configuring and managing TISC settings.
  - sn_sec_tisc.api_post_intel: Assigned to a dedicated integration user for authenticating and posting intelligence via API.
  - admin (system administrator): For creating the API ingestion user.
- Set up Target TISC Instance:
  - Create a dedicated user with the sn_sec_tisc.api_post_intel role to authenticate incoming intelligence data.
  - Create an Inbound Intelligence Profile in the target instance:
    - Navigate to Workspaces > Threat Intelligence Security Center > Administration > Inbound Intel Sharing.
    - Select Inbound Intel Sharing Profiles and create a new profile.
    - Assign the dedicated authentication user and set the data format to STIX 2.1.
    - Save and enable the profile to receive intelligence data.
    - Use the “Copy Profile ID” button to obtain the profile ID needed for outbound configuration.
- Configure Source TISC Instance:
  - Set global sharing rules such as Outbound Intel Data Exclusion Rules and Outbound Intel Sharing Controls according to your organization's requirements.
  - Create an Outbound Intelligence Profile:
    - Specify the API endpoint URL for the target instance’s intelligence sharing API.
    - Enable authentication and enter the credentials of the dedicated target user.
    - Configure request headers to include:
      - Profile-GUID: The inbound profile ID copied from the target instance.
      - Shared-Intel-Format: Set to STIX 2.1.
    - Save, validate the connection, and enable the profile to activate sharing.
Why This Matters
Configuring manual and automated sharing using flows enables seamless, secure exchange of threat intelligence between TISC instances. This ensures your organization can efficiently ingest and disseminate relevant threat data, leveraging standardized data formats (STIX 2.1) and robust authentication practices to maintain data integrity and security.
What to Expect
- Automated sharing of threat intelligence with precise control over what data is shared or excluded.
- Improved collaboration between security teams or different organizational units via synchronized threat intelligence.
- Enhanced security posture through timely, accurate intelligence sharing backed by ServiceNow’s integrated flows and API capabilities.
This section describes how to configure manual sharing via GUI and automated intelligence sharing between TISC instances. It outlines the setup of inbound and outbound intelligence profiles, required roles, authentication configuration, and exclusion rules in both the source and target instances.
Configuring the Target TISC Instance
Role required: sn_sec_tisc.admin
Prerequisites: Before you begin, ensure you have the appropriate roles assigned.
| Step | Action | Required Role |
|---|---|---|
| Create API ingestion user | Create a dedicated user and assign required role | admin (system administrator) |
| Configure and manage TISC settings | Perform remaining configuration steps | sn_sec_tisc.admin |
| Post intelligence via API | Authenticate and submit intelligence data | sn_sec_tisc.api_post_intel (assigned to the integration user) |
- Create a user with the role sn_sec_tisc.api_post_intel: Create a dedicated user in the target TISC instance and assign them the sn_sec_tisc.api_post_intel role. This dedicated user is used to authenticate incoming intelligence data submitted to the instance.
- Set up an Inbound Intelligence Profile:
  - Navigate to .
  - Select Inbound Intel Sharing Profiles.
  - Create a new profile. For more information, see .
  - In the User for authentication field, select the user created in the previous step.
  - Set the Data format to STIX 2.1.
  - Save and enable the profile to allow the target TISC instance to receive intelligence.
  - Select the Copy Profile ID button to copy the profile ID.
    Note: You need the profile ID when configuring the outbound intelligence profile on the source TISC instance. For more information, see .
Configuring the Source TISC Instance
- Configure global sharing rules: Ensure the following are configured and published based on your requirements:
  - Outbound Intel Data Exclusion Rules. For detailed procedure, see .
  - Outbound Intel Sharing Controls. For detailed procedure, see .
- Create an Outbound Intelligence Profile:
  - Create a new outbound profile to manage the data sharing process. For more details, see .
  - Specify the API endpoint URL as: https://{instance name}/api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel
  - Set the Authentication required to true.
  - Enter the credentials of the user created in the target TISC instance (refer to the first step of the target setup) for the username and password.
  - Configure Request Headers: In the Headers to be passed with request field, include the following:
    - Profile-GUID: {Profile ID from the target TISC instance}
    - Shared-Intel-Format: STIX 2.1
  - Obtaining the Profile ID: The Profile ID required for the header can be found in the target TISC instance’s Inbound Intelligence Profile. Use the Copy Profile ID button to retrieve it. For more information, see .
  - Save and enable the outbound profile.
After configuration:
- Save the profile.
- Validate the connection to confirm it is functioning correctly.
- Enable the profile to activate intelligence data sharing.
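A pre-flight check for the outbound profile values described above, as an added example that is not ServiceNow code: it lints the endpoint URL, the two request headers and the credentials, then builds (without sending) the POST the target instance would receive. It assumes HTTP Basic authentication and a JSON body carrying a STIX 2.1 bundle; the function names and the sample bundle are constructed for illustration.

```python
import base64
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit
from urllib.request import Request

API_PATH = "/api/sn_sec_tisc/v1/tisc_intel_sharing_api/post_intel"  # path from this page

def check_outbound_profile(url, headers, username, password):
    """Return a list of problems with the outbound profile values (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("endpoint is not https; the credentials would travel in clear text")
    if parts.path != API_PATH:
        problems.append("endpoint path is not " + API_PATH)
    guid = headers.get("Profile-GUID", "").strip()
    if not guid or "{" in guid:  # empty, or the documentation placeholder pasted as-is
        problems.append("Profile-GUID header is missing or still a placeholder")
    if headers.get("Shared-Intel-Format") != "STIX 2.1":
        problems.append("Shared-Intel-Format header must be 'STIX 2.1'")
    if not username or not password:
        problems.append("authentication is required but a credential is empty")
    return problems

def sample_bundle():
    """Constructed STIX 2.1 bundle with one indicator (documentation-range IP)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": now, "modified": now, "valid_from": now,
        "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
    }
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": [indicator]}

def build_request(url, headers, username, password, bundle):
    """Build (not send) the POST; raises ValueError if the settings fail the checks."""
    problems = check_outbound_profile(url, headers, username, password)
    if problems:
        raise ValueError("; ".join(problems))
    req = Request(url, data=json.dumps(bundle).encode("utf-8"), method="POST")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)   # assumption: HTTP Basic auth
    req.add_header("Content-Type", "application/json")  # assumption: JSON request body
    for name, value in headers.items():
        req.add_header(name, value)
    return req  # urllib.request.urlopen(req) would send it to the target instance
```

Run the check against the values entered in the outbound profile before enabling it; a non-empty result lists each setting to correct.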