Working with Reports in TISC

  • Release version: Zurich
  • Updated November 24, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Working with Reports in TISC

    The Reports module in the Threat Intelligence Library section of TISC allows ServiceNow customers to create, manage, and publish structured reports using threat intelligence data. Reports are divided into two main categories: Case Reports and Intelligence Reports, each designed to meet different analytical needs while supporting features like previewing, publishing, sharing via email, and downloading.

    Show full answer Show less

    Case Reports

    Case Reports provide detailed information related to individual cases, using designated templates that automatically pull data from case fields, related records, and intelligence. Access to these reports is tightly controlled—only users or groups with explicit permission to access the case can view or interact with the associated reports. These reports maintain the same structure and capabilities as existing CTI case reporting and appear in both the All Reports and Case Reports views within the Threat Intelligence Library. This ensures secure and structured reporting tailored for case-level investigations.

    Intelligence Reports

    Intelligence Reports offer a flexible way to generate structured reports using any threat intelligence data from the library, independent of specific cases. Analysts can customize these reports using templates, record selection tools, slash commands, and table insertion options. Unlike Case Reports, Intelligence Reports exclude case-specific data and instead allow dynamic content insertion through slash commands.

    • Slash Commands: Enable quick insertion of dynamic data such as total record counts from supported tables, specific record fields, or system users directly into the report.
    • Supported Tables: Include various intelligence-related tables like Observable, Indicator, Attack Pattern, Campaign, Malware, Threat Actor, Vulnerability, and many others, allowing comprehensive data inclusion.
    • Record and User Selection: Slash commands facilitate browsing and selecting specific records or system users to incorporate into the report content.

    Intelligence Reports are available in both the All Reports and Intelligence Reports views, providing analysts with a powerful tool to generate tailored, comprehensive threat intelligence reports.

    Using the Reports Module

    • View All Reports: Access a complete list of all reports.
    • View Case Reports: Filter to see reports tied to specific cases.
    • View Intelligence Reports: Filter to view intelligence-based reports independent of cases.
    • View My Reports: Quickly locate reports created by the logged-in user.

    Practical Benefits for ServiceNow Customers

    This reporting functionality enables analysts to efficiently generate and share structured, secure, and customizable threat intelligence reports, enhancing collaboration and decision-making. Controlled access to case reports ensures sensitive information is protected, while intelligence reports provide flexibility for broader intelligence sharing and analysis. Slash commands and templates streamline report creation, improving productivity and accuracy in threat intelligence reporting.

    The Reports module in the Threat Intelligence Library section enables you to create, manage, and publish reports that use any intelligence available in the Threat Intelligence Library.

    Reports in the threat intelligence library are categorized into case reports and intelligence reports.

    They support key capabilities such as previewing, publishing, sharing via email, and downloading. These reports provide analysts with a structured and shareable format for threat intelligence reporting.

    Case Reports

    Case Reports contain information specific to an individual case. Using the case designated templates, analysts can generate reports that automatically pull data from the fields, related records, and intelligence within the selected case.

    Access to the Case Reports is strictly controlled. Only users or groups with permission to access the case can view or interact with its reports. Without the appropriate permissions, the report and its contents are not accessible.

    Case Reports follow the same structure and capabilities as the existing CTI case reporting. For more information, see About Report Templates in TISC. These case reports appear in All Reports and Case Reports views of the threat intelligence library Reports module providing a structured and secure result for case level investigations.

    Intelligence Reports

    Intelligence Reports provide a flexible way to generate structured reports using any available threat intelligence from the Threat Intelligence Library. Using templates of the Intelligence Report category, analysts can create reports that incorporate data from library lists and specific intelligence objects without depending on a case.

    Unlike Case Reports, Intelligence Reports do not display case-specific fields or records. Instead, analysts can use record selection tools, slash commands, and table insertion options to customize the content of the report.

    Slash commands in the threat intelligence report allow you to quickly insert dynamic content such as record counts, specific records, or system users into a report.

    The following describes the usage of slash commands available within the Intelligence Report Editor.
    Slash Command Usage Wokflow Supported Tables
    Mention Count When you select this option, you can choose a table from the Supported Tables list to add the total record count to the report.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total records count for the selected table into the report.
    • Observable
    • Indicator
    • Attack Pattern
    • Campaign
    • Course of Action
    • Identity
    • Infrastructure
    • Intrusion Set
    • Location
    • Malware
    • Malware Analysis
    • Marking Definition
    • Object Sighting
    • Observed Data
    • Threat Actor
    • Threat Event
    • Threat Grouping
    • Threat Note
    • Threat Opinion
    • Threat Report
    • Tool
    • Vulnerability
    • Data Component
    • Data Source
    Select a Record

    When you navigate to an observable and type “/”, an option to select a corresponding fields appears. This allows you to browse and search the available fields for that record. Selecting a field automatically inserts its value into your input.

    The following is the screen shot that illustrates the navigation of selecting a record(s) using slash command.

    		 You can select a table from the provided Supported Tables list, and once selected, a drop down menu will display all the available records in that table, allowing you to choose the desired record.
    1. Select Mention Count from the slash command menu.
    2. Choose a table from the supported table list.
    3. The application inserts the total record count for the selected table into the report.
    Select a User By selecting this option, you can choose any individual from the list of system users to include in the report.
    1. Select Select a User from the slash command menu.
    2. Choose a user from the system user list.
    3. The selected user is inserted into the report.
    		 NA
    Figure 1. Record selection using Slash Command
    Record selection using slash command

    Reports include pre-defined templates, tables offering a comprehensive view of relevant intelligence.

    Intelligence Reports appear in the All Reports and Intelligence Reports views of the threat intelligence library Reports module.