Threat Intelligence Feeds

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Feeds

    Threat Intelligence Feeds in ServiceNow enable customers to add, edit, or remove various external threat intelligence data sources to enhance their security operations. These feeds are accessible via the Threat Intel Catalog under the Integrations section within the Threat Intelligence Security Center workspace. The catalog presents available feeds as tiles with filtering, searching, and navigation capabilities to manage feed configurations effectively.

    Show full answer Show less

    Key Features

    • Feed Management: Manage feeds by enabling, disabling, or drafting them. View feeds as cards or lists and refresh or sort based on criteria like last modified date or name.
    • Filtering and Searching: Filter feeds by state (enabled, disabled, draft) and by source or feed type including Open Source, Premium Source, CSV, JSON, MISP, RSS, STIX, and custom feeds. Search feeds by name or description within the catalog.
    • Feed Types Supported:
      • TAXII Feeds: STIX/TAXII collection format.
      • STIX HTTPS: Feeds in STIX format accessible via REST API over HTTPS.
      • MISP: Feeds formatted for MISP.
      • Text, CSV, JSON: Hosted files with extraction of URLs, domains, file names, hashes, and IP addresses.
      • RSS: RSS format feeds stored as RSS Feed Records.
      • Custom: Feeds configured with custom parsers extracting key observables.
    • Field Mapping: Customize how feed data fields map to observables to ensure proper interpretation of threat intelligence data.
    • Duplication: Create exact copies of existing threat feeds, including all associated data like indicators and actors, to streamline feed management.
    • STIX and TAXII Support: Native understanding and support for Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) protocols, facilitating standardized CTI exchange.

    Key Outcomes

    By leveraging Threat Intelligence Feeds, ServiceNow customers can integrate diverse and rich external threat data into their security workflows. This improves threat detection, analysis, and response capabilities by providing structured and actionable intelligence from multiple sources. The ability to filter, search, and customize feeds ensures customers can tailor their threat intelligence to their organization's needs, enhancing overall security posture.

    Use Threat Intelligence Feeds to add, edit, or remove Threat Intelligence feed data source.

    The data source feeds are available from the Threat Intel Catalog under Integrations section.

    The catalog for threat intelligence feeds is built to show the available feed data sources in the form of tiles and has the ability to filter, search, and navigate to the details of the source configuration and perform various actions.

    All Feeds

    The base system includes a series of cards for each of the feeds that you can enable and use.

    The Feeds can be viewed by navigating to Workspaces > Threat Intelligence Security Center > Integrations > Threat Intel Feeds > All Feeds.

    Threat Intelligence Feeds

    Actions on the All Feeds view

    The All Feeds section enables you to perform the following actions.
    Table 1. Actions on All Integrations view
    Action Description
    All Use this drop-down menu to filter feeds based on their current state. You can filter based on the following states:
    • All: Displays all the feeds on the page. This is the default option.
    • Enabled: Displays all the feeds that are in an enabled state.
    • Disabled: Displays all the feeds that are in a disabled state.
    • Draft: Displays all the feeds that are in a draft state.
    Card view Use this action to view all the feeds in the form of cards.
    List view Use this action to view all the feeds in the form of a list view.
    Refresh Use this action to refresh the page.
    Sort Use this action to sort all the integrations based on the following:
    • Last Modified (recent)
    • Last Modified (oldest)
    • Name (A-Z)
    • Name (Z-A)
    All items Use this action to filter and list the threat intelligence feed tiles by source type or feed type.
    Source Type:
    • Open Source
    • Other Source
    • Premium Source
    Feed Type:
    • CSV
    • Custom Feed
    • JSON
    • MISP
    • RSS
    • STIX HTTPs
    • Text
    Search in catalog Use this action to search for feeds based on the name and description within the catalog.

    Types of Threat Intel Feeds

    The following are the types of threat intelligence feeds which can be configured and enabled:
    Table 2. Threat Intelligence Feeds
    Type Description
    TAXII Feeds Feeds that are available as STIX/TAXII Collections format.
    STIX HTTPS Threat Intelligence feeds in STIX format that can be accessed through REST APIs on HTTPS protocol.
    MISP Feeds that are in the MISP Format Feeds.
    Text Feeds that are available as hosted files in text format.
    Note:
    Only URLs, domains, file names, hashes, and IP addresses are extracted.
    CSV Feeds that are available as hosted files in CSV format.
    Note:
    Only URLs, domains, file names, hashes, and IP addresses are extracted.
    JSON Feeds that are available as hosted files in JSON format.
    Note:
    Only URLs, domains, file names, hashes, and IP addresses are extracted.
    RSS Feeds that are available in RSS format. The application will store the data as RSS Feed Records.
    Custom Feeds that are configured using custom parsers.
    Note:
    Only URLs, domains, file names, hashes, and IP addresses are extracted.

    For the next steps in the procedure, refer to the respective section for configuring a each specific feed type. Threat Intelligence Feeds.