TISC Enrichment Integrations

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC Enrichment Integrations

    The Threat Intelligence Security Center (TISC) base system does not come with pre-configured integrations. ServiceNow customers must install and configure third-party enrichment integrations to enhance observables, perform sighting searches, or conduct threat lookups. This capability enables automatic gathering of additional threat intelligence context from external security vendors.

    Show full answer Show less

    Integration Management

    Each integration is a separate application that must be installed before configuration. Once installed, integrations appear as cards within the TISC workspace under Workspaces > Threat Intelligence Security Center > Integrations > Enrichment Integrations > All Integrations. Integration cards are visible only if at least one integration of that enrichment type is installed (Observable Enrichment, Sighting Search, or Threat Lookup).

    The All Integrations view allows customers to:

    • Filter integrations by status: All, Enabled, Disabled, or Draft
    • Toggle between card and list views
    • Refresh the integration list
    • Sort integrations by last modified date or name
    • Search integrations by name or description

    Configuring New Enrichments

    Customers can configure new enrichments either from the All Integrations view or from specific enrichment sections. The process involves:

    1. Selecting the enrichment type: Observable Enrichment, Sighting Search, or Threat Lookup
    2. Choosing the desired integration from available options
    3. Filling out the integration form which includes:
      • Name: A unique identifier for the enrichment integration
      • Vendor Name: Automatically pre-filled based on the selected integration
      • Integration Type: Pre-filled based on the selected enrichment type
      • Description: A unique description for the integration
      • Integration Configuration: Vendor-specific details such as API keys, client IDs, usernames, passwords, etc.
    4. Saving the configuration as either a draft or final configuration
    5. Enabling the integration to activate enrichment functionality

    Draft mode allows saving incomplete configurations and prevents enabling until fully completed.

    Enrichment integrations can also be enabled, disabled, or deleted through the Actions menu on integration tiles.

    Functional Capabilities

    • Observable Enrichment: Automatically enrich observables with threat intelligence to assess potential security threats.
    • Sighting Search: Utilize TISC and Elastic Search integrations to find sightings related to observables.
    • Threat Lookup: Use VirusTotal and CrowdStrike Falcon to scan recognized observables for malware and retrieve intelligence results.

    Why It Matters

    Configuring these integrations enables ServiceNow customers to enhance their threat intelligence data with external vendor insights, improving the accuracy and speed of threat detection and response within the Security Operations environment.

    The Threat Intelligence Security Center base system does not include any pre-configured integrations. This section provides instructions for configuring both ServiceNow and third-party integrations.

    Important:

    Make sure that you’ve installed the required third-party app integrations. You can see the observables, sighting search, and threat lookup details only for the third-party apps that are installed.

    All Integration Configurations

    All the integrations are separate applications that needs to be installed. TISC supports integrations with third party vendors. Any installed integrations can be configured here.

    This section displays cards for each of the configured integration implementations that you can activate and use.

    Each enrichment type’s section would be visible only if at least one of the corresponding integration for that enrichment type is installed. For example, the Threat Lookup section would be visible under Enrichment Integrations only if at least one Threat Lookup integration is installed.

    The configured integration cards can be viewed by navigating to Workspaces > Threat Intelligence Security Center > Integrations > Enrichment Integrations > All Integrations.

    Threat Intelligence integrations

    Actions on the All Integrations view

    The All Integration view enables you to perform the following actions.
    Table 1. Actions on All Integrations view
    Action Description
    All Use this dropdown menu to filter integrations based on their current state. You can filter based on the following states:
    • All: Displays all the integrations on the page. This is the default option.
    • Enabled: Displays all the integrations that are in an enabled state.
    • Disabled: Displays all the integrations that are in a disabled state.
    • Draft: Displays all the integrations that are in a draft state.
    Card view Use this action to view all the integrations in the form of cards.
    List view Use this action to view all the integrations in the form of lists.
    Refresh Use this action to refresh the All Integrations page.
    Sort Use this action to sort all the integrations based on the following:
    • Last Modified (recent)
    • Last Modified (oldest)
    • Name (A-Z)
    • Name (Z-A)
    Search in catalog Use this action to search for configured integrations based on name and description within the catalog.

    Configure new enrichment from All Integrations view

    You can configure new enrichments from the All Integrations view or directly from the Observable Enrichment, Sighting Search, or Threat Lookup sections respectively. To configure the new enrichment from all the All Integrations view, perform the following steps.
    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Integrations icon, and select the All Integrations section.

      Configure new enrichment from All Integrations view

    3. Click the Configure new enrichment action.

      The Configure new enrichment pop-up appears with three enrichment types, which are Observable Enrichment, Sighting Search, or Threat Lookup. You need to choose which type of enrichment you want to configure.

      Configure the enrichment type

    4. Select an enrichment type, and click Next.

      This takes you to the pop-up that displays the available integrations. You need to choose the integration you want to configure.

    5. Select an integration from the list of available integrations, and click Select.

      This takes you to the Create New Enrichment Integration page of the selected integration. This page is pre-filled with details of the selected integration by default. For example, WHOIS integration.

    6. On the Create New Integration form, fill the fields.
      Table 2. Configure the new enrichment integration form
      Field Description
      Name Enter a name for the new enrichment integration. For example, WHOIS1.
      Vendor Name Name of the vendor. The details of the selected vendor are pre-filled by default. For example, WHOIS.
      Integration Type Type of integration that you selected. For example, Observable Enrichment. The details of the selected integration type are pre-filled by default.
      The following Integration Types are supported:
      • Observable Enrichment
      • Sighting Search
      • Threat Lookup
      Description Enter a unique description for the new enrichment integration.
    7. In the Integration Configuration section, configure the integration details based on your requirements.

      The Integration Configuration section includes configuration details like API key, API Client ID or secret, username, password, and so on, which you need to fill in. These configuration details vary for different integrations.

    8. Click the Save action to store and create the enrichment integration configuration.

      The provided details are validated, and by default the enrichment integration's status is disabled.

    9. (Optional) Click the Save as Draft action to only store the integration configurations as draft. Users cannot enable an integration when it is saved in draft

      If you're not sure about the configuration details, you can use the Save as Draft option. After you get the configuration details, you can fill the remaining information in the draft version and create it.

    10. To enable the enrichment integration, click Enable.

      The enrichment integration is enabled successfully.

    11. You can also enable, disable, or delete a particular enrichment integration by using the Actions menu of the required integration tile on the Catalog page or the Enrichment Integrations page.