Set up Threat Intelligence Security Center

  • Release version: Zurich
  • Updated August 21, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Set up Threat Intelligence Security Center

    The Threat Intelligence Security Center (TISC) is a ServiceNow application that requires downloading from the ServiceNow Store before use. It provides a centralized platform for ingesting, enriching, analyzing, and managing threat intelligence data to enhance your organization's security operations.

    Show full answer Show less

    Roles and Responsibilities

    TISC defines specific user roles to manage and interact with the application effectively:

    • Threat Intelligence Administrator (snsectisc.admin): Responsible for configuring data sources, enrichment integrations, data import approval roles, threat score calculations, taxonomies, and relevant MITRE ATT&CK repositories. This role also assigns the Threat Intelligence Analyst role as needed.
    • Threat Intelligence Analyst (snsectisc.analyst): Focuses on viewing data overviews, importing intelligence, searching and managing ingested threat data, performing enrichment actions on observables, and creating and managing cases using the Threat Analyst Workbench.

    Configuration and Setup

    To ensure a smooth integration and effective use of TISC, administrators must:

    • Install the TISC application from the ServiceNow Store and assign the snsectisc.admin role.
    • Configure data sources to ingest threat intelligence feeds.
    • Set up enrichment integrations to enhance observable data.
    • Define data import approval roles for controlled data ingestion.
    • Create and configure threat score calculators to automate threat scoring.
    • Establish taxonomies and taxonomy values for consistent classification.
    • Configure the MITRE ATT&CK repository tailored to organizational needs.

    Granular Role Permissions

    Specific roles with scripting access support advanced configurations and customizations:

    • snsectisc.integrationwrite: Access to enrichment integration tables.
    • snsectisc.ruleswrite: Access to threat score calculator rule tables.

    Dependency Plugins

    TISC requires several supporting plugins and core ServiceNow applications to be installed and activated before configuration. These include:

    • Security Case Management and common workspace components
    • Threat Intelligence Support Common
    • Column Level Encryption
    • Large JSON and XML Payload Builder API
    • Security Support Core and Orchestration
    • Node Map Experience Component
    • Reporting and Rich Text Editor Components for Security Operations
    • Security Integration Framework and Security Support Common

    Verifying the installation and activation of these plugins ensures full functionality and integration capabilities of the Threat Intelligence Security Center.

    Before you use the Threat Intelligence Security Center, you must download it from the ServiceNow Store.

    Roles installed

    Review the following information and verify that you’ve completed all the tasks for a smooth integration. The following is the list of different user persona defined to access and work with the application:
    • Threat Intelligence Analyst (sn_sec_tisc.analyst)
    • Threat Intelligence Administrator (sn_sec_tisc.admin)
    Table 1. Entitlements applicable for TISC Roles
    Setup Description
    Assign and verify the required ServiceNow AI Platform and Threat Intelligence Security Center roles. The following roles are required for configuration and verification of the expected results:
    • As an admin, you must install the TISC application from the ServiceNow Store and assign the role as sn_sec_tisc.admin.
    • This sn_sec_tisc.admin role performs the following tasks:
      • Configures the Data Sources to ingest the data. For more information, see Threat Intelligence Feeds.
      • Configured the integrations required for Enriching Observable data in TISC. For more information, see TISC Enrichment Integrations.
      • Configures Data Import Approval Roles for importing data using Import Assistant. For more information, see Working with Data Imports.
      • Configures Threat Score Calculator using required criteria for automatic calculation of Threat Score of observables. For more information, see Define Threat Score Calculator.
      • Configures required Taxonomies and Taxonomy Values. For more information, see Creating Taxonomies.
      • Configure the MITRE ATT&CK repository relevant to your organization. For more information, see MITRE-ATT&CK Repository.
      Note:
      As a sn_sec_tisc.admin, you can also assign the sn_sec_tisc.analyst role.
    • The sn_sec_tisc.analyst role performs the following tasks:
      • Views the overview of data in the system using the application home page. For more information, see Home page in TISC Workspace.
      • Import data into system using Import Intelligence button in Threat Library Page. For more information, see Threat Intelligence Security Center Library.
        • Searches across the data present in the application using search provided in Threat Library page.
        • Manages the data ingested from various sources in Threat Library.
        • Performs various Enrichment actions on Observables.
        • Creates and Manages Cases. For more information, see Creating cases using Threat Analyst Workbench.

    Granular roles in TISC with scripting access

    The following roles provide scripting access to the listed tables:
    Role Table
    sn_sec_tisc.integration_write sn_sec_tisc_enrichment_integration
    sn_sec_tisc.rules_write sn_sec_tisc_threat_score_calculator_rule

    Dependency Plugins

    Plugin Description
    These following applications are required for installation of this application:
    • Security Case Management common workspace components [com.snc.escm.ws_commons]
    • Threat Intelligence Support Common [com.snc.threat]
    • Column Level Encryption (com.glide.encryption)
    • Large JSON and XML Payload Builder API (com.glide.streaming_builder)
    • Security Support Core (com.snc.security_support.core)
    • Node map Experience Component (sn_node_map)
    • Reporting UI Component for Workspace(sn_sec_reporting)
    • Rich Text Editor Component for Security Operations (sn_escm_rte)
    • Security Integration Framework(sn_sec_int)
    • Security Support Common(sn_sec_cmn)
    • Security Support Orchestration(sn_sec_cmn_orch)
    		 Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.