Recorded Future for ServiceNow Threat Intelligence Security Center (TISC) - Getting Started

Updated November 04, 2025 11:11

Introduction

The Recorded Future integration with ServiceNow Threat Intelligence Security Center (TISC) enables organizations to leverage real-time threat intelligence and enhance their security operations. This integration consists of two main components:

Feeds: Automatically ingest threat intelligence feeds into TISC.
Enrichment: Enhance observables with contextual threat intelligence.

This guide outlines the prerequisites, installation, and configuration steps for both components.

Prerequisites

ServiceNow TISC: Ensure your ServiceNow environment includes Threat Intelligence Security Center.
User Roles:
- sn_sec_tisc.admin: Required for configuration.
- sn_sec_tisc.analyst: Required for running enrichment tasks.
Recorded Future API Key: Obtain from your Recorded Future account.

Installation Steps

1. Feeds Component Installation

Navigate to the Integrations section within Threat Intelligence Security Center.
Go to TAXII Feeds under Threat Intel Feeds -> STIX TAXII -> Taxi Feeds.
Click the Configure new source button in the top right.
Fill out any mandatory fields and the following in the Configuration Details section:
- TAXII Version: 2.1
- Configuration Type: Enter Discovery Service URL
- URL: https://api.recordedfuture.com/taxii2
- Authentication: Basic
- Username: api (This parameter is unused and can be set to anything)
- Password: (Your API key)
Click the Save button to save the configuration.
Click the Validate Connection button to validate the connection.
Click the Get TAXII Collections button to fetch all available collections from this source.
Go to TAXII Collections under Threat Intel Feeds -> STIX TAXII -> TAXII Collections to configure and enable the individual collections.

Refer to the attached TISC - RF STIX TAXII Feed.pdf for detailed setup instructions.

2. Enrichment Component Installation

Search for Recorded Future for TISC in the ServiceNow store and install the application.
Navigate to the Integrations section within Threat Intelligence Security Center.
Go to Observable Enrichment under Enrichment Integrations -> Observable Enrichment.
Click Configure New Enrichment and select TISC Enrichment.
Fill out the mandatory fields:
- Name: (Your preferred name)
- API Token: (Your API key)
Click the Save button to save the configuration.

Refer to the attached Application Installation and Configuration Guide - Recorded Future for TISC.pdf for more details.

For further assistance, contact Recorded Future Support at support@recordedfuture.com.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.

Articles in this section