4.0.1
Zurich, Yokohama, Xanadu, Washington DC, Vancouver, Utah
Threat Intelligence Security Center (TISC) is a comprehensive platform designed to bolster an organization's cybersecurity posture by providing advanced threat intelligence capabilities. Built to address the evolving landscape of cyber threats, TISC empowers security teams with actionable insights to proactively detect, mitigate, and respond to potential security incidents.
- Curated catalog of popular OSINT threat feed sources.
- Integration of premium feeds to enhance threat intelligence.
- Automatic identification and extraction of all observables from uploaded files.
- Granular expiration policies.
- Data aggregation from diverse feeds, including STIX, MISP, JSON and more.
- Enrichment capabilities for the removal of false positives, confidence scoring of indicators, validation of indicators, and the addition of contextual information.
- Correlation rules for automatically establishing relationships between observables.
- Customizable threat score calculator for nuanced threat assessment.
- Integration of internal intelligence encompassing Vulnerability Response (VR), Security Incident Response (SIR), Assets, Services, and the CMDB.
- User-specific dashboards tailored to Threat Intel personas.
- Graphical visualization tools for comprehending Threat Intel data.
- Dedicated Threat Intel Analyst Workspace for streamlined operations.
- Threat hunting with case/task management functionality and an interactive investigation canvas.
- Automated MITRE ATT&CK technique extraction and rollup.
- Seamless integration with SIR, including smooth data migration from Threat Intelligence within SIR to the Threat Intelligence Security Center.
- Notification rules that trigger alerts based on threat intelligence.
- Data retention and cleanup policies.
- Status reports and investigation summaries generated and shared using the case reports' rich text editor and customizable report templates.
- Domain separation support for MSSP use cases.
- Integration with security tools using the TISC API.
- Point integrations with security tools and sample flows for automated actions.
- Webhook support for real-time, trigger-based notifications.
- Data migration utility for migration from the SIR Threat Intelligence module to TISC.
New:
- Threat Intelligence External Sharing:
  - The general availability of external sharing capabilities enables secure and seamless dissemination of threat intelligence both on-demand and automatically, utilizing standardized formats such as STIX 2.1 and MISP through template-based interfaces.
  - Supported sharing modes now include TISC-to-external agencies (CISA, ISAC, etc.), external product integrations (SIEMs, EDR, etc.), TAXII-based sharing between TISC instances across parent and subsidiary organizations, as well as inbound intelligence from external entities.
  - Enhancements to user experience, processing, and performance incorporate additional UI actions, options for sharing MITRE techniques as labels or tags, configuration controls for lossless data transfer between TISC instances, and expanded capabilities for reviewing and tracking shared intelligence.
- Intelligence Reports:
  - A dedicated reporting section has been introduced in the Threat Intelligence Library, allowing users to generate reports outside of case management with any available intelligence, supported by several base templates. Case-level visibility restrictions are now enforced within the reporting module for case reports to strengthen access control.
  - Library searches have been improved to include reports, returning results that match report descriptions and content.
- RPZ API for Sinkhole Integration:
  - An API has been developed to facilitate the export of threat intelligence in RPZ format for DNS sinkhole deployments, supporting domains, IPv4 and IPv6 addresses, and CIDR ranges.
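As an added illustration of the RPZ format that API exports (example code written here, not part of TISC or this listing), the generator below turns the four indicator kinds the page names (domains, IPv4, IPv6, CIDR ranges) into RPZ zone records that redirect matching queries and responses to a sinkhole. The sample indicators, the zone origin `rpz.example.` and the sinkhole name `sinkhole.example.` are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample indicators (value, type); not taken from the page.
SAMPLE_INDICATORS = [
    ("Malicious.Example.", "domain"),
    ("203.0.113.7", "ipv4"),
    ("198.51.100.0/24", "cidr"),
    ("2001:db8::1", "ipv6"),
    ("2001:db8:1::/48", "cidr"),
    ("not a domain!", "domain"),   # invalid on purpose; must be skipped
]

# One or more DNS labels: letters, digits, hyphens, no leading/trailing hyphen.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

def rpz_ip_owner(text):
    """Owner name for an RPZ response-IP trigger: prefix length, then the
    address in reverse order, under the rpz-ip label. IPv6 groups use the
    shortest form and a '::' run is written as the single label 'zz'."""
    net = ipaddress.ip_network(text, strict=False)  # bare address -> /32 or /128
    if net.version == 4:
        parts = str(net.network_address).split(".")
    else:
        compressed = net.network_address.compressed.replace("::", ":zz:")
        parts = [p for p in compressed.split(":") if p]
    return f"{net.prefixlen}.{'.'.join(reversed(parts))}.rpz-ip"

def rpz_records(value, kind, sinkhole):
    """Zone-file lines (owner names relative to the zone origin) for one
    indicator; returns [] for values that do not parse, so bad feed data
    cannot break the zone."""
    try:
        if kind == "domain":
            name = value.strip().rstrip(".").lower()
            if not DOMAIN_RE.match(name):
                return []
            # QNAME trigger for the name itself and for every subdomain.
            return [f"{name} CNAME {sinkhole}", f"*.{name} CNAME {sinkhole}"]
        return [f"{rpz_ip_owner(value.strip())} CNAME {sinkhole}"]
    except ValueError:
        return []

def build_rpz_zone(indicators, origin="rpz.example.", sinkhole="sinkhole.example."):
    """Assemble a minimal RPZ zone: SOA/NS header plus one block per indicator."""
    lines = [f"$ORIGIN {origin}", "$TTL 300",
             f"@ SOA ns.{origin} hostmaster.{origin} 1 3600 600 86400 300",
             f"@ NS ns.{origin}"]
    for value, kind in indicators:
        lines.extend(rpz_records(value, kind, sinkhole))
    return lines
```

Load the returned lines into a resolver's RPZ zone and bump the SOA serial on each export so secondaries pick up the change.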
Enhancements:
- Investigation Canvas & Relationship Graph:
  - Internal intelligence records, including security incidents and vulnerabilities, may now be added as nodes to the Investigation Canvas and Relationship Graph.
  - Timeline capabilities have been incorporated into the Investigation Canvas, enabling temporal analysis with flexible event-type configurations.
  - User experience has been further enhanced with multi-node actions, bulk operation support, and clear differentiation in activity stream updates between canvas-only node removals and library deletions.
- MITRE Framework Improvements:
  - The user experience has been refined through additional confirmation prompts, enhanced context for node selection (type and value), and default display of all MITRE techniques.
  - Filters applied on the MITRE card now persist through canvas pop-outs.
- Data Collection Enhancements:
  - New configuration options enable direct integration with MISP servers via API, facilitating dynamic event ingestion with advanced filtration.
  - Enhanced parsing logic supports additional entity types from MISP.
  - Deduplication and aggregation improvements ensure that the latest records take precedence over prior entries in CrowdStrike Feed integrations; new filters under additional settings offer greater control over ingested data.
  - The Import Intelligence feature now accommodates STIX objects and relationships, and directly imports intelligence exported from other TISC instances.
  - The advanced field mapper for TEXT, CSV, and JSON feeds now allows multiple field mappings and scripted transformations (e.g., mapping several source fields to 'additional context'). Raw sample data is displayed, preserving delimiters and special characters, and regular expressions can now be used for delimiter selection.
- Additional Minor Enhancements:
  - Observable Fetch API supports filtering by tags and taxonomies.
  - Automated flow actions are available for taxonomy assignment to library records.
  - Manual record deletion now removes the selected library record, its sources, and related entities from the Threat Intelligence Library.
Fixed:
- Addressed an issue where UUIDs were generated instead of observable values during TISC-to-TISC sharing.
- Implemented batch processing to substantially increase scheduled job performance and reduce completion times.
- Optimized the URL Observables with Same Domain correlation rule for improved execution speed and memory efficiency.
- Resolved excessive relationship loading and memory usage during high-volume ingestion deduplication.
- Fixed a UI issue affecting comment border visibility in the TISC Workspace Activity Stream.
- Corrected the behavior of the Name and Aliases fields to ensure complete data retention for entity records such as threat actors.
- Remedied improper enforcement of Query Range ACL on the Email Log list in the Administration section.
- Updated ingestion logic to create distinct kill chains per MITRE source, eliminating duplicate phase names within a single chain.
- Rectified mismatched counts between processed observables and those shared during automated high-risk IOC sharing flows.
- Amended the default setting for the Exploit Status field from Exploit Available to None.
- Fixed issues with tag application in the case detail view.
- Resolved an issue that prevented observables from being sent from SIR to TISC.
Dependencies:
- Security Case Management common workspace components
- Threat intelligence support common
- Security support common
- Reporting common
- Seismic Component for ServiceNow (sn_node_map)