Trusted Security Circles threat data sharing

Observables are artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files, URLs, or domain names. Users in a trusted circle can share observables with other users in the same circle of trust. When you share an observable, all local sightings of that observable are shared.

There are several options available for sharing observables, including:

When observables are shared, the tags associated with the observables are not shared with the trusted circle. So, for example, if a member shares observables that are tagged as Blacklist, those observables are not necessarily blacklisted on the instances of the members they are shared with. Records that are tagged with Block from Sharing, however, are excluded.

Additionally, whenever observables are shared, a notification is sent to all members of the circle with whom the observables are shared.

Note: Before sharing threat data, please review the Trusted Security Circles and Threat Intelligence sharing guidelines, below.

Share Sightings Search results

You can share local sightings details or results that are associated with a particular search with your Trusted Security Circle.

Before you begin

Role required: sn_si.analyst

About this task

Sharing can be automated using the following Security Incident Response Properties.
  • Automatically share the results of a sightings search to the default ServiceNow trusted circle
  • Include observables with no local sightings when automatically sharing sightings search results
  • Respond with local sightings whenever a threat share is received from a trusted circle


  1. Navigate to a security incident.
  2. Click the Show IoC related list and select the Sightings Search Results tab to view the list of sightings searches.
  3. Click on a sightings search result.
  4. On the Sightings Search Result form, click the Share sighting search result related link.
    The Sighting Search Result Share dialog box appears.
  5. Enter a Name for this observable share record.
  6. Enter a Description of the observables to share.
  7. Choose Circles to share the observables with.
  8. Click Submit.
    The observable(s) are shared with the specified Trusted Circle.

Share observables from Threat Intelligence

Observables can be shared from Threat Intelligence with members in your trusted circle.

Before you begin

Threat Intelligence must be activated.

Role required: sn_ti.analyst


  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Select the check boxes for the observables you want to share with your trusted security circle.
  3. From the Actions on selected rows drop-down list, select Share observable.
    The Observable Share dialog box appears.
  4. Enter a Name for this threat share record.
  5. Enter a Description of the observables to share.
  6. Choose Circles to share the observables with.
  7. Click Submit.
    The observable(s) are shared with the specified Trusted Circle.