ServiceNow TISC Integration
The Censys for ServiceNow Threat Intelligence Security Center (TISC) integration adds the ability to automatically or manually enrich IP, web property, and certificate observables in ServiceNow with Censys Platform data. It also adds actions to initiate a Censys rescan of a host or web property and retrieve event history for an IP address. Additionally, it adds a dashboard that shows all Censys actions executed using the app.
If your organization has access to the Adversary Investigation module, you can use the related infrastructure action to execute a CensEye automated pivot job to find assets related to an IP, web property, or certificate.
This guide walks through how to set up and use the Censys for ServiceNow TISC.

An example IPv4 observable in ServiceNow TISC that has been enriched with Censys data.
NoteThis guide explains how to integrate the Censys Platform with ServiceNow TISC. Censys also has several Attack Surface Management (ASM) integrations with ServiceNow:
Prerequisites
- A ServiceNow cloud-deployed instance on version Xanadu, Yokohama, or Zurich.
- The ServiceNow instance must have the Threat Intelligence Security Center for Security Operations plugin installed.
- A ServiceNow admin user with access to your instance.
- Your Censys Platform organization ID.
- To obtain your organization ID:
-
Open the Platform web console and ensure that your organization account is selected. Go to Settings > Account Management > Personal Access Tokens.
-
The ID for your organization is shown in the "Current Organization" box. Click Copy to copy it to your clipboard.

-
- To obtain your organization ID:
- A Censys Platform Personal Access Token (PAT). Instructions on how to create and manage PATs are available in the API documentation.
User roles
The following ServiceNow roles can be used for this integration.
- sn_sec_tisc.admin (application admin is added in this role)
- sn_sec_tisc.analyst
- sn_sec_cmn.admin
Censys recommends that you assign these roles to ServiceNow users based on your needs or create new users with the roles. An example role configuration is provided below.
| Role | ServiceNow user roles |
|---|---|
| Censys application administrator | sn_sec_tisc.admin |
| Censys application user (such as a SOC analyst) | sn_sec_tisc.analyst, sn_sec_cmn.admin |
Installation and configuration
- Go to the ServiceNow Store page for the Censys for ServiceNow TISC integration. Click Get.
- Log in to the instance that you want to install the integration on.
- In ServiceNow, navigate to System Applications > All Available Applications > All.
- Click the Not Installed tab.
- Locate the Censys TISC integration, select it, and click Install.
- Refresh the ServiceNow dashboard.
- In ServiceNow, navigate to Security Operations > Integrations > Integration Configurations.
- On the tile for the Censys app, click Configure.
- On the Censys Configuration tab for the integration, enter the following:
- In the "Name" field, enter a name for your app, like "Censys."
- In the "API Key" field, enter your PAT.
- In the "Organization ID" field, enter your Censys organization ID.
- Click Submit.
Censys for ServiceNow TISC actions
The Censys for ServiceNow TISC integration adds the following actions.
| Action | Description |
|---|---|
| Censys Enrichment | This action enriches host, web property, or certificate observables in ServiceNow with Censys data. It can be run manually or automatically. |
| Censys Host History | Retrieves the event history for a host (IP address). Allows users to view historical scan data, track infrastructure changes over time, and identify when services were added, removed, or modified. |
| Censys Rescan | Use this action to rescan a host service or a web property. |
| Ad-Hoc IOC Lookup | Use this action to retrieve Censys data for a non-present host, web property, or certificate observable in ServiceNow. |
| Censys Related Infrastructure | This action initiates a CensEye job to discover related infrastructure for a given target (host, web property, or certificate). This action is only available to users with access to the Adversary Investigation module. |
Automatic enrichment
To configure automatic Censys enrichment for observables in ServiceNow, first enable the auto enrichment poller scheduled job and then configure automatic enrichment within the Censys app.
- In ServiceNow, go to System Definition > Scheduled Jobs.
- Search for and select "auto enrichment poller."
- On the configuration page:
- Check the box next to "Active."
- On the Schedule tab, set your desired frequency for automatic enrichment.
- On the Filter Conditions tab, set any desired filters.
- Click Update.
- Go to Censys TISC Integration > Auto Enrichment.
- Click New.
- Select your integration configuration and the enrichment type (host, web property, or certificate).
- On the "Schedule" tab, set your desired frequency for automatic enrichment.
- On the "Filter Condition" tab:
- In the field dropdown, select "Type".
- In the operator dropdown, select "is".
- In the value field, select a value based on the type of observable you want to enrich.
- Select "IP address (V4)" for IPv4 hosts.
- Select "IP address (V6)" for IPv6 hosts.
- Select "Domain Name" for web properties.
- Select "SHA256 hash" for certificates.
- Click Submit.
Manual enrichment
To manually enrich an observable that is present in ServiceNow TISC:
-
Navigate to the observable IP address, domain name, or SHA-256 hash in the Threat Intelligence Security Center's Threat Intel Library.
-
On the top right corner of the page, click Run Observable Enrichment.

-
Select the appropriate type of Censys enrichment and click Submit.
View enriched data on observables
To see the Censys enrichment on an observable:
- Navigate to the observable in the Threat Intelligence Security Center's Threat Intel Library.
- Click the Enrichment Results tab and select the entry for Censys enrichment of that observable.
- Click View HTML Raw Response.
A summary of important data about the observable is provided at the top of the window. Scroll down to the "Complete Raw JSON" or "Complete Data Table View" sections to see more information.
Run Censys Rescan on a host service or web property observable
To execute a rescan on a host service or web property observable:
-
Navigate to the observable in the Threat Intelligence Security Center's Threat Intel Library.
-
On the top right corner, click the three dot menu and select Censys Rescan.

-
Input the required parameters and click Submit.
After the rescan executes successfully, the resulting data will be available on the Enrichment Results tab.
Retrieve Censys host history for an observable
To retrieve the history for a host:
- Navigate to the observable in the Threat Intelligence Security Center's Threat Intel Library.
- On the top right corner, click the three dot menu and select Censys Host History.
- Input the required parameters and click Submit.
After the data is retrieved, it will be available on the Enrichment Results tab.
Ad-hoc IOC lookup
To retrieve the Censys data for an observable that is not present in TISC:
- In ServiceNow, go to Censys TISC Integration > Ad-Hoc IOC Lookup > Create New.
- Select your integration configuration and the type of asset to enrich.
- Input the required parameters and click Submit.
After the observable has been enriched, it will appear in your Threat Intel Library.
Related infrastructure
NoteThis action is only available to Censys users with access to the Adversary Investigation module.
Use the related infrastructure action to discover and map suspicious or malicious internet-facing assets that share parsed Censys data key-value pairs. This action leverages the CensEye automated pivoting tool.
Each row of the output table is a Censys data key-value pair or group of key-value pairs, the count of assets in the Censys Internet Map that share that pair or group, and a link to see all assets that feature the pair in the Censys Platform.
Use the Censys TISC dashboard
To use the dashboard, in ServiceNow, go to Censys TISC Integration > Dashboard.
The dashboard contains an overview of automatic and manual enrichment actions executed using the app.

