Previewing the security incident with mapped LogRhythm alarm values
After you have completed the mapping step, preview the values that you mapped to the fields on the security incident. This preview step permits you to verify that you have mapped all the critical LogRhythm alarm fields you want displayed on the security incident.
Role required: sn_si.admin.
Security incident
If the security incident preview is not displayed, click Preview in the progress bar.
An example of the preview for the entire ServiceNow AI Platform security incident is displayed in the two following figures. This example of the preview of the security incident is populated with the LogRhythm alarms fields mapped from sample alarm 13663.
In the following figure, the Configuration item, Affected user, Priority, Assignment Group, and Short description fields of the security incident are populated.
On the lower half of the security incident form, the Description field is populated. Under the Related Items section, the Configuration item, Observable, and Work note fields are populated with values. If multiple values for these fields are mapped, each value is displayed on the security incident, because each of these fields can accept more than one value.
Error conditions in preview
The following warning messages may be displayed when previewing the security incident. If a sample alarm does not pass the filtering criteria, the entire security incident is not populated.
Input value not found
If the alarm ID is included within the filtering conditions, a warning message may still be displayed if specific input values are not found for certain mapped fields. For the sake of the following example, in the preview of the record, assume that there is no value in the Assigned to field, although it was mapped.
For this type of message, in the Mapping record, verify that the input value is correct. In this case, the person in the Assigned to field in security incident is incorrect in the ServiceNow AI Platform instance. When this alarm is ingested and it creates a security incident with this condition, fields with this input value (Abel Tuter) are left blank in the security incident.
The remaining messages in blue are informational, and they indicate that these fields have no value to display in the preview. This preview permits the security incident administrator configuring the alarm profile to verify that these fields should have no value at the initial creation stage, because in certain cases, security incident fields may be populated later automatically. Other mapping errors are also displayed.
After you are satisfied with the mapping and the security incident preview, choose one to continue the configuration.
| Option | Description |
|---|---|
| Click Continue or Scheduling in the progress bar. | Advance to the Scheduling & Alarm Retrieval form.
Scheduling & Alarm Retrieval is selected on the progress bar. The next step is to schedule alarm retrieval. |
| Click Previous. | Return to the alarm profile and continue mapping. |
| Enter another alarm ID in the Sample Alarm ID choice list at the top of the preview form. | The Sample Alarm ID choice list is displayed for every alarm ID
you have entered. You can select up to five alarms. This option permits you to preview another LogRhythm alarm ID on a security incident. |
After you preview the security incident and are satisfied with the results, the next step is to Schedule and retrieve LogRhythm alarms.