Filter alarms for LogRhythm

  • Release version: Australia
  • Updated March 12, 2026

    Setting filtering criteria for alarms after you have mapped fields helps you determine which alarms should be ingested into the Security Incident Response (SIR) application. Filtering alarms significantly reduces the number of alarms you ingest when the alarm profile is activated.

    Before you begin

    Role required: sn_si.admin

    About this task

    Use the filtering conditions at the bottom of the mapping form to filter out specific alarms or limit ingestion to only alarms that meet certain field-level criteria. Filtering significantly reduces the number of alarms you ingest once the alarm profile is activated. Use filtering to ingest a manageable quantity of alarms that your Security Operations Center (SOC) staff can support.
    Note:
    The following example shows the default filter setting, Alarm status does not contain Closed. This filter pulls only active alarms, which reduces the number of pulled alarms. The following steps show how to add another useful filter that includes only alarms with the highest severity or priority values.

    Procedure

    1. To edit the filtering criteria, select the Filter based on conditions check box.
      (Image: Filter based on conditions check box selected and highlighted.)
    2. To the right of the Filter conditions field, click OR or AND.
    3. In the new line that is displayed, select the filtering conditions from the choice lists.

      The following image shows an additional filter added to the criteria in which risk-based priority (RBP max) is greater than 50. With this filter setting, only LogRhythm alarms with a risk-based priority value that is greater than 50 are pulled.

      (Image: Add a new filter condition to ingest alarms with a risk-based priority greater than 50.)
    4. After you have verified that all critical LogRhythm alarm fields are mapped to the ServiceNow AI Platform security incident and have set filtering criteria to limit alarm ingestion, choose one of the following options to continue the configuration.
      Option               Description
      Continue or Preview  The Preview form of the security incident with your mapping configuration is displayed. (Image: Preview is selected on the progress bar. The next step is to view the security incident with your mapped alarms.)
      Update               Save your data and return to the Alarm Profiles list.
      Previous             The alarm profile record is displayed.
      Delete               Delete this alarm profile; the Alarm Profiles list is displayed.
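The following is an added example, not ServiceNow or LogRhythm code: a small JavaScript model of the condition builder used in the steps above, run over constructed sample alarm records. It shows the effect of the default filter (Alarm status does not contain Closed), of adding the RBP max greater than 50 condition with AND, and, as a caveat, what happens if the second condition is joined with OR instead. The field names (alarmStatus, rbpMax), the operator set, the AND-within-group/OR-between-groups semantics and the sample records are all assumptions made for this example.

```javascript
// Added example (not ServiceNow or LogRhythm code). Models the alarm-profile
// filter builder over constructed alarm records to show how conditions combine.

// Constructed sample alarms shaped like mapped LogRhythm alarm fields (assumed names).
const SAMPLE_ALARMS = [
  { alarmId: 1001, alarmStatus: "New",                 rbpMax: 92 },
  { alarmId: 1002, alarmStatus: "Opened",              rbpMax: 35 },
  { alarmId: 1003, alarmStatus: "Closed",              rbpMax: 98 },
  { alarmId: 1004, alarmStatus: "Closed: False Alarm", rbpMax: 60 },
  { alarmId: 1005, alarmStatus: "Working",             rbpMax: 50 }, // boundary: not > 50
  { alarmId: 1006, alarmStatus: "New" },                            // rbpMax missing
];

// Operators offered by this model of the choice lists. String comparison is
// case-insensitive; a missing or non-numeric field never satisfies "greater than".
const OPERATORS = {
  "contains": (actual, expected) =>
    typeof actual === "string" && actual.toLowerCase().includes(String(expected).toLowerCase()),
  "does not contain": (actual, expected) =>
    !(typeof actual === "string" && actual.toLowerCase().includes(String(expected).toLowerCase())),
  "greater than": (actual, expected) =>
    typeof actual === "number" && actual > Number(expected),
  "is": (actual, expected) => actual === expected,
};

function evaluateCondition(alarm, cond) {
  const op = OPERATORS[cond.operator];
  if (!op) throw new Error(`Unknown operator: ${cond.operator}`);
  return op(alarm[cond.field], cond.value);
}

// A filter is a list of condition groups: conditions inside a group are joined
// with AND, and groups are joined with OR (assumed condition-builder semantics).
function matchesFilter(alarm, groups) {
  return groups.some(group => group.every(cond => evaluateCondition(alarm, cond)));
}

function filterAlarms(alarms, groups) {
  return alarms.filter(alarm => matchesFilter(alarm, groups));
}

// Returns the IDs of the alarms that would be ingested under a given filter.
function ingestedIds(alarms, groups) {
  return filterAlarms(alarms, groups).map(alarm => alarm.alarmId);
}

const STATUS_NOT_CLOSED = { field: "alarmStatus", operator: "does not contain", value: "Closed" };
const RBP_OVER_50 = { field: "rbpMax", operator: "greater than", value: 50 };

// Default filter from the page: only alarms whose status does not contain "Closed".
const DEFAULT_FILTER = [[STATUS_NOT_CLOSED]];

// Default filter AND RBP max > 50: narrows ingestion to high-priority open alarms.
const HIGH_PRIORITY_FILTER = [[STATUS_NOT_CLOSED, RBP_OVER_50]];

// Same two conditions joined with OR: this widens ingestion, pulling closed
// alarms back in whenever their RBP is high. Worth checking before activating.
const OR_FILTER = [[STATUS_NOT_CLOSED], [RBP_OVER_50]];

console.log("default  :", ingestedIds(SAMPLE_ALARMS, DEFAULT_FILTER));        // [1001, 1002, 1005, 1006]
console.log("AND rbp  :", ingestedIds(SAMPLE_ALARMS, HIGH_PRIORITY_FILTER));  // [1001]
console.log("OR rbp   :", ingestedIds(SAMPLE_ALARMS, OR_FILTER));             // all six alarms
```

Two points the run makes visible: the boundary alarm with RBP max exactly 50 is excluded by "greater than 50", and an alarm with no RBP value is excluded too, so mapping the priority field correctly matters before the filter is trusted; and joining the second condition with OR instead of AND increases rather than reduces the ingested volume.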

    What to do next

    The next step is to preview your mapped fields on the security incident. See Previewing the security incident with mapped LogRhythm alarm values.