Previewing the security incident with mapped LogRhythm alarm values

  • Release version: Australia
  • Updated March 12, 2026

    After you have completed the mapping step, preview the values that you mapped to the fields on the security incident. This preview step permits you to verify that you have mapped all the critical LogRhythm alarm fields you want displayed on the security incident.

    Role required: sn_si.admin.

    Security incident

    If the security incident preview is not displayed, click Preview in the progress bar.

    An example of the preview for the entire ServiceNow AI Platform security incident is displayed in the following two figures. This example preview of the security incident is populated with the LogRhythm alarm fields mapped from sample alarm 13663.

    In the following figure, the Configuration item, Affected user, Priority, Assignment Group, and Short description fields of the security incident are populated.

    Figure 1. Upper half of the security incident
    Upper half of the security incident in Preview.

    On the lower half of the security incident form, the Description field is populated. Under the Related Items section, the Configuration item, Observable, and Work note fields are populated with values. If multiple values for these fields are mapped, each value is displayed on the security incident, because each of these fields can accept more than one value.

    Error conditions in preview

    The following warning messages may be displayed when previewing the security incident. If a sample alarm does not pass the filtering criteria, none of the security incident is populated.

    Input value not found

    If the alarm ID is included within the filtering conditions, a warning message may still be displayed if specific input values are not found for certain mapped fields. For the sake of the following example, in the preview of the record, assume that there is no value in the Assigned to field, although it was mapped.

    For this type of message, verify in the Mapping record that the input value is correct. In this case, the person in the Assigned to field in the security incident is incorrect in the ServiceNow AI Platform instance. When this alarm is ingested and creates a security incident with this condition, fields with this input value (Abel Tuter) are left blank in the security incident.

    The remaining messages in blue are informational, and they indicate that these fields have no value to display in the preview. This preview permits the security incident administrator configuring the alarm profile to verify that these fields should have no value at the initial creation stage, because in certain cases, security incident fields may be populated later automatically. Other mapping errors are also displayed.
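
The three preview outcomes described above (filter failure, input value not found, informational empty field) can be modelled offline to review a mapping before ingestion. This is an added example, not ServiceNow or LogRhythm code; the alarm keys, the mapping shape, the `isUserReference` and `multi` flags, and all sample data except alarm ID 13663 and the name Abel Tuter are constructed assumptions.

```javascript
// Added example: offline model of the preview outcomes described above.
// Alarm keys, mapping shape and sample data are constructed assumptions,
// not ServiceNow's or LogRhythm's own code or schema.
const toList = (v) =>
  (Array.isArray(v) ? v : [v]).filter((x) => x !== undefined && x !== null && x !== "");

function previewIncident(alarm, passesFilter, mapping, knownUsers) {
  const result = { populated: false, fields: {}, messages: [] };
  // An alarm that fails the filter criteria populates nothing at all.
  if (!passesFilter(alarm)) {
    result.messages.push({ level: "warning", field: null, text: "Alarm does not pass the filter criteria" });
    return result;
  }
  result.populated = true;
  for (const m of mapping) {
    // A mapping entry is a fixed input value or a key read from the alarm.
    let values = toList(m.value !== undefined ? m.value : alarm[m.source]);
    if (values.length === 0) {
      // Informational: mapped, but nothing to show at creation time.
      result.messages.push({ level: "info", field: m.target, text: "No value to display" });
      continue;
    }
    if (m.isUserReference) {
      // A name with no matching user record is reported and left blank.
      for (const v of values.filter((x) => !knownUsers.has(x))) {
        result.messages.push({ level: "warning", field: m.target, text: `Input value not found: ${v}` });
      }
      values = values.filter((x) => knownUsers.has(x));
      if (values.length === 0) continue;
    }
    // Multi-value fields keep every mapped value; others take the first (assumption).
    result.fields[m.target] = m.multi ? values : values[0];
  }
  return result;
}

// Constructed sample input; only alarm ID 13663 and "Abel Tuter" come from the page.
const sampleAlarm = { alarmId: 13663, ruleName: "Constructed rule", hosts: ["host-a.example", "host-b.example"], notes: "" };
const sampleMapping = [
  { target: "Short description", source: "ruleName" },
  { target: "Observable", source: "hosts", multi: true },
  { target: "Assigned to", value: "Abel Tuter", isUserReference: true },
  { target: "Description", source: "notes" },
];
const sampleUsers = new Set(["Constructed User"]);
const preview = previewIncident(sampleAlarm, (a) => a.alarmId === 13663, sampleMapping, sampleUsers);
console.log(JSON.stringify(preview.messages, null, 2));
```
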

    After you are satisfied with the mapping and the security incident preview, choose one of the following options to continue the configuration.

    Option: Description

    • Click Continue or Scheduling in the progress bar: Advance to the Scheduling & Alarm Retrieval form. Scheduling & Alarm Retrieval is selected on the progress bar. The next step is to schedule alarm retrieval.
    • Click Previous: Return to the alarm profile and continue mapping.
    • Enter another alarm ID in the Sample Alarm ID choice list at the top of the preview form: The Sample Alarm ID choice list is displayed for every alarm ID you have entered. You can select up to five alarms. This option permits you to preview another LogRhythm alarm ID on a security incident.

    After you preview the security incident and are satisfied with the results, the next step is to Schedule and retrieve LogRhythm alarms.