Previewing the security incident with mapped LogRhythm alarm values
After you have completed the mapping step, preview the values that you mapped to the fields on the security incident. This preview step lets you verify that you have mapped all the critical LogRhythm alarm fields that you want displayed on the security incident.
Role required: sn_si.admin.
Security incident
If the security incident preview is not displayed, click Preview in the progress bar.
An example of the preview of the entire ServiceNow AI Platform security incident is shown in the two following figures. This example preview is populated with the LogRhythm alarm fields mapped from sample alarm 13663.
In the following figure, the Configuration item, Affected user, Priority, Assignment Group, and Short description fields of the security incident are populated.
On the lower half of the security incident form, the Description field is populated. Under the Related Items section, the Configuration item, Observable, and Work note fields are populated with values. If multiple values for these fields are mapped, each value is displayed on the security incident, because each of these fields can accept more than one value.
Error conditions in preview
The following warning messages may be displayed when you preview the security incident. If a sample alarm does not pass the filtering criteria, the security incident is not populated at all.
Input value not found
If the alarm ID is included within the filtering conditions, a warning message may still be displayed when specific input values are not found for certain mapped fields. For the following example, assume that the preview of the record shows no value in the Assigned to field, even though that field was mapped.
For this type of message, verify in the Mapping record that the input value is correct. In this case, the person in the Assigned to field of the security incident is incorrect in the ServiceNow AI Platform instance. When this alarm is ingested and creates a security incident under this condition, fields with this input value (Abel Tuter) are left blank on the security incident.
The remaining messages, in blue, are informational: they indicate that these fields have no value to display in the preview. The preview lets the security incident administrator who is configuring the alarm profile confirm that these fields are expected to be empty at initial creation, because in some cases security incident fields are populated later automatically. Other mapping errors are also displayed.
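The preview rules described above (an alarm that fails the filter populates nothing; a mapped input value that does not exist in the instance raises "Input value not found" and is left blank; fields with no value are reported as informational; Related Items fields accept several values) can be modelled in a few lines. The following is an added, stand-alone illustration written for this page, not ServiceNow's or the LogRhythm application's own code; the alarm, mapping, user list and filter are all constructed and hypothetical.

```javascript
// Constructed user table: "Abel Tuter" is deliberately absent, mirroring the
// page's example of an Assigned to value that is incorrect in the instance.
const knownUsers = ["Beth Anglin", "Fred Luddy"];

// Fields that accept more than one value (Configuration item, Observable, Work
// note under Related Items, per the page).
const MULTI_VALUE = new Set(["configuration_item", "observable", "work_notes"]);

// Constructed sample alarm, loosely shaped like LogRhythm alarm data.
const sampleAlarm = {
  alarmId: 13663,
  alarmRuleName: "Suspicious login burst",
  priority: 3,
  hosts: ["web-01", "web-02"],
  assignedTo: "Abel Tuter",
};

// Constructed mapping: security incident field -> alarm attribute.
// "details" does not exist on the alarm, so description is empty at creation.
const mapping = {
  short_description: "alarmRuleName",
  priority: "priority",
  configuration_item: "hosts",
  assigned_to: "assignedTo",
  description: "details",
};

// Build the preview: populated fields plus warning/informational messages.
function previewIncident(alarm, map, filter, users) {
  // An alarm that fails the filtering criteria populates nothing at all.
  if (!filter(alarm)) return { populated: false, fields: {}, messages: [] };
  const fields = {}, messages = [];
  for (const [field, src] of Object.entries(map)) {
    const value = alarm[src];
    if (value === undefined || (Array.isArray(value) && value.length === 0)) {
      messages.push({ level: "info", field, text: "No value to display" });
      fields[field] = MULTI_VALUE.has(field) ? [] : "";
    } else if (field === "assigned_to" && !users.includes(value)) {
      messages.push({ level: "warning", field, text: "Input value not found" });
      fields[field] = ""; // left blank on the created incident
    } else {
      fields[field] = MULTI_VALUE.has(field) ? [].concat(value) : value;
    }
  }
  return { populated: true, fields, messages };
}
```

Run `previewIncident(sampleAlarm, mapping, a => a.priority >= 2, knownUsers)` to see both Configuration item values listed, Assigned to blank with a warning, and Description flagged as informational.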
After you are satisfied with the mapping and the security incident preview, choose one of the following options to continue the configuration.
| Option | Description |
|---|---|
| Click Continue or Scheduling in the progress bar. | Advance to the Scheduling & Alarm Retrieval form. Scheduling & Alarm Retrieval is selected on the progress bar. The next step is to schedule alarm retrieval. |
| Click Previous. | Return to the alarm profile and continue mapping. |
| Enter another alarm ID in the Sample Alarm ID choice list at the top of the preview form. | The Sample Alarm ID choice list is displayed for every alarm ID you have entered. You can select up to five alarms. This option permits you to preview another LogRhythm alarm ID on a security incident. |
After you preview the security incident and are satisfied with the results, the next step is to Schedule and retrieve LogRhythm alarms.