Preview security incident

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 6 minutes
  • After you complete the mapping step, preview the values that you mapped in a ServiceNow AI Platform® Security Incident Response (SIR) security incident. This preview step permits you to verify that you have mapped all the notable fields that you want displayed on the security incident.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    Preview a security incident and edit the mapping again as required to fix fields with errors or to populate any missing data. If the preview is not successfully completed, you cannot proceed to the scheduling step. Previews of SIR security incidents are not saved as actual incidents in the SIR product.

    Procedure

    1. If the security incident preview is not displayed, select Preview in the progress bar.
    2. From the Event Name choice list, select an item if multiple Events were used.
    3. Select event IDs from the Sample Notable Event IDs choice list.
    4. From the Sample Notable Event IDs choice list, select an item.

      Select event choice list expanded.

      The security incident is displayed. Do not change any information in the fields. This view is a read-only view, and a record of this security incident is not saved.

    5. Review the field mapping of the notable event values on the security incident.

      Error message on a security incident in the preview.

      The preceding image is an example of a preview with a mapping error. In this example, a field value from the notable event does not have an acceptable value for the reference field on the SIR incident form. An error message is displayed that indicates an input value was not found for the Priority field. As a result, this mapped field value will not appear on the SIR security incident form without further modification.

    6. To resolve this error, select Mapping in the progress bar.
    7. Edit the mapping to fix incorrect values or populate any missing data.
    8. Preview the mapping again and continue to fix any errors that are described in error messages.

      The following figure is an example of the Incident Details tab on the bottom half of a SIR security incident after all error messages are resolved. For this example, the Description and Work notes fields were mapped, and these fields are populated with the values from the value pairs pulled from the Splunk Enterprise Security notable event samples. The first Work notes field has no value. This field was left blank on the mapping grid during the mapping step. The additional Work Note fields that have values were added to the mapping section.


      Work note and Description fields on the security incident preview
      Note:
      The Profile Preview section displays related items for Unmatched Affected User and Unmatched Configuration Item when matching CMDB or identity records are not found. After ingestion, Security Incident records show Unmatched CI in the Configuration Items related list and Unmatched Affected Users in a dedicated related list, ensuring complete visibility of affected entities throughout the incident life-cycle.
    9. After you have fixed any errors and verified that the fields are the way you want them, choose one option to continue.
      Option    Description
      Continue  The Scheduling form is displayed for profiles with scheduled notable events.
                Scheduling is selected on the progress bar.
      Finish    For profiles configured for manual event forwarding, click Finish. There is no scheduling step for profiles with event data that are exported on-demand directly from the Splunk Enterprise Security console.
      Update    Your data is saved, and you are returned to the Splunk Event Profiles list.
      Previous  The Mapping step on the progress bar is displayed.
      Delete    This event profile is deleted, and the Splunk Event Profiles list is displayed.

    What to do next

    If no error messages are displayed, and you are satisfied with the field mapping on the security incident, the next step is to Schedule and retrieve alerts for the Splunk Enterprise Event Ingestion integration.