Preview the security incident for the Splunk Enterprise Event Ingestion integration

  • Release version: Xanadu
  • Updated January 30, 2025
After you complete the mapping step, preview the values that you mapped in a ServiceNow AI Platform® Security Incident Response (SIR) security incident. The preview lets you verify that every alert field you want displayed on the security incident has been mapped, and that each mapped value is accepted by its target field.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    Preview a security incident and edit the mapping again as required to fix fields with errors or to populate any missing data. If the preview is not successfully completed, you cannot proceed to the scheduling step. Previews of SIR security incidents are not saved as actual incidents in the SIR product.

    Procedure

    1. If the security incident preview is not displayed, click Preview in the progress bar.
    2. Select the Alert Name and then select an item from the Sample Alert IDs list.
      Figure: Select alert choice list expanded.

      The security incident is displayed. Do not change any information in the fields. This view is a read-only view, and a record of this security incident is not saved.

    3. Review the field mapping of the alert values on the security incident.
      Figure: Error message on a security incident in the preview.

      The preceding image is an example of a preview with a mapping error. A mapping error means one of two things: no field exists on the security incident for the value you mapped, or the target field does not support that value. In this example, the error message indicates that an input value was not found for the Configuration item field. Configuration item is a reference field, so the mapped alert value must match an existing configuration item record; a hostname or IP address that the platform cannot resolve to a record produces this error.

    4. To resolve this error, click Mapping in the progress bar.
    5. Edit the mapping to fix incorrect values or populate any missing data.
    6. Preview the mapping again and continue to fix any errors that are described in error messages.

      The following figure is an example of the Incident Details tab on the bottom half of a SIR security incident after all error messages are resolved. For this example, the Description and Work notes fields were mapped, and they are populated with the key/value pairs pulled from the Splunk Enterprise console. The first Work notes field has no value because its row was left empty on the mapping grid during the mapping step; an empty row produces an empty field, not an error. The additional Work notes fields that have values were added to the mapping grid during the mapping step.

      Figure: Work notes and Description fields on the security incident preview.
    7. After you have fixed any errors and verified that the fields are the way you want them, choose one option to continue.
      Option    Description
      Continue  The Scheduling form is displayed for profiles with scheduled alerts.

                Figure: Scheduling is selected on the progress bar.

      Finish    For profiles configured for manual event forwarding, click Finish. There is no scheduling step for profiles whose event data is exported on demand directly from the Splunk Enterprise console.
      Update    Your data is saved, and you are returned to the Splunk Event Profiles list.
      Previous  The Mapping step on the progress bar is displayed.
      Delete    Deletes this event profile; the Splunk Event Profiles list is displayed.
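      The following Python illustrates the two classes of mapping error the preview reports (a target field that does not exist, and a value the target field does not support, such as a Configuration item that resolves to no record) and the empty-row behaviour described for Work notes. It is an added example written for this page, not ServiceNow or Splunk code: the incident schema, CMDB contents, sample alert, mapping rows and the preview_mapping function are all constructed stand-ins for what the platform does when you click Preview.

```python
# Added illustration of the checks a mapping preview performs.
# Hypothetical stand-in logic, not ServiceNow or Splunk code. The schema,
# CMDB contents, alert values, mapping rows and function names are constructed.
from dataclasses import dataclass, field

# Constructed subset of a SIR security-incident schema:
# field label -> (field type, allowed values for choice fields or None)
INCIDENT_SCHEMA = {
    "Short description": ("string", None),
    "Description": ("string", None),
    "Work notes": ("journal", None),            # repeatable; one entry per mapped row
    "Priority": ("choice", {"1", "2", "3", "4", "5"}),
    "Configuration item": ("reference", None),  # must resolve to an existing CI record
}

# Constructed stand-in for the CMDB records a reference field can point at
CI_RECORDS = {"web-prod-01", "db-prod-02"}

# Constructed Splunk alert: key/value pairs as pulled from the console
SAMPLE_ALERT = {
    "search_name": "Brute-force login attempts",
    "dest": "web-prod-01",
    "src": "203.0.113.7",
    "urgency": "2",
    "raw": "Failed password for admin from 203.0.113.7 (4 attempts)",
}


@dataclass
class PreviewResult:
    incident: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)

    def can_proceed(self) -> bool:
        """Scheduling or Finish is only reachable when the preview has no errors."""
        return not self.errors


def preview_mapping(alert, mapping, schema=INCIDENT_SCHEMA, ci_records=CI_RECORDS):
    """Build a read-only preview from mapping rows of (alert_key, incident_field).

    An alert_key of None represents a row left empty on the mapping grid; it
    yields an empty field rather than an error. Nothing is persisted.
    """
    result = PreviewResult()
    for alert_key, target in mapping:
        if target not in schema:
            result.errors.append(f"Field '{target}' does not exist on the security incident")
            continue
        ftype, allowed = schema[target]
        value = alert.get(alert_key, "") if alert_key else ""
        if ftype == "reference" and value and value not in ci_records:
            result.errors.append(f"Input value '{value}' was not found for the {target} field")
            continue
        if ftype == "choice" and value and value not in allowed:
            result.errors.append(f"Value '{value}' is not supported by the {target} field")
            continue
        if ftype == "journal":
            result.incident.setdefault(target, []).append(value)
        else:
            result.incident[target] = value
    return result


# Constructed mapping with two defects: a field that does not exist on the
# incident, and a source IP mapped into a reference field that needs a CI name.
BROKEN_MAPPING = [
    ("search_name", "Short description"),
    ("raw", "Summary"),              # no such field on the security incident
    ("src", "Configuration item"),   # 203.0.113.7 resolves to no CI record
    ("urgency", "Priority"),
]

# Constructed corrected mapping, including an intentionally empty Work notes row
FIXED_MAPPING = [
    ("search_name", "Short description"),
    ("raw", "Description"),
    ("dest", "Configuration item"),
    ("urgency", "Priority"),
    (None, "Work notes"),            # row left empty on the grid -> empty field
    ("src", "Work notes"),
    ("search_name", "Work notes"),
]

if __name__ == "__main__":
    for name, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        r = preview_mapping(SAMPLE_ALERT, mapping)
        print(f"{name}: errors={r.errors or 'none'} can_proceed={r.can_proceed()}")
```

      Running the block shows the broken mapping blocked with two messages and the corrected mapping passing with the first Work notes entry empty, which mirrors the preview behaviour described in steps 3 to 6.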

    What to do next

    If no error messages are displayed, and you are satisfied with the field mapping on the security incident, the next step is to Schedule and retrieve alerts for the Splunk Enterprise Event Ingestion integration.