Previewing the security incident with mapped LogRhythm alarm values

  • Release version: Zurich
  • Updated July 31, 2025

    After you have completed the mapping step, preview the values that you mapped to the fields on the security incident. This preview step permits you to verify that you have mapped all the critical LogRhythm alarm fields you want displayed on the security incident.

    Role required: sn_si.admin.

    Security incident

    If the security incident preview is not displayed, click Preview in the progress bar.

    An example of the preview for the entire ServiceNow AI Platform security incident is displayed in the two following figures. This example preview is populated with the LogRhythm alarm fields mapped from sample alarm 13663.

    In the following figure, the Configuration item, Affected user, Priority, Assignment Group, and Short description fields of the security incident are populated.

    Figure 1. Upper half of the security incident

    On the lower half of the security incident form, the Description field is populated. Under the Related Items section, the Configuration item, Observable, and Work note fields are populated with values. If multiple values for these fields are mapped, each value is displayed on the security incident, because each of these fields can accept more than one value.

    Error conditions in preview

    The following warning messages may be displayed when previewing the security incident. If a sample alarm does not pass the filtering criteria, the entire security incident is not populated.

    Input value not found

    If the alarm ID is included within the filtering conditions, a warning message may still be displayed if specific input values are not found for certain mapped fields. For this example, assume that the Assigned to field has no value in the preview of the record, although it was mapped.

    For this type of message, verify in the Mapping record that the input value is correct. In this case, the person mapped to the Assigned to field of the security incident is incorrect in the ServiceNow AI Platform instance. When this alarm is ingested and creates a security incident with this condition, fields with this input value (Abel Tuter) are left blank in the security incident.

    The remaining messages in blue are informational, and they indicate that these fields have no value to display in the preview. This preview permits the security incident administrator configuring the alarm profile to verify that these fields should have no value at the initial creation stage, because in certain cases, security incident fields may be populated later automatically. Other mapping errors are also displayed.
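
The preview behavior described in this section, modeled offline as an added example (not ServiceNow or LogRhythm code). The alarm field names, mapping entries, and instance records are constructed assumptions; only sample alarm ID 13663 and the user name Abel Tuter come from this page.

```javascript
// Added illustration: offline model of the preview checks, not ServiceNow code.
// Constructed stand-ins for records present in the instance.
const instance = {
  sys_user: new Set(["Example Analyst"]),
  sys_user_group: new Set(["Example SOC Tier 1"]),
};

// Constructed mapping: incident field <- alarm field. `ref` names the table a
// value must resolve against; `multi` marks fields that accept several values.
const mapping = [
  { field: "short_description", from: "alarmRuleName" },
  { field: "assigned_to", from: "personName", ref: "sys_user" },
  { field: "assignment_group", from: "groupName", ref: "sys_user_group" },
  { field: "observable", from: "impactedHosts", multi: true },
  { field: "category", from: "classification" },
];

// Constructed sample alarm; only the ID and the user name come from the page.
const sampleAlarm = {
  alarmId: 13663,
  alarmRuleName: "Constructed rule name",
  personName: "Abel Tuter",
  groupName: "Example SOC Tier 1",
  impactedHosts: ["host-a.example", "host-b.example"],
  classification: "",
};

function previewIncident(alarm, passesFilter) {
  const out = { populated: false, fields: {}, warnings: [], info: [] };
  // An alarm that fails the filtering criteria populates nothing.
  if (!passesFilter(alarm)) return out;
  out.populated = true;
  for (const m of mapping) {
    const raw = alarm[m.from];
    const values = (Array.isArray(raw) ? raw : [raw])
      .filter((v) => v !== undefined && v !== null && v !== "");
    if (values.length === 0) { out.info.push(`${m.field}: no value`); continue; }
    const known = m.ref ? instance[m.ref] : null;
    const resolved = values.filter((v) => !known || known.has(v));
    for (const v of values) {
      if (!resolved.includes(v)) out.warnings.push(`${m.field}: input value not found: ${v}`);
    }
    // An unresolved reference leaves the field blank rather than failing.
    if (resolved.length > 0) out.fields[m.field] = m.multi ? resolved : resolved[0];
  }
  return out;
}
```

Calling `previewIncident(sampleAlarm, (a) => a.alarmId === 13663)` returns one warning for `assigned_to`, one informational entry for `category`, and both observable values.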

    After you are satisfied with the mapping and the security incident preview, choose one of the following options to continue the configuration.

    | Option | Description |
    | --- | --- |
    | Click Continue or Scheduling in the progress bar. | Advance to the Scheduling & Alarm Retrieval form. Scheduling & Alarm Retrieval is selected on the progress bar. The next step is to schedule alarm retrieval. |
    | Click Previous. | Return to the alarm profile and continue mapping. |
    | Enter another alarm ID in the Sample Alarm ID choice list at the top of the preview form. | The Sample Alarm ID choice list is displayed for every alarm ID you have entered. You can select up to five alarms. This option permits you to preview another LogRhythm alarm ID on a security incident. |

    After you preview the security incident and are satisfied with the results, the next step is to Schedule and retrieve LogRhythm alarms.