This appears to be something configured with-in our instance. I was trying it on a Personal Developer Instance and it seems to work OOB. I created an Alert ( one for each level - Minor, Major, Critical) and when i clicked the 'Open Security Incident" button, each Security Incident had the correct level applied ( minor was Low, Major was Medium, and Critical was High). Is there anyway to read all the process hit (Alert management, or business rules) to see what is different from our production instances versus the PDI?

Hi Kyles - I did a detailed analysis and here are the issues and path forward for you

Issues: 

1. Your 'Create Task Legacy' flow is not setting the severity for Security Incidents

2. The 'Copy Value' action seems to be missing the output variable. 

Path forward:

1. For your scenario, 'create Incident' subflow seems to be better suited. You can copy that modify per your need or in your existing flow, have a step to update the newly created security incident with severity value from the 'Copy Value' action step

2. 'Copy value' action step (this step will just return the data, you would need to use the return data to set values in your SIR records),

a. have a function something like below to have the mapping.

b. Set the value within the code

c. also add the same variable name as one of the 'output variable' 

var getSIIncidentSev = function(){
var siincidentSeverity;
if(inputs.severity == 1)
siincidentSeverity = 1;
else if (inputs.severity == 2)
siincidentSeverity = 2;
else if (inputs.severity == 3)
siincidentSeverity = 3;
else if(inputs.severity == 4 || inputs.severity == 5 || inputs.severity == 6)
//Kyles to determine, if the alert is 'warning', 'clear', 'ok' --> should you need a mapping
//siincidentSeverity = 3;

return siincidentSeverity;
}

outputs.secincidentseverity=getSIIncidentSev();

**Mark the responses as 'accepted answer' / 'helpful' based on the impact. 

Ashutosh and Balaji,

Thank you both for taking the time to help me with this.

Ashutosh, On my Personal Developer Instance I tested again to make sure the Severity from the Alert moves to the Security Incident when i click the "Create Security Incident" button. It in fact does on each of the 3 levels (Minor, Major, Critical). There is a built-in Alert Management rule called 'Create security incidents for critical alerts' and has an order of 90. The Alert filter conditions are Classification is Security and Severity is Critical OR Task is empty or Acknowledge is false. I had to add the Classification field to the Alert form so I was able to set it to Security. By doing nothing more than setting the Severity to Critical and Classification to Security and adding a description, it automatically created a Security Incident. However the Security Incident severity was set to 2-medium. Do you experience the same result? 

Balaji, I will try to build the subflow out with a function to set the severity levels of the Copy Value.

Is there a way to see what the button actions (subflows or UI actions) are for the 'Create Security Incident' button?

Kyle