---
name: triage-alerts
description: Triages a batch of alerts by severity and urgency, producing a prioritized action plan.
argument-hint: "[alert-data-source]"
---

# Triage Alerts Skill

## When to Use

Use `/triage-alerts` when you need to:

- Process a large batch of incoming alerts and determine response priority
- Create an incident response checklist with SLA-driven deadlines
- Distribute alerts across team members based on severity and availability
- Track escalation paths for critical events
- Organize alert response workload by urgency and impact

This skill is especially useful during security incidents, monitoring system maintenance, or routine alert reviews.

## Triage Rules

The skill applies strict SLA-based triage rules to classify alerts into action buckets:

### Critical Severity

- **Response Time**: Must be triaged and acknowledged within **1 minute**
- **Action**: Immediate escalation to security team lead and on-call personnel
- **Handling**: Drop everything and respond; activate incident response protocols
- **Notification**: Page + Email + SMS to escalation list

### Error Severity

- **Response Time**: Must be reviewed and acknowledged within **15 minutes**
- **Action**: Assign to primary responder; investigate root cause
- **Handling**: High priority; address before routine work
- **Notification**: Email + In-app alert to assigned team

### Warning Severity

- **Response Time**: Must be processed within **1 hour**
- **Action**: Log for trend analysis; investigate if correlated with other alerts
- **Handling**: Normal priority; part of standard monitoring workflow
- **Notification**: In-app alert; included in daily report

### Info Severity

- **Response Time**: Can be batched and reviewed in daily/weekly reports
- **Action**: Archive or group into trend analysis; no immediate action needed
- **Handling**: Low priority; batch process for efficiency
- **Notification**: Include in summary reports only

## Output Format

The skill produces a prioritized action plan with the following structure:

```
TRIAGE REPORT: [timestamp]
Generated by: triage-alerts

EXECUTIVE SUMMARY
─────────────────
Total Alerts: [count]
Critical: [count]
Error: [count]
Warning: [count]
Info: [count]
Overall Risk Level: [Critical|High|Medium|Low]

PRIORITY 1: CRITICAL ALERTS (Response SLA: 1 minute)
──────────────────────────────────────────────────────
[For each critical alert]
ID: [alert-id]
Name: [alert-name]
Description: [description]
Location: [location] (Lat: [lat], Long: [long])
Source: [source]
Created: [timestamp]
Recommended Action: [action]
Escalation Path: [team-lead] → [on-call] → [external-partner]
SLA Deadline: [datetime]

PRIORITY 2: ERROR ALERTS (Response SLA: 15 minutes)
────────────────────────────────────────────────────
[For each error alert]
ID: [alert-id]
Name: [alert-name]
Status: [Active|Acknowledged|Resolved]
Assigned To: [team-member]
Recommended Action: [action]
SLA Deadline: [datetime]

PRIORITY 3: WARNING ALERTS (Response SLA: 1 hour)
──────────────────────────────────────────────────
[Grouped by location or source]
Count: [number]
Examples: [list of alert IDs]
Pattern: [description of commonality]
Recommended Action: [action]

PRIORITY 4: INFO ALERTS (Batch Processing)
───────────────────────────────────────────
Count: [number]
Batch Processing: Daily review recommended
Archive Action: [Auto-archive after 30 days unless correlated]

RECOMMENDATIONS
───────────────
1. [Action with highest impact]
2. [Action with medium impact]
3. [Follow-up action for trend analysis]

ESCALATION PATHS
────────────────
Critical → [Security Team Lead] → [Director] → [External SOC if required]
Error → [Primary Responder] → [Team Lead] → [Manager if unresolved in 1 hour]
Warning → [Monitoring Team] → [Trend Analysis Queue]
Info → [Daily Report Queue]
```

## Usage Examples

### Triage recent alert logs

```
/triage-alerts from recent logs
```

### Triage only critical severity alerts

```
/triage-alerts Critical alerts only
```

### Triage alerts from a specific source

```
/triage-alerts from Camera source
```

### Triage alerts from a geographic area

```
/triage-alerts from location Building-A
```

### Triage and generate incident response plan

```
/triage-alerts with incident-response-plan
```

### Triage with 2-hour SLA override (emergency response)

```
/triage-alerts with emergency-sla
```

## SLA Tracking

The skill automatically:

- Calculates time remaining until SLA deadline for each priority level
- Flags alerts that have exceeded SLA thresholds
- Suggests escalation when SLA is breached
- Generates compliance reports for audit purposes

## Integration Points

- **Alert Management System**: Reads from alert database
- **Incident Response System**: Triggers incident workflows for Critical alerts
- **Notification System**: Sends appropriate notifications per SLA
- **Reporting System**: Generates historical triage reports
- **Team Communication**: Posts summaries to Slack/Teams channels
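The bucketing from the Triage Rules section and the deadline, breach and escalation logic from the SLA Tracking section, as an added Python example (not part of the skill itself). The alert records, the clock value, the `escalate_to` field and the severity-to-risk mapping in `summary` are assumptions; the SLA minutes and escalation chains come from the sections above.

```python
from datetime import datetime, timedelta

# SLA windows in minutes from the Triage Rules section; Info has no deadline and is batched.
SLA_MINUTES = {"critical": 1, "error": 15, "warning": 60, "info": None}
PRIORITY = {"critical": 1, "error": 2, "warning": 3, "info": 4}
RISK = {"critical": "Critical", "error": "High", "warning": "Medium"}  # assumed mapping
# Escalation chains from the Escalation Paths section of the report template.
ESCALATION = {"critical": ["Security Team Lead", "Director", "External SOC"],
              "error": ["Primary Responder", "Team Lead", "Manager"],
              "warning": ["Monitoring Team", "Trend Analysis Queue"],
              "info": ["Daily Report Queue"]}

def triage(alerts, now):
    """Group alerts into priority buckets 1-4, annotating each with its SLA deadline,
    minutes remaining, a breach flag and, when breached, the next escalation step."""
    buckets = {p: [] for p in PRIORITY.values()}
    for a in alerts:
        sev = a["severity"].lower()
        if sev not in SLA_MINUTES:  # an unknown severity is a data problem, never "info"
            raise ValueError(f"unknown severity {a['severity']!r} on alert {a['id']}")
        entry = dict(a, severity=sev, priority=PRIORITY[sev], deadline=None,
                     remaining_min=None, sla_breached=False, escalate_to=None)
        if SLA_MINUTES[sev] is not None:
            deadline = datetime.fromisoformat(a["created"]) + timedelta(minutes=SLA_MINUTES[sev])
            remaining = round((deadline - now).total_seconds() / 60, 1)
            entry.update(deadline=deadline, remaining_min=remaining, sla_breached=remaining < 0)
            if remaining < 0:  # breached: suggest the first step of the severity's chain
                entry["escalate_to"] = ESCALATION[sev][0]
        buckets[entry["priority"]].append(entry)
    for bucket in buckets.values():  # most overdue first; batched Info alerts keep input order
        bucket.sort(key=lambda e: float("inf") if e["remaining_min"] is None else e["remaining_min"])
    return buckets

def summary(buckets):
    """Executive-summary counts and the overall risk level (the mapping is an assumption)."""
    counts = {sev: len(buckets[p]) for sev, p in PRIORITY.items()}
    risk = next((lvl for sev, lvl in RISK.items() if counts[sev]), "Low")
    return {"total": sum(counts.values()), **counts, "risk": risk}

# Constructed sample batch and clock (not real alert data).
SAMPLE_ALERTS = [
    {"id": "A-1", "severity": "Critical", "created": "2024-05-01T10:00:00"},
    {"id": "A-2", "severity": "Error", "created": "2024-05-01T10:05:00"},
    {"id": "A-3", "severity": "Warning", "created": "2024-05-01T09:30:00"},
    {"id": "A-4", "severity": "Info", "created": "2024-05-01T08:00:00"},
]
NOW = datetime.fromisoformat("2024-05-01T10:10:00")
```

With the sample batch and clock, A-1 is nine minutes past its 1-minute SLA and is flagged for escalation, while the Error and Warning alerts still have time remaining.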