---
name: triage-alerts
description: Triages a batch of alerts by severity and urgency, producing a prioritized action plan.
argument-hint: "[alert-data-source]"
---

# Triage Alerts Skill

## When to Use

Use `/triage-alerts` when you need to:
- Process a large batch of incoming alerts and determine response priority
- Create an incident response checklist with SLA-driven deadlines
- Distribute alerts across team members based on severity and availability
- Track escalation paths for critical events
- Organize alert response workload by urgency and impact
This skill is especially useful during security incidents, monitoring system maintenance, or routine alert reviews.
## Triage Rules

The skill applies strict SLA-based triage rules to classify alerts into action buckets:

### Critical Severity
- Response Time: Must be triaged and acknowledged within 1 minute
- Action: Immediate escalation to security team lead and on-call personnel
- Handling: Drop everything and respond; activate incident response protocols
- Notification: Page + Email + SMS to escalation list
### Error Severity
- Response Time: Must be reviewed and acknowledged within 15 minutes
- Action: Assign to primary responder; investigate root cause
- Handling: High priority; address before routine work
- Notification: Email + In-app alert to assigned team
### Warning Severity
- Response Time: Must be processed within 1 hour
- Action: Log for trend analysis; investigate if correlated with other alerts
- Handling: Normal priority; part of standard monitoring workflow
- Notification: In-app alert; included in daily report
### Info Severity
- Response Time: Can be batched and reviewed in daily/weekly reports
- Action: Archive or group into trend analysis; no immediate action needed
- Handling: Low priority; batch process for efficiency
- Notification: Include in summary reports only
## Output Format

The skill produces a prioritized action plan with the following structure:

```
TRIAGE REPORT: [timestamp]
Generated by: triage-alerts

EXECUTIVE SUMMARY
─────────────────
Total Alerts: [count]
Critical: [count]  Error: [count]  Warning: [count]  Info: [count]
Overall Risk Level: [Critical|High|Medium|Low]

PRIORITY 1: CRITICAL ALERTS (Response SLA: 1 minute)
──────────────────────────────────────────────────────
[For each critical alert]
  ID: [alert-id]
  Name: [alert-name]
  Description: [description]
  Location: [location] (Lat: [lat], Long: [long])
  Source: [source]
  Created: [timestamp]
  Recommended Action: [action]
  Escalation Path: [team-lead] → [on-call] → [external-partner]
  SLA Deadline: [datetime]

PRIORITY 2: ERROR ALERTS (Response SLA: 15 minutes)
────────────────────────────────────────────────────
[For each error alert]
  ID: [alert-id]
  Name: [alert-name]
  Status: [Active|Acknowledged|Resolved]
  Assigned To: [team-member]
  Recommended Action: [action]
  SLA Deadline: [datetime]

PRIORITY 3: WARNING ALERTS (Response SLA: 1 hour)
──────────────────────────────────────────────────
[Grouped by location or source]
  Count: [number]
  Examples: [list of alert IDs]
  Pattern: [description of commonality]
  Recommended Action: [action]

PRIORITY 4: INFO ALERTS (Batch Processing)
───────────────────────────────────────────
  Count: [number]
  Batch Processing: Daily review recommended
  Archive Action: [Auto-archive after 30 days unless correlated]

RECOMMENDATIONS
───────────────
1. [Action with highest impact]
2. [Action with medium impact]
3. [Follow-up action for trend analysis]

ESCALATION PATHS
────────────────
Critical → [Security Team Lead] → [Director] → [External SOC if required]
Error    → [Primary Responder] → [Team Lead] → [Manager if unresolved in 1 hour]
Warning  → [Monitoring Team] → [Trend Analysis Queue]
Info     → [Daily Report Queue]
```

## Usage Examples

Triage recent alert logs:

```
/triage-alerts from recent logs
```

Triage only critical severity alerts:

```
/triage-alerts Critical alerts only
```

Triage alerts from a specific source:

```
/triage-alerts from Camera source
```

Triage alerts from a geographic area:

```
/triage-alerts from location Building-A
```

Triage and generate an incident response plan:

```
/triage-alerts with incident-response-plan
```

Triage with a 2-hour SLA override (emergency response):

```
/triage-alerts with emergency-sla
```
## SLA Tracking

The skill automatically:
- Calculates time remaining until SLA deadline for each priority level
- Flags alerts that have exceeded SLA thresholds
- Suggests escalation when SLA is breached
- Generates compliance reports for audit purposes
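The following Python is an added example, not the skill's own implementation, of the bucketing and SLA logic described in the Triage Rules and SLA Tracking sections: it assigns each alert to its priority bucket, computes the acknowledgement deadline from the per-severity SLA window, flags breaches, and routes breached alerts to the escalation chains listed under Escalation Paths. The `Alert` field set, the sample alerts, and the mapping from counts to the overall risk level are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# SLA windows from the triage rules; Info alerts are batched and have no deadline.
SLA_WINDOWS: Dict[str, Optional[timedelta]] = {
    "Critical": timedelta(minutes=1),
    "Error": timedelta(minutes=15),
    "Warning": timedelta(hours=1),
    "Info": None,
}
PRIORITY = {"Critical": 1, "Error": 2, "Warning": 3, "Info": 4}
# Escalation chains as listed in the report's ESCALATION PATHS section.
ESCALATION = {
    "Critical": ["Security Team Lead", "Director", "External SOC if required"],
    "Error": ["Primary Responder", "Team Lead", "Manager if unresolved in 1 hour"],
    "Warning": ["Monitoring Team", "Trend Analysis Queue"],
    "Info": ["Daily Report Queue"],
}


@dataclass
class Alert:
    """Minimal alert record (assumed field set; a real source may carry more)."""
    id: str
    name: str
    severity: str
    source: str
    created: datetime            # must be timezone-aware so deadlines compare safely
    acknowledged: Optional[datetime] = None


def sla_deadline(alert: Alert) -> Optional[datetime]:
    """Acknowledgement deadline, or None for batched Info alerts."""
    window = SLA_WINDOWS[alert.severity]
    return None if window is None else alert.created + window


def time_remaining(alert: Alert, now: datetime) -> Optional[timedelta]:
    """Time left until the SLA deadline; negative once the deadline has passed."""
    deadline = sla_deadline(alert)
    return None if deadline is None else deadline - now


def sla_status(alert: Alert, now: datetime) -> str:
    """'batched' (no SLA), 'met', 'open' (still inside the window) or 'breached'."""
    deadline = sla_deadline(alert)
    if deadline is None:
        return "batched"
    if alert.acknowledged is not None:
        return "met" if alert.acknowledged <= deadline else "breached"
    return "open" if now <= deadline else "breached"


def overall_risk(counts: Dict[str, int]) -> str:
    """Assumed mapping: the highest severity present sets the overall level."""
    for severity, level in (("Critical", "Critical"), ("Error", "High"), ("Warning", "Medium")):
        if counts.get(severity, 0) > 0:
            return level
    return "Low"


def triage(alerts: List[Alert], now: datetime) -> dict:
    """Bucket alerts by severity, order each bucket by deadline, flag SLA breaches."""
    buckets: Dict[str, List[Alert]] = {sev: [] for sev in PRIORITY}
    for alert in alerts:
        if alert.severity not in PRIORITY:
            # Unknown severities are rejected rather than silently demoted to Info.
            raise ValueError(f"unknown severity {alert.severity!r} on alert {alert.id}")
        if alert.created.tzinfo is None:
            raise ValueError(f"alert {alert.id} has a naive timestamp")
        buckets[alert.severity].append(alert)
    for sev in buckets:
        buckets[sev].sort(key=lambda a: a.created)   # oldest first: nearest deadline
    counts = {sev: len(items) for sev, items in buckets.items()}
    breached = [a for a in alerts if sla_status(a, now) == "breached"]
    return {
        "counts": counts,
        "overall_risk": overall_risk(counts),
        "buckets": buckets,
        "breached": [a.id for a in breached],
        # Breached alerts are handed to their severity's escalation chain.
        "escalations": {a.id: ESCALATION[a.severity] for a in breached},
    }


# Constructed sample batch (not real alert data) for a stand-alone run.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A-1", "Unauthorized door access", "Critical", "Camera", NOW - timedelta(minutes=3)),
    Alert("A-2", "Disk 95% full", "Error", "Host", NOW - timedelta(minutes=10)),
    Alert("A-3", "Motion after hours", "Warning", "Camera", NOW - timedelta(minutes=30)),
    Alert("A-4", "Config sync complete", "Info", "Controller", NOW - timedelta(hours=5)),
    Alert("A-5", "Sensor offline", "Error", "Sensor", NOW - timedelta(minutes=20),
          acknowledged=NOW - timedelta(minutes=8)),
]

if __name__ == "__main__":
    report = triage(SAMPLE_ALERTS, NOW)
    print("Overall Risk Level:", report["overall_risk"], report["counts"])
    for alert_id, chain in report["escalations"].items():
        print(f"SLA breached: {alert_id} -> escalate to {' -> '.join(chain)}")
```

In the sample batch the Critical alert `A-1` was created three minutes ago and never acknowledged, so it is already past its one-minute window and is the only breach; `A-5` was acknowledged before its fifteen-minute deadline and counts as met. Sorting each bucket by creation time puts the alert nearest its deadline first, which is the order a responder should work through it.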
## Integration Points

- Alert Management System: Reads from alert database
- Incident Response System: Triggers incident workflows for Critical alerts
- Notification System: Sends appropriate notifications per SLA
- Reporting System: Generates historical triage reports
- Team Communication: Posts summaries to Slack/Teams channels