Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
Overview
A SOC escalation matrix defines how security incidents move through the organization based on severity, impact, and response requirements. Modern SOCs use context-driven escalation combining business risk, asset criticality, and data sensitivity rather than purely severity-based models. Organizations using AI and automation in their SOC cut detection-and-containment lifecycle to approximately 161 days, an 80-day improvement over the 241-day industry average.
When to Use
- When deploying or configuring building soc escalation matrix capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with soc operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
SOC Tier Structure
Tier 1 - Alert Triage Analyst
- Monitors SIEM dashboards and alert queues
- Performs initial alert classification (true/false positive)
- Handles P3 and P4 incidents to resolution
- Escalates P1 and P2 incidents to Tier 2 within SLA
- Documents initial findings in ticketing system
Tier 2 - Incident Analyst
- Performs deep-dive investigation on escalated incidents
- Conducts root cause analysis and scoping
- Executes containment procedures
- Handles P2 incidents to resolution
- Escalates P1 incidents to Tier 3 or management
Tier 3 - Senior Analyst / Threat Hunter
- Handles P1 critical incidents and APT investigations
- Performs proactive threat hunting
- Develops detection rules and playbooks
- Conducts malware reverse engineering
- Leads incident response for major breaches
Management Escalation
- SOC Manager: Operational decisions, resource allocation
- CISO: Business impact decisions, executive communication
- Legal/PR: Data breach notification, media response
- External IR: Third-party incident response engagement
Severity Classification
P1 - Critical
| Attribute | Value |
|---|---|
| Impact | Active data breach, ransomware spreading, critical systems compromised |
| Business Impact | Revenue loss, regulatory exposure, customer data at risk |
| Initial Response | 15 minutes |
| Escalation to Tier 2 | Immediate |
| Escalation to Management | 30 minutes |
| Resolution Target | 4 hours |
| Communication | Every 30 minutes to stakeholders |
| Examples | Active ransomware, confirmed data exfiltration, domain admin compromise |
P2 - High
| Attribute | Value |
|---|---|
| Impact | Confirmed compromise, limited scope, no active exfiltration |
| Business Impact | Potential revenue impact, contained risk |
| Initial Response | 30 minutes |
| Escalation to Tier 2 | 30 minutes if unresolved |
| Escalation to Management | 2 hours |
| Resolution Target | 8 hours |
| Communication | Every 2 hours to SOC management |
| Examples | Compromised user account, malware on single endpoint, insider threat indicator |
P3 - Medium
| Attribute | Value |
|---|---|
| Impact | Suspicious activity requiring investigation |
| Business Impact | Low immediate risk |
| Initial Response | 4 hours |
| Escalation to Tier 2 | 8 hours if unresolved |
| Resolution Target | 24 hours |
| Communication | Daily status update |
| Examples | Policy violation, failed brute force, suspicious email report |
P4 - Low
| Attribute | Value |
|---|---|
| Impact | Informational alerts, routine security events |
| Business Impact | Minimal |
| Initial Response | 8 hours |
| Escalation | Only if pattern emerges |
| Resolution Target | 72 hours |
| Communication | Weekly summary |
| Examples | Vulnerability scan findings, expired certificates, policy exceptions |
Escalation Decision Matrix
Asset Criticality
Low Medium High Critical
Severity Low P4 P4 P3 P3
Medium P4 P3 P2 P2
High P3 P2 P2 P1
Critical P2 P1 P1 P1Context-Driven Escalation Triggers
Automatic Escalation (no analyst decision needed)
| Trigger | Action |
|---|---|
| Ransomware detected on any endpoint | P1 - Immediate Tier 3 + Management |
| Domain admin account compromise | P1 - Immediate Tier 3 + Management |
| Active data exfiltration to external IP | P1 - Immediate Tier 3 + Management |
| Critical infrastructure (DC, SCADA) alert | P1 - Immediate Tier 2 minimum |
| Executive account anomaly | P2 - Immediate Tier 2 |
| Multiple hosts with same malware | P1 - Immediate Tier 2 |
Time-Based Escalation
| Condition | Action |
|---|---|
| P2 unresolved after 4 hours | Escalate to Tier 3 |
| P3 unresolved after 12 hours | Escalate to Tier 2 |
| Any incident unresolved past SLA | Escalate to SOC Manager |
| P1 unresolved after 2 hours | Escalate to CISO |
Communication Templates
P1 Initial Notification
SUBJECT: [P1 CRITICAL] Security Incident - {Incident_ID}
Incident Summary:
- Type: {incident_type}
- Affected Systems: {systems}
- Affected Users: {users}
- Current Status: {status}
- Assigned To: {analyst}
Impact Assessment:
- Business Impact: {impact}
- Data at Risk: {data_risk}
- Containment Status: {containment}
Next Actions:
- {action_1}
- {action_2}
Next Update: {time} (30-minute intervals)
Bridge Line: {conference_details}Escalation Matrix Implementation
SOAR Integration
# XSOAR escalation playbook trigger
trigger:
condition: incident.severity == "critical" AND incident.asset_criticality == "high"
action:
- assign_tier: 3
- notify: [soc_manager, ciso]
- create_war_room: true
- start_bridge: true
- set_sla: 4h
auto_escalation_rules:
- name: P2 Time-Based Escalation
condition: incident.severity == "high" AND incident.age > 4h AND incident.status != "resolved"
action:
- escalate_tier: 3
- notify: soc_manager
- add_comment: "Auto-escalated due to SLA breach"References
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.8 KB
API Reference: SOC Escalation Matrix
Priority Tiers
| Tier | Response SLA | Update SLA | Resolution SLA |
|---|---|---|---|
| P1 Critical | 15 min | 1 hour | 4 hours |
| P2 High | 30 min | 2 hours | 8 hours |
| P3 Medium | 1 hour | 4 hours | 24 hours |
| P4 Low | 4 hours | 8 hours | 72 hours |
Alert Categories
| Category | Default Priority | Auto-Escalate Triggers |
|---|---|---|
| Malware | P2 | ransomware, wiper, apt |
| Phishing | P3 | executive_target, credential_harvested |
| Unauthorized Access | P2 | admin_account, domain_controller |
| Data Exfiltration | P1 | pii, financial, classified |
| Insider Threat | P2 | privileged_user, data_staging |
Escalation Chain
P1: SOC Analyst → SOC Lead → IR Manager → CISO
P2: SOC Analyst → SOC Lead → IR Manager
P3: SOC Analyst → SOC Lead
P4: SOC AnalystNotification Channels
| Tier | Channels |
|---|---|
| P1 | Slack #critical-alerts, PagerDuty, Email CISO, SMS |
| P2 | Slack #soc-alerts, PagerDuty, Email IR Manager |
| P3 | Slack #soc-alerts, Email SOC Lead |
| P4 | Slack #soc-triage |
PagerDuty Incident API
POST https://events.pagerduty.com/v2/enqueue
{
"routing_key": "SERVICE_KEY",
"event_action": "trigger",
"payload": {
"summary": "P1 Alert: Data exfiltration detected",
"severity": "critical",
"source": "SOC SIEM"
}
}Slack Webhook Notification
POST https://hooks.slack.com/services/T.../B.../xxx
{
"channel": "#critical-alerts",
"text": "P1 Incident: ..."
}Auto-Escalation Rules
| Condition | Action |
|---|---|
| Response SLA exceeded | Escalate to next in chain |
| >= 3 correlated alerts | Increase priority by 1 |
| VIP user affected | Auto-escalate to P1 |
| Critical asset impacted | Increase priority by 1 |
standards.md1.1 KB
Standards - SOC Escalation Matrix
NIST SP 800-61 Rev 2 Incident Handling
- Defines incident categories and severity levels
- Recommends functional impact, information impact, and recoverability as factors
- Guides escalation based on incident classification
ITIL Incident Management
- P1-P4 priority classification framework
- Impact x Urgency = Priority matrix
- SLA management for each priority level
SOC-CMM (SOC Capability Maturity Model)
- Level 1: Ad-hoc escalation, no formal process
- Level 2: Defined escalation paths, documented SLAs
- Level 3: Automated escalation with SOAR integration
- Level 4: Context-driven escalation with risk scoring
- Level 5: AI-assisted prioritization and auto-escalation
Response Time Standards
| Priority | Industry Standard | Best Practice |
|---|---|---|
| P1 | 15 min response, 4h resolution | 5 min response, 2h containment |
| P2 | 30 min response, 8h resolution | 15 min response, 4h containment |
| P3 | 4h response, 24h resolution | 2h response, 12h resolution |
| P4 | 8h response, 72h resolution | 4h response, 48h resolution |
workflows.md0.9 KB
Workflows - SOC Escalation Matrix
Escalation Flow
Alert Generated
|
v
Tier 1 Triage (15 min)
|
+-- P4/P3: Handle to resolution
|
+-- P2: Escalate to Tier 2
| |
| +-- Resolved: Close
| +-- Unresolved (4h): Escalate to Tier 3
|
+-- P1: Immediate escalation
|
v
Tier 3 + Management Notified
|
v
War Room / Bridge Activated
|
v
Containment within SLA
|
v
Resolution + Post-Incident ReviewNotification Matrix
| Priority | Tier 1 | Tier 2 | Tier 3 | SOC Mgr | CISO | Legal |
|---|---|---|---|---|---|---|
| P1 | Aware | Aware | Lead | Notified | Notified | Standby |
| P2 | Aware | Lead | Consulted | Informed | - | - |
| P3 | Lead | Consulted | - | - | - | - |
| P4 | Lead | - | - | - | - | - |
Scripts 2
agent.py7.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""SOC Escalation Matrix Agent - Builds and validates SOC escalation paths and response workflows."""
import json
import logging
import argparse
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
SEVERITY_TIERS = {
"P1": {"name": "Critical", "response_sla": 15, "update_sla": 60, "resolution_sla": 240,
"escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager", "CISO"],
"notification": ["Slack #critical-alerts", "PagerDuty", "Email CISO", "SMS Exec Team"]},
"P2": {"name": "High", "response_sla": 30, "update_sla": 120, "resolution_sla": 480,
"escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager"],
"notification": ["Slack #soc-alerts", "PagerDuty", "Email IR Manager"]},
"P3": {"name": "Medium", "response_sla": 60, "update_sla": 240, "resolution_sla": 1440,
"escalation_path": ["SOC Analyst", "SOC Lead"],
"notification": ["Slack #soc-alerts", "Email SOC Lead"]},
"P4": {"name": "Low", "response_sla": 240, "update_sla": 480, "resolution_sla": 4320,
"escalation_path": ["SOC Analyst"],
"notification": ["Slack #soc-triage"]},
}
ALERT_CATEGORIES = {
"malware": {"default_priority": "P2", "auto_escalate_if": ["ransomware", "wiper", "apt"]},
"phishing": {"default_priority": "P3", "auto_escalate_if": ["executive_target", "credential_harvested"]},
"unauthorized_access": {"default_priority": "P2", "auto_escalate_if": ["admin_account", "domain_controller"]},
"data_exfiltration": {"default_priority": "P1", "auto_escalate_if": ["pii", "financial", "classified"]},
"denial_of_service": {"default_priority": "P2", "auto_escalate_if": ["customer_facing", "revenue_impacting"]},
"insider_threat": {"default_priority": "P2", "auto_escalate_if": ["privileged_user", "data_staging"]},
"vulnerability_exploit": {"default_priority": "P2", "auto_escalate_if": ["zero_day", "active_exploitation"]},
}
def classify_alert(category, tags, affected_asset_criticality="medium"):
"""Classify alert priority based on category, tags, and asset criticality."""
cat_info = ALERT_CATEGORIES.get(category, {"default_priority": "P3", "auto_escalate_if": []})
priority = cat_info["default_priority"]
escalation_reasons = []
for tag in tags:
if tag in cat_info["auto_escalate_if"]:
escalation_reasons.append(f"Tag '{tag}' triggers auto-escalation")
if affected_asset_criticality == "critical":
escalation_reasons.append("Critical asset affected")
if escalation_reasons:
priority_num = int(priority[1])
new_priority = f"P{max(1, priority_num - 1)}"
if new_priority != priority:
escalation_reasons.append(f"Escalated from {priority} to {new_priority}")
priority = new_priority
return {"priority": priority, "category": category, "escalation_reasons": escalation_reasons,
"sla": SEVERITY_TIERS[priority]}
def build_escalation_matrix():
"""Build complete escalation matrix structure."""
matrix = {"tiers": {}, "categories": {}, "auto_escalation_rules": []}
for tier_id, tier_info in SEVERITY_TIERS.items():
matrix["tiers"][tier_id] = {
"name": tier_info["name"],
"response_sla_minutes": tier_info["response_sla"],
"update_sla_minutes": tier_info["update_sla"],
"resolution_sla_minutes": tier_info["resolution_sla"],
"escalation_chain": tier_info["escalation_path"],
"notification_channels": tier_info["notification"],
}
for cat_name, cat_info in ALERT_CATEGORIES.items():
matrix["categories"][cat_name] = {
"default_priority": cat_info["default_priority"],
"auto_escalation_triggers": cat_info["auto_escalate_if"],
}
matrix["auto_escalation_rules"] = [
{"rule": "SLA breach: response", "action": "Escalate to next tier in chain", "condition": "Response SLA exceeded"},
{"rule": "SLA breach: update", "action": "Notify SOC Lead", "condition": "Update SLA exceeded"},
{"rule": "SLA breach: resolution", "action": "Escalate to IR Manager", "condition": "Resolution SLA exceeded"},
{"rule": "Multiple related alerts", "action": "Escalate priority by 1", "condition": ">= 3 correlated alerts"},
{"rule": "VIP user affected", "action": "Auto-escalate to P1", "condition": "Executive or board member"},
]
return matrix
def validate_escalation_matrix(matrix):
"""Validate the escalation matrix for completeness and consistency."""
issues = []
for tier_id, tier in matrix["tiers"].items():
if not tier.get("escalation_chain"):
issues.append({"tier": tier_id, "issue": "Empty escalation chain", "severity": "critical"})
if tier.get("response_sla_minutes", 0) >= tier.get("update_sla_minutes", 0):
issues.append({"tier": tier_id, "issue": "Response SLA >= Update SLA", "severity": "warning"})
if not tier.get("notification_channels"):
issues.append({"tier": tier_id, "issue": "No notification channels", "severity": "high"})
for cat, info in matrix["categories"].items():
if info["default_priority"] not in matrix["tiers"]:
issues.append({"category": cat, "issue": f"Invalid priority {info['default_priority']}", "severity": "critical"})
valid = not any(i["severity"] == "critical" for i in issues)
return {"valid": valid, "issues": issues, "tier_count": len(matrix["tiers"]),
"category_count": len(matrix["categories"])}
def simulate_alerts(matrix, alerts):
"""Simulate alert classification through the escalation matrix."""
results = []
for alert in alerts:
classification = classify_alert(alert.get("category", ""), alert.get("tags", []),
alert.get("asset_criticality", "medium"))
results.append({"alert": alert, "classification": classification})
return results
def generate_report(matrix, validation, simulation_results=None):
"""Generate escalation matrix report."""
report = {
"timestamp": datetime.utcnow().isoformat(),
"escalation_matrix": matrix,
"validation": validation,
"simulation_results": simulation_results or [],
}
status = "VALID" if validation["valid"] else "INVALID"
print(f"ESCALATION MATRIX: {status}, {validation['tier_count']} tiers, "
f"{validation['category_count']} categories, {len(validation['issues'])} issues")
return report
def main():
parser = argparse.ArgumentParser(description="SOC Escalation Matrix Builder")
parser.add_argument("--validate", action="store_true", help="Validate matrix")
parser.add_argument("--simulate", help="JSON file with test alerts for simulation")
parser.add_argument("--output", default="escalation_matrix_report.json")
args = parser.parse_args()
matrix = build_escalation_matrix()
validation = validate_escalation_matrix(matrix)
simulation_results = None
if args.simulate:
with open(args.simulate) as f:
alerts = json.load(f)
simulation_results = simulate_alerts(matrix, alerts)
report = generate_report(matrix, validation, simulation_results)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()
process.py8.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
SOC Escalation Matrix Builder and Simulator
Builds escalation matrices, simulates incident routing,
and tracks SLA compliance for SOC operations.
"""
import json
from datetime import datetime, timedelta
SEVERITY_CONFIG = {
"P1": {
"name": "Critical",
"initial_response_min": 15,
"escalation_to_tier2_min": 0,
"escalation_to_tier3_min": 0,
"escalation_to_mgmt_min": 30,
"resolution_target_hours": 4,
"update_interval_min": 30,
"assigned_tier": 3,
},
"P2": {
"name": "High",
"initial_response_min": 30,
"escalation_to_tier2_min": 30,
"escalation_to_tier3_min": 240,
"escalation_to_mgmt_min": 120,
"resolution_target_hours": 8,
"update_interval_min": 120,
"assigned_tier": 2,
},
"P3": {
"name": "Medium",
"initial_response_min": 240,
"escalation_to_tier2_min": 480,
"escalation_to_tier3_min": None,
"escalation_to_mgmt_min": None,
"resolution_target_hours": 24,
"update_interval_min": 1440,
"assigned_tier": 1,
},
"P4": {
"name": "Low",
"initial_response_min": 480,
"escalation_to_tier2_min": None,
"escalation_to_tier3_min": None,
"escalation_to_mgmt_min": None,
"resolution_target_hours": 72,
"update_interval_min": 10080,
"assigned_tier": 1,
},
}
ASSET_CRITICALITY_MAP = {
("critical", "critical"): "P1",
("critical", "high"): "P1",
("critical", "medium"): "P1",
("critical", "low"): "P2",
("high", "critical"): "P1",
("high", "high"): "P2",
("high", "medium"): "P2",
("high", "low"): "P3",
("medium", "critical"): "P2",
("medium", "high"): "P2",
("medium", "medium"): "P3",
("medium", "low"): "P4",
("low", "critical"): "P3",
("low", "high"): "P3",
("low", "medium"): "P4",
("low", "low"): "P4",
}
AUTO_ESCALATION_TRIGGERS = {
"ransomware_detected": "P1",
"domain_admin_compromise": "P1",
"active_data_exfiltration": "P1",
"multiple_hosts_malware": "P1",
"critical_infrastructure_alert": "P1",
"executive_account_anomaly": "P2",
"insider_threat_indicator": "P2",
"brute_force_success": "P2",
}
class Incident:
"""Represents a security incident with escalation tracking."""
def __init__(self, incident_id: str, title: str, severity_score: str,
asset_criticality: str, incident_type: str):
self.incident_id = incident_id
self.title = title
self.incident_type = incident_type
self.created = datetime.utcnow()
# Calculate priority
if incident_type in AUTO_ESCALATION_TRIGGERS:
self.priority = AUTO_ESCALATION_TRIGGERS[incident_type]
else:
self.priority = ASSET_CRITICALITY_MAP.get(
(severity_score, asset_criticality), "P3"
)
self.config = SEVERITY_CONFIG[self.priority]
self.current_tier = self.config["assigned_tier"]
self.status = "open"
self.escalation_history = []
self.resolved_at = None
def check_sla_compliance(self) -> dict:
now = datetime.utcnow()
elapsed_min = (now - self.created).total_seconds() / 60
response_sla_met = elapsed_min <= self.config["initial_response_min"] or self.status != "open"
resolution_target_min = self.config["resolution_target_hours"] * 60
if self.resolved_at:
resolution_min = (self.resolved_at - self.created).total_seconds() / 60
resolution_sla_met = resolution_min <= resolution_target_min
else:
resolution_sla_met = elapsed_min <= resolution_target_min
return {
"incident_id": self.incident_id,
"priority": self.priority,
"elapsed_minutes": round(elapsed_min, 1),
"response_sla_met": response_sla_met,
"resolution_sla_met": resolution_sla_met,
"response_sla_min": self.config["initial_response_min"],
"resolution_sla_min": resolution_target_min,
"needs_escalation": not resolution_sla_met and self.status == "open",
}
def escalate(self, to_tier: int, reason: str):
self.escalation_history.append({
"from_tier": self.current_tier,
"to_tier": to_tier,
"reason": reason,
"timestamp": datetime.utcnow().isoformat(),
})
self.current_tier = to_tier
def resolve(self):
self.status = "resolved"
self.resolved_at = datetime.utcnow()
class EscalationMatrix:
"""Manages the SOC escalation matrix and tracks incidents."""
def __init__(self):
self.incidents = []
def create_incident(self, incident_id: str, title: str, severity: str,
asset_criticality: str, incident_type: str) -> Incident:
incident = Incident(incident_id, title, severity, asset_criticality, incident_type)
self.incidents.append(incident)
return incident
def get_sla_report(self) -> dict:
report = {"total": len(self.incidents), "by_priority": {}, "sla_breaches": 0}
for priority in ["P1", "P2", "P3", "P4"]:
priority_incidents = [i for i in self.incidents if i.priority == priority]
breaches = sum(1 for i in priority_incidents if not i.check_sla_compliance()["resolution_sla_met"])
report["by_priority"][priority] = {
"count": len(priority_incidents),
"resolved": sum(1 for i in priority_incidents if i.status == "resolved"),
"open": sum(1 for i in priority_incidents if i.status == "open"),
"sla_breaches": breaches,
}
report["sla_breaches"] += breaches
return report
def get_escalation_summary(self) -> dict:
total_escalations = sum(len(i.escalation_history) for i in self.incidents)
tier_distribution = {1: 0, 2: 0, 3: 0}
for i in self.incidents:
if i.current_tier in tier_distribution:
tier_distribution[i.current_tier] += 1
return {
"total_incidents": len(self.incidents),
"total_escalations": total_escalations,
"current_tier_distribution": tier_distribution,
}
if __name__ == "__main__":
matrix = EscalationMatrix()
inc1 = matrix.create_incident("INC-001", "Ransomware on Finance Server", "critical", "critical", "ransomware_detected")
inc2 = matrix.create_incident("INC-002", "Failed Brute Force on VPN", "medium", "high", "brute_force_attempt")
inc3 = matrix.create_incident("INC-003", "Suspicious PowerShell on Workstation", "high", "medium", "suspicious_execution")
inc4 = matrix.create_incident("INC-004", "Expired SSL Certificate", "low", "low", "certificate_expiry")
inc5 = matrix.create_incident("INC-005", "Executive Email Compromise Attempt", "high", "critical", "executive_account_anomaly")
# Simulate escalations
inc1.escalate(3, "Ransomware auto-escalation to Tier 3")
inc3.escalate(2, "Analyst escalation - needs deeper investigation")
inc4.resolve()
print("=" * 70)
print("SOC ESCALATION MATRIX REPORT")
print("=" * 70)
for inc in matrix.incidents:
sla = inc.check_sla_compliance()
print(f"\n[{inc.priority}] {inc.incident_id}: {inc.title}")
print(f" Status: {inc.status} | Tier: {inc.current_tier} | Type: {inc.incident_type}")
print(f" Response SLA: {'MET' if sla['response_sla_met'] else 'BREACHED'} ({sla['response_sla_min']}min)")
print(f" Resolution SLA: {'MET' if sla['resolution_sla_met'] else 'AT RISK'} ({sla['resolution_sla_min']}min)")
if inc.escalation_history:
print(f" Escalations: {len(inc.escalation_history)}")
print(f"\n{'=' * 70}")
print("SLA COMPLIANCE REPORT")
print("=" * 70)
report = matrix.get_sla_report()
for priority, data in report["by_priority"].items():
if data["count"] > 0:
print(f" {priority}: {data['count']} incidents, {data['resolved']} resolved, {data['sla_breaches']} SLA breaches")
Assets 1
template.mdtext/markdown · 0.9 KBKeep exploring