soc operations

Building SOC Escalation Matrix

Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification procedures for security incidents.

escalationincident-managementseverityslasoctiered-soctriage
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

A SOC escalation matrix defines how security incidents move through the organization based on severity, impact, and response requirements. Modern SOCs use context-driven escalation combining business risk, asset criticality, and data sensitivity rather than purely severity-based models. Organizations using AI and automation in their SOC cut detection-and-containment lifecycle to approximately 161 days, an 80-day improvement over the 241-day industry average.

When to Use

  • When deploying or configuring building soc escalation matrix capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with soc operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

SOC Tier Structure

Tier 1 - Alert Triage Analyst

  • Monitors SIEM dashboards and alert queues
  • Performs initial alert classification (true/false positive)
  • Handles P3 and P4 incidents to resolution
  • Escalates P1 and P2 incidents to Tier 2 within SLA
  • Documents initial findings in ticketing system

Tier 2 - Incident Analyst

  • Performs deep-dive investigation on escalated incidents
  • Conducts root cause analysis and scoping
  • Executes containment procedures
  • Handles P2 incidents to resolution
  • Escalates P1 incidents to Tier 3 or management

Tier 3 - Senior Analyst / Threat Hunter

  • Handles P1 critical incidents and APT investigations
  • Performs proactive threat hunting
  • Develops detection rules and playbooks
  • Conducts malware reverse engineering
  • Leads incident response for major breaches

Management Escalation

  • SOC Manager: Operational decisions, resource allocation
  • CISO: Business impact decisions, executive communication
  • Legal/PR: Data breach notification, media response
  • External IR: Third-party incident response engagement

Severity Classification

P1 - Critical

Attribute Value
Impact Active data breach, ransomware spreading, critical systems compromised
Business Impact Revenue loss, regulatory exposure, customer data at risk
Initial Response 15 minutes
Escalation to Tier 2 Immediate
Escalation to Management 30 minutes
Resolution Target 4 hours
Communication Every 30 minutes to stakeholders
Examples Active ransomware, confirmed data exfiltration, domain admin compromise

P2 - High

Attribute Value
Impact Confirmed compromise, limited scope, no active exfiltration
Business Impact Potential revenue impact, contained risk
Initial Response 30 minutes
Escalation to Tier 2 30 minutes if unresolved
Escalation to Management 2 hours
Resolution Target 8 hours
Communication Every 2 hours to SOC management
Examples Compromised user account, malware on single endpoint, insider threat indicator

P3 - Medium

Attribute Value
Impact Suspicious activity requiring investigation
Business Impact Low immediate risk
Initial Response 4 hours
Escalation to Tier 2 8 hours if unresolved
Resolution Target 24 hours
Communication Daily status update
Examples Policy violation, failed brute force, suspicious email report

P4 - Low

Attribute Value
Impact Informational alerts, routine security events
Business Impact Minimal
Initial Response 8 hours
Escalation Only if pattern emerges
Resolution Target 72 hours
Communication Weekly summary
Examples Vulnerability scan findings, expired certificates, policy exceptions

Escalation Decision Matrix

                    Asset Criticality
                    Low        Medium      High        Critical
Severity  Low      P4         P4          P3          P3
          Medium   P4         P3          P2          P2
          High     P3         P2          P2          P1
          Critical P2         P1          P1          P1

Context-Driven Escalation Triggers

Automatic Escalation (no analyst decision needed)

Trigger Action
Ransomware detected on any endpoint P1 - Immediate Tier 3 + Management
Domain admin account compromise P1 - Immediate Tier 3 + Management
Active data exfiltration to external IP P1 - Immediate Tier 3 + Management
Critical infrastructure (DC, SCADA) alert P1 - Immediate Tier 2 minimum
Executive account anomaly P2 - Immediate Tier 2
Multiple hosts with same malware P1 - Immediate Tier 2

Time-Based Escalation

Condition Action
P2 unresolved after 4 hours Escalate to Tier 3
P3 unresolved after 12 hours Escalate to Tier 2
Any incident unresolved past SLA Escalate to SOC Manager
P1 unresolved after 2 hours Escalate to CISO

Communication Templates

P1 Initial Notification

SUBJECT: [P1 CRITICAL] Security Incident - {Incident_ID}
 
Incident Summary:
- Type: {incident_type}
- Affected Systems: {systems}
- Affected Users: {users}
- Current Status: {status}
- Assigned To: {analyst}
 
Impact Assessment:
- Business Impact: {impact}
- Data at Risk: {data_risk}
- Containment Status: {containment}
 
Next Actions:
- {action_1}
- {action_2}
 
Next Update: {time} (30-minute intervals)
Bridge Line: {conference_details}

Escalation Matrix Implementation

SOAR Integration

# XSOAR escalation playbook trigger
trigger:
  condition: incident.severity == "critical" AND incident.asset_criticality == "high"
  action:
    - assign_tier: 3
    - notify: [soc_manager, ciso]
    - create_war_room: true
    - start_bridge: true
    - set_sla: 4h
 
auto_escalation_rules:
  - name: P2 Time-Based Escalation
    condition: incident.severity == "high" AND incident.age > 4h AND incident.status != "resolved"
    action:
      - escalate_tier: 3
      - notify: soc_manager
      - add_comment: "Auto-escalated due to SLA breach"

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.8 KB

API Reference: SOC Escalation Matrix

Priority Tiers

Tier Response SLA Update SLA Resolution SLA
P1 Critical 15 min 1 hour 4 hours
P2 High 30 min 2 hours 8 hours
P3 Medium 1 hour 4 hours 24 hours
P4 Low 4 hours 8 hours 72 hours

Alert Categories

Category Default Priority Auto-Escalate Triggers
Malware P2 ransomware, wiper, apt
Phishing P3 executive_target, credential_harvested
Unauthorized Access P2 admin_account, domain_controller
Data Exfiltration P1 pii, financial, classified
Insider Threat P2 privileged_user, data_staging

Escalation Chain

P1: SOC Analyst → SOC Lead → IR Manager → CISO
P2: SOC Analyst → SOC Lead → IR Manager
P3: SOC Analyst → SOC Lead
P4: SOC Analyst

Notification Channels

Tier Channels
P1 Slack #critical-alerts, PagerDuty, Email CISO, SMS
P2 Slack #soc-alerts, PagerDuty, Email IR Manager
P3 Slack #soc-alerts, Email SOC Lead
P4 Slack #soc-triage

PagerDuty Incident API

POST https://events.pagerduty.com/v2/enqueue
{
  "routing_key": "SERVICE_KEY",
  "event_action": "trigger",
  "payload": {
    "summary": "P1 Alert: Data exfiltration detected",
    "severity": "critical",
    "source": "SOC SIEM"
  }
}

Slack Webhook Notification

POST https://hooks.slack.com/services/T.../B.../xxx
{
  "channel": "#critical-alerts",
  "text": "P1 Incident: ..."
}

Auto-Escalation Rules

Condition Action
Response SLA exceeded Escalate to next in chain
>= 3 correlated alerts Increase priority by 1
VIP user affected Auto-escalate to P1
Critical asset impacted Increase priority by 1
standards.md1.1 KB

Standards - SOC Escalation Matrix

NIST SP 800-61 Rev 2 Incident Handling

  • Defines incident categories and severity levels
  • Recommends functional impact, information impact, and recoverability as factors
  • Guides escalation based on incident classification

ITIL Incident Management

  • P1-P4 priority classification framework
  • Impact x Urgency = Priority matrix
  • SLA management for each priority level

SOC-CMM (SOC Capability Maturity Model)

  • Level 1: Ad-hoc escalation, no formal process
  • Level 2: Defined escalation paths, documented SLAs
  • Level 3: Automated escalation with SOAR integration
  • Level 4: Context-driven escalation with risk scoring
  • Level 5: AI-assisted prioritization and auto-escalation

Response Time Standards

Priority Industry Standard Best Practice
P1 15 min response, 4h resolution 5 min response, 2h containment
P2 30 min response, 8h resolution 15 min response, 4h containment
P3 4h response, 24h resolution 2h response, 12h resolution
P4 8h response, 72h resolution 4h response, 48h resolution
workflows.md0.9 KB

Workflows - SOC Escalation Matrix

Escalation Flow

Alert Generated
    |
    v
Tier 1 Triage (15 min)
    |
    +-- P4/P3: Handle to resolution
    |
    +-- P2: Escalate to Tier 2
    |       |
    |       +-- Resolved: Close
    |       +-- Unresolved (4h): Escalate to Tier 3
    |
    +-- P1: Immediate escalation
            |
            v
        Tier 3 + Management Notified
            |
            v
        War Room / Bridge Activated
            |
            v
        Containment within SLA
            |
            v
        Resolution + Post-Incident Review

Notification Matrix

Priority Tier 1 Tier 2 Tier 3 SOC Mgr CISO Legal
P1 Aware Aware Lead Notified Notified Standby
P2 Aware Lead Consulted Informed - -
P3 Lead Consulted - - - -
P4 Lead - - - - -

Scripts 2

agent.py7.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""SOC Escalation Matrix Agent - Builds and validates SOC escalation paths and response workflows."""

import json
import logging
import argparse
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

SEVERITY_TIERS = {
    "P1": {"name": "Critical", "response_sla": 15, "update_sla": 60, "resolution_sla": 240,
            "escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager", "CISO"],
            "notification": ["Slack #critical-alerts", "PagerDuty", "Email CISO", "SMS Exec Team"]},
    "P2": {"name": "High", "response_sla": 30, "update_sla": 120, "resolution_sla": 480,
            "escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager"],
            "notification": ["Slack #soc-alerts", "PagerDuty", "Email IR Manager"]},
    "P3": {"name": "Medium", "response_sla": 60, "update_sla": 240, "resolution_sla": 1440,
            "escalation_path": ["SOC Analyst", "SOC Lead"],
            "notification": ["Slack #soc-alerts", "Email SOC Lead"]},
    "P4": {"name": "Low", "response_sla": 240, "update_sla": 480, "resolution_sla": 4320,
            "escalation_path": ["SOC Analyst"],
            "notification": ["Slack #soc-triage"]},
}

ALERT_CATEGORIES = {
    "malware": {"default_priority": "P2", "auto_escalate_if": ["ransomware", "wiper", "apt"]},
    "phishing": {"default_priority": "P3", "auto_escalate_if": ["executive_target", "credential_harvested"]},
    "unauthorized_access": {"default_priority": "P2", "auto_escalate_if": ["admin_account", "domain_controller"]},
    "data_exfiltration": {"default_priority": "P1", "auto_escalate_if": ["pii", "financial", "classified"]},
    "denial_of_service": {"default_priority": "P2", "auto_escalate_if": ["customer_facing", "revenue_impacting"]},
    "insider_threat": {"default_priority": "P2", "auto_escalate_if": ["privileged_user", "data_staging"]},
    "vulnerability_exploit": {"default_priority": "P2", "auto_escalate_if": ["zero_day", "active_exploitation"]},
}


def classify_alert(category, tags, affected_asset_criticality="medium"):
    """Classify alert priority based on category, tags, and asset criticality."""
    cat_info = ALERT_CATEGORIES.get(category, {"default_priority": "P3", "auto_escalate_if": []})
    priority = cat_info["default_priority"]
    escalation_reasons = []
    for tag in tags:
        if tag in cat_info["auto_escalate_if"]:
            escalation_reasons.append(f"Tag '{tag}' triggers auto-escalation")
    if affected_asset_criticality == "critical":
        escalation_reasons.append("Critical asset affected")
    if escalation_reasons:
        priority_num = int(priority[1])
        new_priority = f"P{max(1, priority_num - 1)}"
        if new_priority != priority:
            escalation_reasons.append(f"Escalated from {priority} to {new_priority}")
            priority = new_priority
    return {"priority": priority, "category": category, "escalation_reasons": escalation_reasons,
            "sla": SEVERITY_TIERS[priority]}


def build_escalation_matrix():
    """Build complete escalation matrix structure."""
    matrix = {"tiers": {}, "categories": {}, "auto_escalation_rules": []}
    for tier_id, tier_info in SEVERITY_TIERS.items():
        matrix["tiers"][tier_id] = {
            "name": tier_info["name"],
            "response_sla_minutes": tier_info["response_sla"],
            "update_sla_minutes": tier_info["update_sla"],
            "resolution_sla_minutes": tier_info["resolution_sla"],
            "escalation_chain": tier_info["escalation_path"],
            "notification_channels": tier_info["notification"],
        }
    for cat_name, cat_info in ALERT_CATEGORIES.items():
        matrix["categories"][cat_name] = {
            "default_priority": cat_info["default_priority"],
            "auto_escalation_triggers": cat_info["auto_escalate_if"],
        }
    matrix["auto_escalation_rules"] = [
        {"rule": "SLA breach: response", "action": "Escalate to next tier in chain", "condition": "Response SLA exceeded"},
        {"rule": "SLA breach: update", "action": "Notify SOC Lead", "condition": "Update SLA exceeded"},
        {"rule": "SLA breach: resolution", "action": "Escalate to IR Manager", "condition": "Resolution SLA exceeded"},
        {"rule": "Multiple related alerts", "action": "Escalate priority by 1", "condition": ">= 3 correlated alerts"},
        {"rule": "VIP user affected", "action": "Auto-escalate to P1", "condition": "Executive or board member"},
    ]
    return matrix


def validate_escalation_matrix(matrix):
    """Validate the escalation matrix for completeness and consistency."""
    issues = []
    for tier_id, tier in matrix["tiers"].items():
        if not tier.get("escalation_chain"):
            issues.append({"tier": tier_id, "issue": "Empty escalation chain", "severity": "critical"})
        if tier.get("response_sla_minutes", 0) >= tier.get("update_sla_minutes", 0):
            issues.append({"tier": tier_id, "issue": "Response SLA >= Update SLA", "severity": "warning"})
        if not tier.get("notification_channels"):
            issues.append({"tier": tier_id, "issue": "No notification channels", "severity": "high"})
    for cat, info in matrix["categories"].items():
        if info["default_priority"] not in matrix["tiers"]:
            issues.append({"category": cat, "issue": f"Invalid priority {info['default_priority']}", "severity": "critical"})
    valid = not any(i["severity"] == "critical" for i in issues)
    return {"valid": valid, "issues": issues, "tier_count": len(matrix["tiers"]),
            "category_count": len(matrix["categories"])}


def simulate_alerts(matrix, alerts):
    """Simulate alert classification through the escalation matrix."""
    results = []
    for alert in alerts:
        classification = classify_alert(alert.get("category", ""), alert.get("tags", []),
                                        alert.get("asset_criticality", "medium"))
        results.append({"alert": alert, "classification": classification})
    return results


def generate_report(matrix, validation, simulation_results=None):
    """Generate escalation matrix report."""
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "escalation_matrix": matrix,
        "validation": validation,
        "simulation_results": simulation_results or [],
    }
    status = "VALID" if validation["valid"] else "INVALID"
    print(f"ESCALATION MATRIX: {status}, {validation['tier_count']} tiers, "
          f"{validation['category_count']} categories, {len(validation['issues'])} issues")
    return report


def main():
    parser = argparse.ArgumentParser(description="SOC Escalation Matrix Builder")
    parser.add_argument("--validate", action="store_true", help="Validate matrix")
    parser.add_argument("--simulate", help="JSON file with test alerts for simulation")
    parser.add_argument("--output", default="escalation_matrix_report.json")
    args = parser.parse_args()

    matrix = build_escalation_matrix()
    validation = validate_escalation_matrix(matrix)
    simulation_results = None
    if args.simulate:
        with open(args.simulate) as f:
            alerts = json.load(f)
        simulation_results = simulate_alerts(matrix, alerts)

    report = generate_report(matrix, validation, simulation_results)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", args.output)


if __name__ == "__main__":
    main()
process.py8.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
SOC Escalation Matrix Builder and Simulator

Builds escalation matrices, simulates incident routing,
and tracks SLA compliance for SOC operations.
"""

import json
from datetime import datetime, timedelta


SEVERITY_CONFIG = {
    "P1": {
        "name": "Critical",
        "initial_response_min": 15,
        "escalation_to_tier2_min": 0,
        "escalation_to_tier3_min": 0,
        "escalation_to_mgmt_min": 30,
        "resolution_target_hours": 4,
        "update_interval_min": 30,
        "assigned_tier": 3,
    },
    "P2": {
        "name": "High",
        "initial_response_min": 30,
        "escalation_to_tier2_min": 30,
        "escalation_to_tier3_min": 240,
        "escalation_to_mgmt_min": 120,
        "resolution_target_hours": 8,
        "update_interval_min": 120,
        "assigned_tier": 2,
    },
    "P3": {
        "name": "Medium",
        "initial_response_min": 240,
        "escalation_to_tier2_min": 480,
        "escalation_to_tier3_min": None,
        "escalation_to_mgmt_min": None,
        "resolution_target_hours": 24,
        "update_interval_min": 1440,
        "assigned_tier": 1,
    },
    "P4": {
        "name": "Low",
        "initial_response_min": 480,
        "escalation_to_tier2_min": None,
        "escalation_to_tier3_min": None,
        "escalation_to_mgmt_min": None,
        "resolution_target_hours": 72,
        "update_interval_min": 10080,
        "assigned_tier": 1,
    },
}

ASSET_CRITICALITY_MAP = {
    ("critical", "critical"): "P1",
    ("critical", "high"): "P1",
    ("critical", "medium"): "P1",
    ("critical", "low"): "P2",
    ("high", "critical"): "P1",
    ("high", "high"): "P2",
    ("high", "medium"): "P2",
    ("high", "low"): "P3",
    ("medium", "critical"): "P2",
    ("medium", "high"): "P2",
    ("medium", "medium"): "P3",
    ("medium", "low"): "P4",
    ("low", "critical"): "P3",
    ("low", "high"): "P3",
    ("low", "medium"): "P4",
    ("low", "low"): "P4",
}

AUTO_ESCALATION_TRIGGERS = {
    "ransomware_detected": "P1",
    "domain_admin_compromise": "P1",
    "active_data_exfiltration": "P1",
    "multiple_hosts_malware": "P1",
    "critical_infrastructure_alert": "P1",
    "executive_account_anomaly": "P2",
    "insider_threat_indicator": "P2",
    "brute_force_success": "P2",
}


class Incident:
    """Represents a security incident with escalation tracking."""

    def __init__(self, incident_id: str, title: str, severity_score: str,
                 asset_criticality: str, incident_type: str):
        self.incident_id = incident_id
        self.title = title
        self.incident_type = incident_type
        self.created = datetime.utcnow()

        # Calculate priority
        if incident_type in AUTO_ESCALATION_TRIGGERS:
            self.priority = AUTO_ESCALATION_TRIGGERS[incident_type]
        else:
            self.priority = ASSET_CRITICALITY_MAP.get(
                (severity_score, asset_criticality), "P3"
            )

        self.config = SEVERITY_CONFIG[self.priority]
        self.current_tier = self.config["assigned_tier"]
        self.status = "open"
        self.escalation_history = []
        self.resolved_at = None

    def check_sla_compliance(self) -> dict:
        now = datetime.utcnow()
        elapsed_min = (now - self.created).total_seconds() / 60

        response_sla_met = elapsed_min <= self.config["initial_response_min"] or self.status != "open"
        resolution_target_min = self.config["resolution_target_hours"] * 60

        if self.resolved_at:
            resolution_min = (self.resolved_at - self.created).total_seconds() / 60
            resolution_sla_met = resolution_min <= resolution_target_min
        else:
            resolution_sla_met = elapsed_min <= resolution_target_min

        return {
            "incident_id": self.incident_id,
            "priority": self.priority,
            "elapsed_minutes": round(elapsed_min, 1),
            "response_sla_met": response_sla_met,
            "resolution_sla_met": resolution_sla_met,
            "response_sla_min": self.config["initial_response_min"],
            "resolution_sla_min": resolution_target_min,
            "needs_escalation": not resolution_sla_met and self.status == "open",
        }

    def escalate(self, to_tier: int, reason: str):
        self.escalation_history.append({
            "from_tier": self.current_tier,
            "to_tier": to_tier,
            "reason": reason,
            "timestamp": datetime.utcnow().isoformat(),
        })
        self.current_tier = to_tier

    def resolve(self):
        self.status = "resolved"
        self.resolved_at = datetime.utcnow()


class EscalationMatrix:
    """Manages the SOC escalation matrix and tracks incidents."""

    def __init__(self):
        self.incidents = []

    def create_incident(self, incident_id: str, title: str, severity: str,
                        asset_criticality: str, incident_type: str) -> Incident:
        incident = Incident(incident_id, title, severity, asset_criticality, incident_type)
        self.incidents.append(incident)
        return incident

    def get_sla_report(self) -> dict:
        report = {"total": len(self.incidents), "by_priority": {}, "sla_breaches": 0}
        for priority in ["P1", "P2", "P3", "P4"]:
            priority_incidents = [i for i in self.incidents if i.priority == priority]
            breaches = sum(1 for i in priority_incidents if not i.check_sla_compliance()["resolution_sla_met"])
            report["by_priority"][priority] = {
                "count": len(priority_incidents),
                "resolved": sum(1 for i in priority_incidents if i.status == "resolved"),
                "open": sum(1 for i in priority_incidents if i.status == "open"),
                "sla_breaches": breaches,
            }
            report["sla_breaches"] += breaches
        return report

    def get_escalation_summary(self) -> dict:
        total_escalations = sum(len(i.escalation_history) for i in self.incidents)
        tier_distribution = {1: 0, 2: 0, 3: 0}
        for i in self.incidents:
            if i.current_tier in tier_distribution:
                tier_distribution[i.current_tier] += 1
        return {
            "total_incidents": len(self.incidents),
            "total_escalations": total_escalations,
            "current_tier_distribution": tier_distribution,
        }


if __name__ == "__main__":
    matrix = EscalationMatrix()

    inc1 = matrix.create_incident("INC-001", "Ransomware on Finance Server", "critical", "critical", "ransomware_detected")
    inc2 = matrix.create_incident("INC-002", "Failed Brute Force on VPN", "medium", "high", "brute_force_attempt")
    inc3 = matrix.create_incident("INC-003", "Suspicious PowerShell on Workstation", "high", "medium", "suspicious_execution")
    inc4 = matrix.create_incident("INC-004", "Expired SSL Certificate", "low", "low", "certificate_expiry")
    inc5 = matrix.create_incident("INC-005", "Executive Email Compromise Attempt", "high", "critical", "executive_account_anomaly")

    # Simulate escalations
    inc1.escalate(3, "Ransomware auto-escalation to Tier 3")
    inc3.escalate(2, "Analyst escalation - needs deeper investigation")
    inc4.resolve()

    print("=" * 70)
    print("SOC ESCALATION MATRIX REPORT")
    print("=" * 70)

    for inc in matrix.incidents:
        sla = inc.check_sla_compliance()
        print(f"\n[{inc.priority}] {inc.incident_id}: {inc.title}")
        print(f"  Status: {inc.status} | Tier: {inc.current_tier} | Type: {inc.incident_type}")
        print(f"  Response SLA: {'MET' if sla['response_sla_met'] else 'BREACHED'} ({sla['response_sla_min']}min)")
        print(f"  Resolution SLA: {'MET' if sla['resolution_sla_met'] else 'AT RISK'} ({sla['resolution_sla_min']}min)")
        if inc.escalation_history:
            print(f"  Escalations: {len(inc.escalation_history)}")

    print(f"\n{'=' * 70}")
    print("SLA COMPLIANCE REPORT")
    print("=" * 70)
    report = matrix.get_sla_report()
    for priority, data in report["by_priority"].items():
        if data["count"] > 0:
            print(f"  {priority}: {data['count']} incidents, {data['resolved']} resolved, {data['sla_breaches']} SLA breaches")

Assets 1

template.mdtext/markdown · 0.9 KB
Keep exploring