Skill

triaging-incidents

Creating, triaging, updating, and analyzing ServiceNow incidents. Assess severity, check affected CIs, find related incidents, and recommend assignments. Use when the user mentions incidents, INC numbers, outages, service disruptions, ticket creation, triage, priority, severity, ITSM operations, SLA breaches, assignment groups, "what's on fire," or "open P1 incidents."

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/servicenow:triaging-incidents

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

mcp__plugin_servicenow_servicenow__list_recordsmcp__plugin_servicenow_servicenow__get_recordmcp__plugin_servicenow_servicenow__create_recordmcp__plugin_servicenow_servicenow__update_recordmcp__plugin_servicenow_servicenow__list_cimcp__plugin_servicenow_servicenow__get_cimcp__plugin_servicenow_servicenow__get_ci_relationshipsmcp__plugin_servicenow_servicenow__get_table_schema

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Create, triage, investigate, and analyze incidents. See `references/incident-fields.md` for the priority matrix, states, categories, and encoded query patterns.

Supporting Files

references/incident-fields.md

SKILL.md

166 lines · ~1.8k tokens

Stats

LanguagePython

Stars10

Forks6

MaintenanceExcellent

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Stats

Actions

Triaging ServiceNow Incidents

Create, triage, investigate, and analyze incidents. See references/incident-fields.md for the priority matrix, states, categories, and encoded query patterns.

Workflows

1. List Recent Incidents

Get a summary of recent incidents by priority, state, or assignment group.

Progress checklist (copy into your response):

- [ ] Query incidents with filters
- [ ] Summarize by priority and state
- [ ] Highlight critical/P1 incidents

List recent incidents (last 24 hours, open):

list_records(table_name="incident", query="active=true^sys_created_on>=javascript:gs.daysAgoStart(1)", fields="number,short_description,priority,state,assignment_group,assigned_to,sys_created_on", limit=20, order_by="-priority")

For a specific assignment group:

list_records(table_name="incident", query="active=true^assignment_groupLIKE<group_name>", fields="number,short_description,priority,state,assigned_to", limit=20)

Summarize: total count, breakdown by priority (P1/P2/P3/P4), breakdown by state, highlight any P1/P2 incidents.

2. Triage a New Incident

Assess impact and urgency, then suggest priority, category, and assignment group.

Progress checklist:

- [ ] Get incident details
- [ ] Assess impact and urgency
- [ ] Check affected CI and its dependencies
- [ ] Suggest priority, category, assignment group
- [ ] Recommend next steps

Get the incident details:

get_record(table_name="incident", sys_id="<incident_sys_id>")

If a CI is attached, check its relationships to assess blast radius:

get_ci(sys_id="<cmdb_ci_sys_id>")
get_ci_relationships(sys_id="<cmdb_ci_sys_id>")

Look for similar recent incidents (same CI or category):

list_records(table_name="incident", query="cmdb_ci=<ci_sys_id>^sys_created_on>=javascript:gs.daysAgoStart(30)", fields="number,short_description,state,priority", limit=10)

Recommend triage decisions:
- Priority: Based on impact x urgency matrix (see references/incident-fields.md)
- Category: Based on the affected CI class and description keywords
- Assignment group: Based on CI ownership or category routing rules
Present recommendations with reasoning.

3. Investigate an Incident

Deep-dive into an existing incident — full context, related CIs, similar incidents.

Progress checklist:

- [ ] Get full incident details
- [ ] Get affected CI details and relationships
- [ ] Find similar recent incidents
- [ ] Check for related problems or changes
- [ ] Summarize findings and recommend actions

Get the full incident record:

get_record(table_name="incident", sys_id="<incident_sys_id>")

If a CI is attached, get its details and dependency chain:

get_ci(sys_id="<cmdb_ci_sys_id>")
get_ci_relationships(sys_id="<cmdb_ci_sys_id>")

Find similar recent incidents:

list_records(table_name="incident", query="categoryLIKE<category>^sys_created_on>=javascript:gs.daysAgoStart(30)", fields="number,short_description,state,priority,resolution_notes", limit=10)

Check for related problems:

list_records(table_name="problem", query="cmdb_ci=<ci_sys_id>^active=true", fields="number,short_description,state", limit=5)

Check for recent changes on the same CI:

list_records(table_name="change_request", query="cmdb_ci=<ci_sys_id>^sys_created_on>=javascript:gs.daysAgoStart(7)", fields="number,short_description,state,type", limit=5)

Summarize: incident context, CI dependency impact, related incidents/problems/changes, recommended actions.

4. Create an Incident

Create a new incident with validated fields and appropriate defaults.

Progress checklist:

- [ ] Validate required fields are provided
- [ ] Suggest category from description
- [ ] Set appropriate defaults (state, priority)
- [ ] Create the incident
- [ ] Confirm creation with INC number

Validate required fields: short_description is mandatory. Confirm caller_id is provided.
Suggest category based on description keywords (see references/incident-fields.md).
Set defaults for missing fields:
- state: 1 (New)
- impact: 3 (Low) unless specified
- urgency: 3 (Low) unless specified
- priority is auto-calculated from impact x urgency

Create the incident:

create_record(table_name="incident", data={"short_description": "...", "description": "...", "caller_id": "...", "category": "...", "impact": "3", "urgency": "3", "cmdb_ci": "..."})

Confirm creation: return the INC number, priority, and link.

5. Bulk Analysis

Analyze incident trends — top categories, repeat offenders, SLA status.

Progress checklist:

- [ ] Pull recent incidents (7-30 day window)
- [ ] Group by category
- [ ] Identify repeat CIs (frequent flyers)
- [ ] Check SLA breaches
- [ ] Present trends and recommendations

Pull recent incidents:

list_records(table_name="incident", query="sys_created_on>=javascript:gs.daysAgoStart(30)^active=true", fields="number,category,cmdb_ci,priority,state,assignment_group,sla_due", limit=100, order_by="-sys_created_on")

Group by category — which categories generate the most incidents?

Identify repeat CIs — which CIs appear in multiple incidents?

list_records(table_name="incident", query="cmdb_ci=<frequent_ci_sys_id>^sys_created_on>=javascript:gs.daysAgoStart(30)", fields="number,short_description,priority,state", limit=20)

Check for SLA breaches:

list_records(table_name="incident", query="active=true^sla_due<javascript:gs.daysAgoEnd(0)", fields="number,short_description,priority,sla_due,assignment_group", limit=20)

Present: top incident categories, repeat-offender CIs, SLA breach count, recommendations for reducing incident volume.

Tips

The priority matrix is impact x urgency — see references/incident-fields.md for the full mapping.
Use active=true to filter out resolved/closed incidents. Closed incidents have state=7.
SLA fields (sla_due, made_sla) track whether response/resolution targets are met.
Assignment groups can be looked up: list_records(table_name="sys_user_group", query="nameLIKE<keyword>", fields="name,sys_id").
See references/incident-fields.md for encoded query patterns and field reference.

triaging-incidents

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

triaging-incidents

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Triaging ServiceNow Incidents

Workflows

1. List Recent Incidents

2. Triage a New Incident

3. Investigate an Incident

4. Create an Incident

5. Bulk Analysis

Tips

Similar Skills

Triaging ServiceNow Incidents

Workflows

1. List Recent Incidents

2. Triage a New Incident

3. Investigate an Incident

4. Create an Incident

5. Bulk Analysis

Tips

Similar Skills