Intelligent incident triage, prioritization, and assignment based on impact, urgency, and content analysis
This skill provides a structured approach to triaging ServiceNow incidents. It helps you:
When to use: When incidents need to be reviewed, prioritized, and assigned to the appropriate team.
itil or incident_manager

Query for active incidents that are unassigned or in "New" state.
Using MCP (Claude Code/Desktop):
```
Tool: SN-NL-Search
Parameters:
  table_name: incident
  query: "active high priority incidents where assigned to is empty"
  fields: number,short_description,description,impact,urgency,category,priority
  limit: 20
```
Using REST API:
```
GET /api/now/table/incident?sysparm_query=active=true^assigned_toISEMPTY^ORstate=1&sysparm_fields=sys_id,number,short_description,description,impact,urgency,category,priority&sysparm_limit=20
```
For each incident, analyze the content to determine:
Category Identification - Look for keywords:
Priority Validation - Verify Impact/Urgency matrix:
| Impact ↓ / Urgency → | High (1) | Medium (2) | Low (3) |
|---|---|---|---|
| High (1) | P1 | P2 | P3 |
| Medium (2) | P2 | P3 | P4 |
| Low (3) | P3 | P4 | P5 |
Map categories to assignment groups (customize for your organization):
| Category | Assignment Group | Notes |
|---|---|---|
| Network | Network Operations | Infrastructure team |
| Hardware | Desktop Support | On-site support |
| Software | Application Support | App-specific teams |
| Messaging Team | Exchange/O365 | |
| Security | Security Operations | Immediate attention |
| SAP/ERP | ERP Support | Business applications |
| Unknown | Service Desk L2 | General escalation |
Find assignment group sys_id:
```
Tool: SN-Query-Table
Parameters:
  table_name: sys_user_group
  query: name=Network Operations
  fields: sys_id,name
  limit: 1
```
Using MCP:
```
Tool: SN-Assign-Incident
Parameters:
  sys_id: [incident_sys_id]
  assignment_group: Network Operations
  work_notes: "Triage: Assigned to Network Operations based on keyword analysis (VPN connectivity issue). Priority validated as P2 per impact/urgency matrix."
```
Using REST API:
```
PATCH /api/now/table/incident/{sys_id}
Content-Type: application/json

{
  "assignment_group": "[group_sys_id]",
  "work_notes": "Triage: Assigned to Network Operations..."
}
```
Add comprehensive work notes explaining the triage decision:
```
Tool: SN-Add-Work-Notes
Parameters:
  sys_id: [incident_sys_id]
  work_notes: |
    === TRIAGE ANALYSIS ===
    Analyst: [Your name or AI Triage]
    Time: [Current timestamp]
    Category: Network
    Keywords detected: VPN, connectivity
    Priority Assessment:
    - Impact: 2 (Medium) - Single user affected
    - Urgency: 1 (High) - User cannot work
    - Calculated Priority: P2
    Assignment: Network Operations
    Rationale: VPN connectivity issues are handled by Network Ops per routing rules
    Next Steps: Network team to investigate VPN tunnel status
```
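The priority validation and category routing steps above, combined into one function that builds the PATCH request; this is an added example, not part of the original skill. The function names and placeholder sys_ids are assumptions, the sample incident is constructed, and a priority mismatch is only recorded in the work notes, not written back to the record.

```python
# Added example: constants transcribed from the tables above; sample data is constructed.
PRIORITY_MATRIX = {  # (impact, urgency) -> priority
    (1, 1): 1, (1, 2): 2, (1, 3): 3,
    (2, 1): 2, (2, 2): 3, (2, 3): 4,
    (3, 1): 3, (3, 2): 4, (3, 3): 5,
}
ROUTING = {  # category -> assignment group (the row with no category cell is omitted)
    "network": "Network Operations",
    "hardware": "Desktop Support",
    "software": "Application Support",
    "security": "Security Operations",
    "sap/erp": "ERP Support",
}
FALLBACK_GROUP = "Service Desk L2"  # the "Unknown" row


def matrix_priority(impact, urgency):
    """Priority per the matrix, or None if either field is missing or out of range."""
    try:
        return PRIORITY_MATRIX.get((int(impact), int(urgency)))
    except (TypeError, ValueError):
        return None


def build_assignment(incident, group_sys_ids):
    """Return (path, json_body) for the PATCH request that assigns one incident."""
    category = (incident.get("category") or "").strip().lower()
    group = ROUTING.get(category, FALLBACK_GROUP)
    if group not in group_sys_ids:
        # Group names must match sys_user_group exactly; fail rather than guess.
        raise LookupError(f"no sys_id known for assignment group {group!r}")
    expected = matrix_priority(incident.get("impact"), incident.get("urgency"))
    recorded = incident.get("priority")
    if expected is None:
        verdict = "Priority not validated: impact/urgency missing or out of range."
    elif str(recorded) == str(expected):
        verdict = f"Priority validated as P{expected} per impact/urgency matrix."
    else:
        verdict = f"Priority mismatch: record has P{recorded}, matrix gives P{expected}."
    body = {
        "assignment_group": group_sys_ids[group],
        "work_notes": f"Triage: Assigned to {group} (category: {category or 'unknown'}). {verdict}",
    }
    return f"/api/now/table/incident/{incident['sys_id']}", body


# Constructed sample: the Table API returns field values as strings.
SAMPLE = {"sys_id": "SYS_ID_PLACEHOLDER", "category": "Network",
          "impact": "2", "urgency": "1", "priority": "4"}
GROUPS = {"Network Operations": "GROUP_SYS_ID_PLACEHOLDER"}
```
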
| Tool | When to Use |
|---|---|
| SN-NL-Search | Natural language queries for incidents |
| SN-Query-Table | Structured queries for groups, users |
| SN-Assign-Incident | Assign with group and work notes |
| SN-Update-Record | Update priority, category, other fields |
| SN-Add-Work-Notes | Document triage decisions |

| Endpoint | Method | Purpose |
|---|---|---|
| /api/now/table/incident | GET | Query incidents |
| /api/now/table/incident/{sys_id} | PATCH | Update incident |
| /api/now/table/sys_user_group | GET | Find assignment groups |
Cause: Query too restrictive or no unassigned incidents exist
Solution: Broaden the query or check different states
Cause: Group name doesn't match exactly
Solution: Query sys_user_group with LIKE operator: nameLIKENetwork
Cause: Missing itil role or incident is in read-only state
Solution: Verify roles; check if incident is closed or cancelled
Input: Incident INC0012345 - "Cannot connect to VPN from home"
Analysis:
Action:
```
Tool: SN-Assign-Incident
Parameters:
  sys_id: abc123...
  assignment_group: Network Operations
  work_notes: "Triage: VPN connectivity issue assigned to Network Ops. P2 priority."
```
Input: Incident INC0012346 - "Suspicious email with attachment clicked"
Analysis:
Action:
- itsm/incident-lifecycle - Full incident management
- itsm/major-incident - Major incident handling
- itsm/problem-analysis - Finding root causes
- security/incident-response - Security-specific triage