1  �

 2  ��i��
���Udd
lm
Z

ddlmZ
eddddgd�
gd�
d	gd
 3  �
gd�
d�
�
 4  eddddgd�
gd�
dgd�
gd�
d�
�
 5  eddddgd�
gd�
dgd�
gd�
d �
�
 6  d!�Zd"ed#<d'd$�Zd(d%�Zy&))�)
�annotations)
�IncidentRequestz
INC-EDGE-2048zRotterdam Edge Fabric - Plant 4zIndustrial Automation�critical)z9TLS certificate expiry < 36h on edge-gw-17 and edge-gw-18z@Southbound OPC-UA packet loss sustained at 18-24% for 11 minutesz-Historian ingestion lag breached 4 minute SLOz.PLC heartbeat jitter exceeded baseline by 320%)z�2026-03-21T19:02:11Z edge-gw-17 envoy[883]: upstream connect error or disconnect/reset before headers. reset reason: tls cert expired soonzp2026-03-21T19:03:08Z edge-gw-18 cert-agent: renewal attempt failed: ACME directory timeout via proxy egress-fw-2ze2026-03-21T19:04:41Z plant-switch-3 netmon: packet_loss=22.8% vlan=442 path=edge-gw-17->plc-segment-azn2026-03-21T19:05:12Z historian-sync: backlog=78412 writes delayed due to intermittent gateway acknowledgementsz�Two redundant edge gateways front 84 PLCs and forward telemetry to the regional historian over a constrained MPLS path through egress-fw-2.)z
 7  edge-gw-17z
 8  edge-gw-18zegress-fw-2zplant-switch-3zregional-historian-eu-westzPLC segment A (84 controllers))z,Fail over traffic between redundant gatewaysz)Restart local certificate renewal sidecarz'Open network incident with WAN providerz)Pause non-essential telemetry replicationz/Escalate to OT platform and network engineeringzmReturn concise executive-safe JSON for OT leadership. Do not invent actions outside the allowed_actions list.)
 9  �incident_id�site�
business_unit�severity�alerts�logs�topology_summary�known_assets�allowed_actions�output_schema_instructionszINC-SOC-9917zUS-East Corporate CloudzSecurity Operations)zHPrivileged IAM token used from impossible-travel source within 6 minuteszCEDR lateral movement analytic triggered across 3 Windows jump hostsz@Kerberos service ticket request volume spiked 14x above baselinez2MFA fatigue report opened by finance administrator)zr2026-03-21T18:47:06Z iam-audit: principal=svc-fin-admin action=GenerateAccessToken src_ip=185.91.214.33 geo=Warsawz|2026-03-21T18:50:44Z ad-dc-02 security: EventID=4769 unusually high TGS requests account=svc-fin-admin client=jump-us-east-3zq2026-03-21T18:51:19Z edr jump-us-east-2: remote service creation detected parent=psexec.exe target=jump-us-east-3zb2026-03-21T18:53:02Z mfa-portal: user=jane.holt approved=0 denied=9 report='repeated push prompts'zwFinance admin tooling is segmented behind three Windows jump hosts, federated IAM, and a hybrid Active Directory trust.)z
svc-fin-adminzjump-us-east-2zjump-us-east-3zad-dc-02zfinance-admin-portalziam-federation-prod)z%Disable compromised service principalz,Isolate affected jump hosts from the networkzForce credential rotationz%Invalidate active sessions and tokensz:Escalate to SOC incident response and identity engineeringzcAssume this may be an active intrusion. Keep language board-safe and avoid speculative attribution.zINC-SUP-4473zGlobal SaaS Control PlanezPremium Customer Support�high)z4Premium tenant SLA burn rate exceeded 3.4x thresholdzATelemetry anomaly detected in workflow orchestration success ratez;Customer escalation opened for delayed case synchronizationz>Support queue backlog for platinum tier crossed 210 open items)zU2026-03-21T17:15:10Z workflow-api: tenant=blueharbor status=202 sync_job lag=00:18:14zo2026-03-21T17:16:28Z telemetry-analyzer: anomaly score=0.93 service=orchestration-router metric=completion_ratez�2026-03-21T17:18:09Z support-escalation: account=BlueHarbor contact='VP Operations' issue='case sync delay causing missed callbacks'zN2026-03-21T17:20:55Z queue-manager: platinum_backlog=217 regional_skew=us-eastz�Premium support case synchronization depends on the orchestration router, event bus, and CRM sync workers in us-east with follow-on replication to regional queues.)zworkflow-apizorchestration-routerzcrm-sync-worker-us-eastzevent-bus-premiumzsupport-queue-us-eastzBlueHarbor premium tenant)zThrottle low-priority sync jobszScale CRM sync workersz Reroute premium queue processingz$Issue customer communications updatez'Escalate to support engineering and SREzPFocus on SLA recovery and customer impact containment. Keep the summary concise.)�
10  industrial�soc�supportzdict[str, IncidentRequest]�	SCENARIOSc

��	t|S#t$r5}
d
jtt�
�
}t	d|�d|���
|
�d}
~
w
wxYw
)Nz, zUnknown scenario 'z'. Expected one of: )r�KeyError�join�sorted�
11  ValueError)�name�exc�valids   �app/incident_samples.py�get_incidentr�sT��Z
�������Z
��	�	�&��+�,���-�d�V�3G��w�O�P�VY�Y��Z
�s��	A	�0A�A	c
� �t
t�
S)
N)rr��r�scenario_namesr"�s
���)��r!N)r�str�returnr)r$z	list[str])�
12  __future__r�app.schemasrr�__annotations__rr"r r!r�<module>r(
s��


�"�'�"�#�
.�-��
13  �
14  �

J
�
15  �
16  �

0�K
(�R
�"�
&�+��
17  �
18  �

3�
19  �
20  �

'�K
(�R
�"�
(�0��
21  �
22  �

]
�
23  �
24  �
_
�K
'�g{
)�	�%�{

�|
Z
�

r!