L1 // HOW IT WORKS

TRIAGE CONSOLE WALKTHROUGH


A full walkthrough of the Engineer Triage Console — how signals enter, how Copilot processes them, and how a tech moves a ticket from queue to resolved without logging into a single tool.

$ ~/krawczyk.city/platform/l1 copilot docs --page howto --section walkthrough
01 // DIAGRAM

Signal Flow — Source to Resolution

SOURCES
  📡 RMM: NinjaRMM
  🛡️ EDR: SentinelOne
  🔎 SIEM: Azure Sentinel
  🧾 PSA: ConnectWise
      │
      ▼
🤖 COPILOT ENGINE  [AUTO]
  Signal Aggregation + AI Analysis
  Ingests all tool signals, correlates context, scores severity, and drafts a recommended action before it ever reaches the engineer.
      │  SURFACES TO ENGINEER
      ▼
👤 L1 // YOU ARE HERE  [HUMAN GATE]
  Engineer Triage Console
  Engineer reviews Copilot's recommendation, approves or modifies it, and fires the action. No direct tool access. One click dispatches intent downstream.
      │  INTENT DISPATCH
      ▼
🧠 L2 // CONTROL PLANE  [AUTO]
  AI Decision Logic + Workflow Engine
  Receives the dispatched intent, selects the correct runbook or automation, and routes the task to the right integration layer.
      │  TASK ROUTING
      ▼
🔌 L3 // ORCHESTRATION  [AUTO]
  API Integrations + RMM + Ticketing
  Translates the routed task into tool-specific API calls. Manages sequencing and error handling across NinjaRMM, ConnectWise, Intune, Mimecast, and more.
      │  EXECUTION DISPATCH
      ▼
💻 L4 // EXECUTION  [AUTO]
  PowerShell + Azure + Security Tools
  Scripts run, policies apply, devices remediate, evidence is captured. Results bubble back up and the ticket closes with a full audit trail.

02 // WALKTHROUGH

Step-by-Step — What the Engineer Actually Does

01  SIGNALS IN // BACKGROUND
Tools Fire Alerts Automatically
Before the engineer opens the console, the underlying stack is already working. RMM agents, EDR sensors, SIEM rules, and PSA automation are continuously generating signals. The engineer never monitors these directly — Copilot does.
NinjaRMM alerts · SentinelOne detections · Azure Sentinel rules · CW ticket creation · Mimecast blocks

02  COPILOT // AUTO-ANALYSIS
Copilot Aggregates, Correlates, and Scores
Copilot ingests all incoming signals, cross-references tool data, assigns severity, and drafts a plain-language recommendation with a proposed action. By the time anything appears in the console, Copilot has already done the diagnostic work.
EXAMPLE ▸ "SentinelOne confirms process injection on explorer.exe on ACME-WS-04. Huntress case auto-opened. Recommend full isolation and snapshot before remediation. Dispatch IR runbook to L4?"

03  L1 // ENGINEER ACTION
Engineer Opens the Triage Queue
The engineer opens the console to the TRIAGE view. Items are sorted by severity — Critical and High at the top. Each card shows the client, affected system, Copilot's finding, and the recommended action. The engineer reads the Copilot bar, not a raw alert feed.
CRITICAL — ransomware behavior · HIGH — MFA gap · HIGH — agents offline · MEDIUM — disk full · LOW — onboarding

04  L1 // DECISION GATE
Engineer Reviews and Approves — or Overrides
The engineer reads Copilot's recommendation and clicks one of the action buttons. They can approve the suggested action, choose an alternative, request more detail, or skip and defer. This is the only human touchpoint in the entire workflow. No tool logins. No context switching.
KEY POINT ▸ The engineer is a decision-maker, not an operator. Copilot has already done the diagnosis. The human gate exists for accountability and edge-case judgment — not routine execution.

05  L1 → L2 // INTENT DISPATCH
Approved Action Dispatches as Intent
When the engineer clicks a button, the action is sent down as structured intent — not a raw command. It travels from L1 to L2 where the Control Plane selects the correct runbook or automation sequence and begins routing.
Confirm Isolate → IR runbook selected · Push Enrollment → Duo + CA policy flow · WoL + Restart RPC → NinjaRMM task

06  L2 → L3 → L4 // EXECUTION
The Stack Executes — Ticket Moves to In-Flight
L2 routes the task through L3's integrations into L4 execution. Scripts run, API calls fire, policies apply. The ticket automatically moves from TRIAGE to IN-FLIGHT. The engineer can monitor progress in plain language — no log files, no tool dashboards.
EXAMPLE ▸ "Step 4 of 7 — collecting event logs from 3 affected endpoints. SIEM correlation query running. ETA ~8 min. No further action needed unless escalation requested."

07  RESOLUTION // CLOSED LOOP
Ticket Closes With Evidence — Audit Trail Complete
When execution completes, the ticket auto-closes and moves to RESOLVED. Copilot writes a plain-language summary of what was done, what tools were involved, and what changed. Evidence is logged to the compliance record automatically — before the engineer closes the tab.
Auto-close on success · Evidence snapshot saved · CMMC / compliance log updated · CW ticket updated · Reopen available

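The diagram's four layers and walkthrough steps 05 through 07 (intent dispatch, routing, execution, closed-loop resolution), modelled as an added Python example. This is not code from the Engineer Triage Console or the krawczyk.city platform; the runbook ids, step names, ticket fields and the simulated executor are constructed assumptions. It shows what L2 has to check at the human gate before anything routes: the intent carries an approving engineer, names an allow-listed runbook rather than a raw command, and targets exactly the host Copilot surfaced. Every accept, reject, step and close is appended to the ticket's audit trail, and a failed step halts without auto-closing.

```python
"""Model of the L1 -> L2 -> L3 -> L4 flow: a structured intent passes the human gate,
L2 maps it onto an allow-listed runbook, L3/L4 execute the steps, and every hop is
written to the ticket's audit trail. Added example; all names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
import json
import time

# Allow-list of runbooks L2 may select (hypothetical ids and step names, modelled on
# the walkthrough's "Confirm Isolate", "Push Enrollment" and "WoL + Restart RPC").
# An intent names a key here; it never carries a script body or a raw command.
RUNBOOKS: Dict[str, Tuple[str, List[str]]] = {
    "isolate_host":    ("IR-ISOLATE",  ["snapshot_vm", "isolate_endpoint", "collect_event_logs"]),
    "push_enrollment": ("MFA-ENROLL",  ["duo_enroll", "apply_ca_policy"]),
    "wol_restart":     ("RMM-RESTART", ["wake_on_lan", "restart_rpc"]),
}


@dataclass(frozen=True)
class Finding:
    """What Copilot surfaces on a triage card (steps 02 and 03)."""
    ticket_id: str
    client: str
    host: str
    severity: str
    summary: str
    recommended: str          # a RUNBOOKS key


@dataclass(frozen=True)
class Intent:
    """What the engineer's button click sends from L1 to L2 (step 05)."""
    ticket_id: str
    action: str               # a RUNBOOKS key, chosen or overridden by the engineer
    target: str               # must equal the finding's host
    approved_by: str          # engineer identity captured at the human gate


@dataclass
class Ticket:
    finding: Finding
    state: str = "TRIAGE"
    audit: List[dict] = field(default_factory=list)

    def log(self, event: str, **detail) -> None:
        self.audit.append({"ts": time.time(), "ticket": self.finding.ticket_id,
                           "event": event, **detail})


# L3/L4 stand-in: (step name, host) -> success. A real executor would make the tool
# API call or run the script; this constructed one always succeeds.
Executor = Callable[[str, str], bool]


def simulated_executor(step: str, host: str) -> bool:
    return True


def review_intent(ticket: Ticket, intent: Intent) -> str:
    """Gate checks L2 performs before anything is routed. Returns "" when the intent
    is acceptable, otherwise the reason it is rejected."""
    f = ticket.finding
    if ticket.state != "TRIAGE":
        return f"ticket is {ticket.state}, not in triage"
    if not intent.approved_by:                       # human gate: no anonymous dispatch
        return "no approving engineer identity (human gate)"
    if intent.ticket_id != f.ticket_id or intent.target != f.host:
        return "intent does not match the surfaced finding"   # the UI cannot retarget it
    if intent.action not in RUNBOOKS:                # raw commands are refused at L2, not L4
        return f"{intent.action!r} is not an allow-listed runbook"
    return ""


def dispatch(ticket: Ticket, intent: Intent, execute: Executor = simulated_executor) -> Ticket:
    """L2 control plane: validate the intent, select the runbook, drive execution."""
    f = ticket.finding
    reason = review_intent(ticket, intent)
    if reason:
        ticket.log("reject", actor=intent.approved_by, action=intent.action, reason=reason)
        raise ValueError(reason)
    runbook_id, steps = RUNBOOKS[intent.action]
    ticket.log("dispatch", actor=intent.approved_by, action=intent.action,
               runbook=runbook_id, override=intent.action != f.recommended)
    ticket.state = "IN-FLIGHT"
    for n, step in enumerate(steps, 1):
        ok = execute(step, f.host)
        ticket.log("step", n=n, of=len(steps), step=step, ok=ok)
        if not ok:                                   # nothing auto-closes on error
            ticket.state = "FAILED"
            ticket.log("halt", reason=f"{step} failed", reopen=True)
            return ticket
    ticket.state = "RESOLVED"                        # auto-close on success; evidence already logged
    ticket.log("close", summary=f"{runbook_id} completed on {f.host} in {len(steps)} steps")
    return ticket


def demo() -> Ticket:
    # Constructed sample finding, modelled on the step 02 example card.
    finding = Finding("T-1001", "ACME", "ACME-WS-04", "CRITICAL",
                      "process injection on explorer.exe", recommended="isolate_host")
    intent = Intent("T-1001", "isolate_host", "ACME-WS-04", approved_by="engineer@example")
    return dispatch(Ticket(finding), intent)


if __name__ == "__main__":
    for entry in demo().audit:
        print(json.dumps(entry))
```

Running the file prints the audit entries as JSON lines, one per hop. The reason `review_intent` sits at L2 rather than in the execution layer is the property the page describes as "structured intent, not a raw command": an approval from the console can only ever express one of the runbook keys, against the host already on the card, so a misused or compromised console session cannot turn into arbitrary execution downstream. Rejections are logged alongside dispatches, which is what an audit trail needs when an override or a denied action is later questioned.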
03 // PRINCIPLES

Why It Works This Way

🚫 No Direct Tool Access
The engineer never logs into NinjaRMM, SentinelOne, Intune, or any other tool to resolve a ticket. Every action flows through Copilot and the stack. This eliminates context switching and tribal knowledge dependency.

🧠 Copilot Does the Diagnosis
By the time a ticket reaches the engineer, Copilot has already correlated the signals, identified the root cause, and drafted a recommendation. The engineer makes decisions — not investigations.

👤 Human Gate for Accountability
The engineer's approval is the only manual step. This keeps a human in the loop for compliance and edge cases without slowing down routine remediation.

📋 Full Audit Trail, Automatically
Every action dispatched, every step executed, and every outcome is logged with a compliance snapshot. No manual documentation. Evidence exists before the engineer closes the tab.