Investigating an incident
You’ve run individual audits; now string them together. This tutorial walks through a realistic scenario — reconstructing a Code Blue — using three audits in sequence plus an ad-hoc question when the menu doesn’t quite fit.
By the end you’ll have:
- Used the Incident status audit to anchor the timeline
- Used Recent notifications to see what fired and to whom
- Used Pending confirmations to spot recipients who didn’t acknowledge
- A pattern for follow-up questions when one answer surfaces the next
You will need:
- Claude Code (or another MCP client) connected to your team’s mcsinglewire instance
- A few minutes; this conversation runs longer than the per-audit tutorials
The scenario
Section titled “The scenario”It’s 14:17. Five minutes ago the cardiology floor’s Code Blue alarm fired. You weren’t watching the InformaCast console at the time. The ICU charge nurse asks you: “Did everyone we paged actually get it? Anyone not respond?”
You open Claude Code.
-
Anchor the timeline
Start with the incident itself:
/mcp__singlewire__incident_statusThe response gives you a list of currently-open incidents and incidents closed in the last 24 hours. You’re looking for the Code Blue:
Open incidents (1):• INC-20260509-141204 — "Code Blue / Cardiology Bay 4"opened: 2026-05-09 14:12:04site: Main-Campus / CardiologyRecently resolved (last 24h, 3):• INC-20260509-093011 — "Fire drill / B-Wing"closed: 2026-05-09 09:42:18 (33 min duration)• INC-20260508-160844 — "Severe weather / All sites"closed: 2026-05-08 17:04:11 ( 56 min)• INC-20260508-110002 — "Drill: Active threat / ED"closed: 2026-05-08 11:14:17 ( 14 min)Now you have the incident ID —
INC-20260509-141204— and the time window. The Code Blue is still open: nobody has formally cleared it. -
See what fired
Switch to the notification side:
/mcp__singlewire__recent_notifications hours=1You’re narrowing to the last hour because the incident opened five minutes ago and you want to see only the calls that belong to it. A truncated answer:
Notifications dispatched in the last hour (3):14:12:09 Scenario: "Code Blue Cardiology"Recipients: dist-list "Code-Blue-Responders" (28 users)+ IP speakers in zone "cardiology"Status: dispatched / 28 user notifications, 14 speaker activations14:12:34 Scenario: "Code Blue Cardiology — Escalation 1"Recipients: dist-list "Code-Blue-Backup" (12 users)Status: dispatched / 12 user notifications14:15:01 Scenario: "Code Blue Cardiology — Escalation 2"Recipients: dist-list "Code-Blue-Charge" (6 users)Status: dispatched / 6 user notificationsThree waves fired. The escalations triggered automatically because the first wave didn’t get acknowledged within the configured window. You now know what was sent; the question shifts to what came back.
-
Find the silence
/mcp__singlewire__pending_confirmationsThis sorts oldest-first, so the unanswered Code Blue notifications appear at the top:
Pending confirmations, oldest first (4):Sent 14:12:09 conf-id 4f1e22c9User: jsmith@hospital.example (Cardiology RN)Origin: Code Blue Cardiology (INC-20260509-141204)Escalation rule: notify Code-Blue-Backup after 25sStatus: timed out, escalated at 14:12:34Sent 14:12:09 conf-id 7c930a18User: blee@hospital.example (Cardiology RN)Origin: Code Blue Cardiology (INC-20260509-141204)Escalation rule: notify Code-Blue-Backup after 25sStatus: timed out, escalated at 14:12:34Sent 14:12:34 conf-id b248f7c1User: wcho@hospital.example (Cardiology Backup)Origin: Code Blue Cardiology — Escalation 1Escalation rule: notify Code-Blue-Charge after 25sStatus: timed out, escalated at 14:15:01Sent 14:15:01 conf-id e91a0b3dUser: rmalik@hospital.example (Charge nurse)Origin: Code Blue Cardiology — Escalation 2Escalation rule: (final tier; no further escalation)Status: pending (2m 16s elapsed)The picture clarifies fast:
- jsmith and blee on first call — both timed out (not unusual; they may have been responding in person rather than tapping the app).
- wcho on backup — also timed out.
- rmalik on final escalation — still pending. They haven’t acknowledged the page after 2 minutes 16 seconds.
That’s the answer the charge nurse asked for.
-
Drill into one user
The charge nurse wants to know whether
rmalikwas paged correctly or whether the system glitched. Drop the menu and ask plainly:For user rmalik@hospital.example, show their notification devicesand the last known activity on each.Claude looks up where notification devices live and pulls the answer:
rmalik@hospital.example has 2 notification devices:• iPhone (mobile app)Last activity: 2026-05-09 14:15:01 (delivery confirmed)• Desktop client (Mac)Last activity: 2026-05-09 13:48:22 (idle since lunch)The escalation reached the iPhone. Delivery confirmed, butacknowledgement not yet received.So the page got there. Either rmalik is on a procedure and physically unable to tap the app, or there’s a different problem to chase.
-
Settle it
You report back to the charge nurse with the timeline:
“Code Blue fired at 14:12. First wave hit jsmith and blee on Cardiology; both timed out at 14:12:34. Backup wave hit wcho — also timed out. Final escalation hit rmalik at 14:15 — phone received the page (delivery confirmed) but the ack hasn’t come back yet. They might just be hands-busy in the resus.”
That whole sequence — three audits plus one ad-hoc question — took under a minute and nobody had to open the InformaCast admin console. Every call is recorded if anyone needs to retrace your steps.
What’s next
Section titled “What’s next”- The pattern generalises: Anchor → Activity → Outliers → Drill in. Reach for the audits in the Activity & runtime state group that match the shape of your question; switch to plain English when the menu doesn’t quite fit.
- If your team runs this same triad often, it can be turned into a single audit that produces the combined report. Mention it to whoever maintains your mcsinglewire deployment.
- Built-in audits is the full catalogue of what’s already on the menu.
