Tier 2 Support Investigation SOP
Standard procedure for Tier 2 support teams to gather data, reproduce issues, document findings, and coordinate resolution.
Steps
- Validate the escalation and open the investigation record
  The Tier 2 analyst verifies that the ticket is assigned to Tier 2, confirms the escalation reason, and opens or updates the investigation record. Record at minimum:
  - Incident or request ID
  - Affected user, service, or asset
  - Reported symptoms and impact
  - Time reported and current status
  - Escalation source and priority
  If required fields are missing, the analyst requests the missing information before proceeding.
- Collect the minimum investigation data set
  The Tier 2 analyst gathers the minimum data set needed to investigate the issue. Collect:
  - Exact error message or symptom description
  - Timestamp of the last known good state
  - User actions immediately before the issue occurred
  - Device, browser, application version, or environment details
  - Relevant logs, screenshots, or alert IDs
  - Recent changes, deployments, or configuration updates
  The analyst records each data point in the ticket and notes any gaps as a follow-up action.
- Assess severity and determine the investigation path
  The Tier 2 analyst evaluates impact, urgency, and business risk before continuing.
- Initiate containment and notify the appropriate stakeholders
  The Tier 2 analyst initiates approved containment actions and notifies the incident owner, resolver group, or on-call contact. Examples of containment actions:
  - Advise users to stop a known harmful action
  - Disable a faulty integration if authorized
  - Apply a temporary workaround from the knowledge base
  The analyst documents the action taken, the approval source if required, and the time of notification.
- Reproduce the issue in a controlled environment
  The Tier 2 analyst reproduces the issue using the reported steps, environment details, and available logs. The analyst:
  - Uses the same or equivalent user role, browser, device, or application version when possible
  - Repeats the reported steps one at a time
  - Captures the exact step where the failure occurs
  - Records whether the issue is reproducible, intermittent, or not reproducible
  The analyst stops reproduction if the activity could cause data loss, security exposure, or service disruption.
- Capture evidence and isolate likely causes
  The Tier 2 analyst captures evidence that supports the investigation. Capture:
  - Screenshots or screen recordings
  - Relevant log excerpts with timestamps
  - Error codes, request IDs, or correlation IDs
  - Configuration differences or recent change references
  - Any workaround behavior observed during reproduction
  The analyst compares the evidence against known issues, recent changes, and common failure patterns to isolate likely causes.
- Document findings and recommended next action
  The Tier 2 analyst documents the investigation in a concise, audit-ready format. Include:
  - Problem statement
  - Data collected
  - Reproduction method
  - Observed result
  - Likely cause or ruled-out causes
  - Workaround, if any
  - Recommended next action
  - Owner for the next action
  The analyst verifies that the notes are complete, objective, and traceable to the evidence.
- Escalate to the resolver group with complete handoff notes
  The Tier 2 analyst escalates the case to the correct resolver group when the issue requires deeper analysis, code changes, vendor support, or a change window. The handoff includes:
  - Summary of the issue and business impact
  - Steps already performed
  - Evidence collected
  - Reproduction status
  - Suspected component or failure domain
  - Urgency and any deadline constraints
  - Requested action from the resolver group
  The analyst confirms the escalation target and records the handoff time.
- Confirm resolution and close the investigation record
  The Tier 2 analyst confirms that the issue is resolved or that ownership has been transferred appropriately. Before closure, the analyst verifies:
  - The user or monitoring signal confirms recovery
  - The resolution matches the documented issue
  - Any workaround or preventive action is recorded
  - Follow-up tasks are assigned with owners and due dates
  The analyst closes the record only after the final status is documented and any required notifications are sent.