Refer to the severity definition and SLA to determine the alert severity.
Alerts refer often to a specific cluster (mainnet/sepolia) and a specific network (op, mode, …. other usperchain networks) Alerts should already come with a specific log filtering and dashboard that should already be helpful for the investigation.
In the alert look at the function_name, and select the alert relative to the rule_name
Runbooks:
Global_Event: Security Council Safe Management
Global_Event: Pause Event Emitted
Global_Event: UnPause Event Emitted
Global_Event: Initialized-Upgrade Proxies