{
  "feature_names": [
    "raw_score",
    "enriched_score",
    "time_in_phase_minutes",
    "queue_depth_at_ingestion",
    "soar_playbook_triggered",
    "sla_breached_flag",
    "mttd_minutes",
    "mttr_minutes",
    "fatigue_score_at_alert",
    "enrichment_lift",
    "log_mttr",
    "log_mttd",
    "queue_pressure",
    "enrichment_per_minute",
    "is_high_confidence",
    "alert_severity_critical_confirmed",
    "alert_severity_duplicate_suppressed",
    "alert_severity_false_positive",
    "alert_severity_high_severity",
    "alert_severity_informational",
    "alert_severity_low_severity",
    "alert_severity_medium_severity",
    "alert_source_cspm_cloud_rule",
    "alert_source_edr_behavioural_engine",
    "alert_source_honeypot_trigger",
    "alert_source_itdr_identity_anomaly",
    "alert_source_nids_signature",
    "alert_source_siem_correlation_rule",
    "alert_source_threat_intel_ioc_match",
    "alert_source_ueba_user_anomaly",
    "mitre_tactic_collection",
    "mitre_tactic_command_and_control",
    "mitre_tactic_credential_access",
    "mitre_tactic_defense_evasion",
    "mitre_tactic_discovery",
    "mitre_tactic_execution",
    "mitre_tactic_exfiltration",
    "mitre_tactic_impact",
    "mitre_tactic_initial_access",
    "mitre_tactic_lateral_movement",
    "mitre_tactic_persistence",
    "mitre_tactic_privilege_escalation",
    "analyst_tier_L1_junior",
    "analyst_tier_L2_senior",
    "analyst_tier_L3_threat_hunter",
    "siem_platform_chronicle_google",
    "siem_platform_elastic_siem",
    "siem_platform_exabeam_fusion",
    "siem_platform_ibm_qradar",
    "siem_platform_logrhythm_axon",
    "siem_platform_microsoft_sentinel",
    "siem_platform_splunk_enterprise",
    "siem_platform_sumo_logic"
  ],
  "numeric_features": [
    "raw_score",
    "enriched_score",
    "time_in_phase_minutes",
    "queue_depth_at_ingestion",
    "soar_playbook_triggered",
    "sla_breached_flag",
    "mttd_minutes",
    "mttr_minutes",
    "fatigue_score_at_alert",
    "enrichment_lift",
    "log_mttr",
    "log_mttd",
    "queue_pressure",
    "enrichment_per_minute",
    "is_high_confidence"
  ],
  "categorical_levels": {
    "alert_severity": [
      "critical_confirmed",
      "duplicate_suppressed",
      "false_positive",
      "high_severity",
      "informational",
      "low_severity",
      "medium_severity"
    ],
    "alert_source": [
      "cspm_cloud_rule",
      "edr_behavioural_engine",
      "honeypot_trigger",
      "itdr_identity_anomaly",
      "nids_signature",
      "siem_correlation_rule",
      "threat_intel_ioc_match",
      "ueba_user_anomaly"
    ],
    "mitre_tactic": [
      "collection",
      "command_and_control",
      "credential_access",
      "defense_evasion",
      "discovery",
      "execution",
      "exfiltration",
      "impact",
      "initial_access",
      "lateral_movement",
      "persistence",
      "privilege_escalation"
    ],
    "analyst_tier": [
      "L1_junior",
      "L2_senior",
      "L3_threat_hunter"
    ],
    "siem_platform": [
      "chronicle_google",
      "elastic_siem",
      "exabeam_fusion",
      "ibm_qradar",
      "logrhythm_axon",
      "microsoft_sentinel",
      "splunk_enterprise",
      "sumo_logic"
    ]
  },
  "label_to_int": {
    "auto_resolved_soar": 0,
    "duplicate_merged": 1,
    "false_positive_closed": 2,
    "true_positive_remediated": 3,
    "true_positive_escalated": 4
  },
  "int_to_label": {
    "0": "auto_resolved_soar",
    "1": "duplicate_merged",
    "2": "false_positive_closed",
    "3": "true_positive_remediated",
    "4": "true_positive_escalated"
  },
  "oracle_excluded": [
    "alert_lifecycle_phase",
    "automation_resolved",
    "escalation_flag"
  ],
  "high_cardinality_excluded": [
    "mitre_technique_id",
    "detection_rule_id"
  ]
}