Hi,
I have been looking into how to get an overview of the actions taken by a Security Analyst while using the Incidents view in Logpoint.
Therefore I have created this Search Query to get an overview of Incidents and Actions.
Repository to be searched on is _LogPoint
incident_id = * | chart count() by incident_id, log_ts, alert_id, status, action, user, alert_name, comment order by incident_id, log_ts asc
Hope this could be useful.
Best Regards,
Gustav