Hey all,
I can't see any built-in function to view/report on values like response time (e.g. time between alert being generated and time alert is set to acknowledged/closed).
I can see that alerts appear to have a signal.last.updated value but this does not differentiate between acknowledged/closed, and can of course be changed later if the case is reopened etc.
Ideally what I was hoping for was somewhere to pull the data on:
timestamp alert is generated
timestamp alert is set to acknowledged
timestamp alert is set to closed
Am I missing something or is this just not something that is logged currently in Elastic Security?
Thanks!
Taylor