When it comes to the Elastic Stack, it has great functionality for specific detections triggered by well-tuned rules, but security analysts struggle when it comes to generic checks, like: if I have a phishing-related public IP that hosts malware and I want to see the list of source.ip and user.name values that started a communication towards this IP, neither in the timeline nor in the Discover panel can I see the unique number of source.ip values, since I would have to scroll down through pages and might miss something. Even the unique values in the left panel of the Discover page won't be enough.
My question is: is there a way to do this apart from creating an aggregation (more queries and time-consuming)? Would such a feature be in future releases? Why isn't it present in the SIEM app up till now?
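As an added example (not part of the original post), the aggregation the post mentions, written as an Elasticsearch `_search` body on ECS fields plus a helper that flattens the nested buckets into source.ip / user.name rows. It assumes the suspicious IP is stored in `destination.ip`, the standard `terms` aggregation response shape, and the sample response below is constructed.

```python
import ipaddress

# Assumed ECS field names: destination.ip, source.ip, user.name, @timestamp.
def build_query(dest_ip: str, since: str = "now-30d", max_sources: int = 1000) -> dict:
    """Build the _search body: filter events to one destination IP, then bucket
    by source.ip and, within each source, by user.name (size 0: no raw hits)."""
    ipaddress.ip_address(dest_ip)  # reject anything that is not a literal IP
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"destination.ip": dest_ip}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "aggs": {"by_source": {
            "terms": {"field": "source.ip", "size": max_sources},
            "aggs": {"by_user": {"terms": {"field": "user.name", "size": 100}}},
        }},
    }

def flatten(response: dict) -> list:
    """Turn nested buckets into (source.ip, user.name, event_count) rows; a source
    whose events carry no user.name still yields a row (user '') so it is not lost."""
    rows = []
    for src in response["aggregations"]["by_source"]["buckets"]:
        users = src["by_user"]["buckets"]
        if not users:
            rows.append((src["key"], "", src["doc_count"]))
        for usr in users:
            rows.append((src["key"], usr["key"], usr["doc_count"]))
    return sorted(rows)

# Constructed sample response (private-range and RFC 5737 addresses), not real data.
SAMPLE_RESPONSE = {
    "aggregations": {"by_source": {"buckets": [
        {"key": "10.0.0.5", "doc_count": 7,
         "by_user": {"buckets": [{"key": "alice", "doc_count": 4},
                                 {"key": "bob", "doc_count": 3}]}},
        {"key": "10.0.0.9", "doc_count": 2, "by_user": {"buckets": []}},
    ]}}
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_query("203.0.113.10"), indent=2))
    for src, user, n in flatten(SAMPLE_RESPONSE):
        print(f"{src:15} {user or '<no user.name>':15} {n}")
```

The `terms` buckets are approximate beyond `shard_size`; for an exact list of sources talking to one IP, keep `size` above the expected cardinality or page with a `composite` aggregation.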