Splunk Enterprise Security incident status in the Incident Review tab: has anyone used it in correspondence with the IR (Incident Response) life cycle?
Six Stages of Incident Response:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
I know that we can create a new status: http://docs.splunk.com/Documentation/ES/5.0.0/Admin/Customizenotables
But I would like to know if someone has leveraged it and gotten metrics from the Incident Review Audit page?