https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/querying-users-who-changed-incident-status-to-quot-action/m-p/1228483#M186 <P class="" data-start="197" data-end="205">Hi Team,</P> <P class="" data-start="207" data-end="509">We have a process where a user works on an incident and updates its status to <STRONG data-start="285" data-end="306">"Action Required"</STRONG> for further investigation. While we can see the identity of the user who made this change in the <STRONG data-start="404" data-end="416">Timeline</STRONG> tab of each incident, reviewing this individually for <STRONG data-start="471" data-end="492">500–800 incidents</STRONG> is not feasible.</P> <P class="" data-start="511" data-end="709">We would like to know if there is a way to <STRONG data-start="554" data-end="581">filter or export a list</STRONG> of incidents along with the users who changed the status to <STRONG data-start="642" data-end="663">"Action Required"</STRONG>, ideally through a query or report in XSIAM.</P> <P class="" data-start="711" data-end="835">Is there a method (e.g., using XQL, audit logs, or another feature) that can help us <STRONG data-start="796" data-end="834">retrieve this information at scale</STRONG>?</P> <P class="" data-start="837" data-end="861"><BR />Thank you<BR /><BR /></P> Thu, 08 May 2025 12:38:17 GMT AvinashAddala 2025-05-08T12:38:17Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/querying-users-who-changed-incident-status-to-quot-action/m-p/1228483#M186 <P class="" data-start="197" data-end="205">Hi Team,</P> <P class="" data-start="207" data-end="509">We have a process where a user works on an incident and updates its status to <STRONG data-start="285" data-end="306">"Action Required"</STRONG> for further investigation. While we can see the identity of the user who made this change in the <STRONG data-start="404" data-end="416">Timeline</STRONG> tab of each incident, reviewing this individually for <STRONG data-start="471" data-end="492">500–800 incidents</STRONG> is not feasible.</P> <P class="" data-start="511" data-end="709">We would like to know if there is a way to <STRONG data-start="554" data-end="581">filter or export a list</STRONG> of incidents along with the users who changed the status to <STRONG data-start="642" data-end="663">"Action Required"</STRONG>, ideally through a query or report in XSIAM.</P> <P class="" data-start="711" data-end="835">Is there a method (e.g., using XQL, audit logs, or another feature) that can help us <STRONG data-start="796" data-end="834">retrieve this information at scale</STRONG>?</P> <P class="" data-start="837" data-end="861"><BR />Thank you<BR /><BR /></P> Thu, 08 May 2025 12:38:17 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/querying-users-who-changed-incident-status-to-quot-action/m-p/1228483#M186 AvinashAddala 2025-05-08T12:38:17Z