The ES App is currently configured to run a few correlation searches, and when notable events are created, those events can be assigned to an owner (Analyst 1) under the Incident Review dashboard for further investigation. At this point the incident is changed from "new" to "in progress". Let's say Analyst 1 is unable to resolve and close the incident. How can I assign the same incident to a different owner (Analyst 2) to perform a second-level investigation while capturing everything the first-level analyst did so far?
Secondly, is there a way to find out metrics about how long the first-level analyst took to resolve or re-assign the notable event to 2nd-level support, and also to find how long it took to resolve and close the notable events by both the 1st/2nd and 3rd-level security analysts?