[Security Feature][Feature Request] Add the active user to the signal event when marking an alert as closed, open, or acknowledged #123444

Open

Description

Describe the feature:
When an analyst changes the state of a detection alert, the alert should show which Kibana user changed the state of the alert. This value should be added to a list field within the alert stored on the .siem-signals-* index. This field should contain all of the previous state changes that were made to the rule so that during an audit it can be easily seen when and by whom any changes were made to the alert. This status should also include actions such as add to case. At this time there are only the signal.status and the kibana.alert.workflow_status fields in the index, and they only display open, closed, and acknowledged.

Describe a specific use case for the feature:

  • When conducting an audit of the previous month's alerts, the auditor can see the full history of the alert workflow and can generate metrics and dashboards using this information.
  • By adding the values to the alerts in the .siem-signals-* index we can create automations using this information. For example, we could create an automation that regularly queries the workflow update fields for newly updated alert status and then uses the username values to automatically update third-party applications such as Slack or theHive with the information and assign tasks directly to the individual that acknowledged, closed, or opened the alert.
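The following is an added example, not code from Kibana or Elastic, that models what the request above asks for: a per-alert audit list that records who changed the workflow status and when, an Elasticsearch `_update` body that would append the same entry server-side, and a poller (the second use case) that collects entries newer than the last run, grouped by user, ready to hand to a notification integration. The history field name `kibana.alert.workflow_history` is hypothetical, the alert documents are constructed, and the dotted keys assume a flattened document source for illustration.

```python
"""Constructed model of an alert workflow audit trail (example code, not Kibana's).

Assumptions (not part of the Kibana signals schema):
  * history lives in a hypothetical list field `kibana.alert.workflow_history`
  * alert documents are flattened, i.e. keys like "signal.status" are literal
"""
from __future__ import annotations

import copy
from datetime import datetime, timezone

VALID_STATUSES = {"open", "closed", "acknowledged"}  # the statuses the page names
HISTORY_FIELD = "kibana.alert.workflow_history"       # hypothetical field name


def apply_status_change(alert: dict, new_status: str, user: str,
                        action: str | None = None,
                        now: datetime | None = None) -> dict:
    """Return a copy of `alert` with its status updated and an audit entry appended.

    The input is not mutated, so a failed write can be retried from the original.
    `action` lets non-status events (e.g. "add_to_case") share the same trail.
    """
    if new_status not in VALID_STATUSES:
        raise ValueError(f"unknown workflow status {new_status!r}")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    updated = copy.deepcopy(alert)
    entry = {
        "@timestamp": ts,
        "user.name": user,
        "action": action or f"set_status_{new_status}",
        "from": updated.get("kibana.alert.workflow_status"),
        "to": new_status,
    }
    updated["signal.status"] = new_status
    updated["kibana.alert.workflow_status"] = new_status
    updated.setdefault(HISTORY_FIELD, []).append(entry)
    return updated


def build_update_body(new_status: str, user: str, ts: str,
                      action: str | None = None) -> dict:
    """Build an Elasticsearch `_update` request body doing the same append in Painless.

    Parameters are passed via `params` rather than interpolated into the script so
    user-controlled values (the user name, the action) can never alter the script.
    """
    if new_status not in VALID_STATUSES:
        raise ValueError(f"unknown workflow status {new_status!r}")
    source = (
        "if (ctx._source[params.history] == null) { ctx._source[params.history] = []; } "
        "ctx._source[params.history].add(['@timestamp': params.ts, 'user.name': params.user, "
        "'action': params.action, 'from': ctx._source['kibana.alert.workflow_status'], "
        "'to': params.status]); "
        "ctx._source['signal.status'] = params.status; "
        "ctx._source['kibana.alert.workflow_status'] = params.status;"
    )
    return {"script": {"lang": "painless", "source": source, "params": {
        "history": HISTORY_FIELD, "ts": ts, "user": user,
        "action": action or f"set_status_{new_status}", "status": new_status}}}


def changes_since(alerts: list[dict], watermark: datetime) -> dict[str, list[dict]]:
    """Second use case: collect audit entries newer than `watermark`, keyed by user.

    The caller persists the newest timestamp it saw as the next watermark, so each
    change is forwarded (to Slack, TheHive, ...) exactly once.
    """
    by_user: dict[str, list[dict]] = {}
    for alert in alerts:
        for entry in alert.get(HISTORY_FIELD, []):
            if datetime.fromisoformat(entry["@timestamp"]) > watermark:
                by_user.setdefault(entry["user.name"], []).append(
                    {"alert_id": alert.get("_id"), "action": entry["action"], "to": entry["to"]})
    return by_user


if __name__ == "__main__":
    # Constructed alert document, not a real signal
    alert = {"_id": "sig-1", "signal.status": "open", "kibana.alert.workflow_status": "open"}
    t1 = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 2, 10, 0, tzinfo=timezone.utc)
    alert = apply_status_change(alert, "acknowledged", "analyst_a", now=t1)
    alert = apply_status_change(alert, "closed", "analyst_b", now=t2)
    for e in alert[HISTORY_FIELD]:
        print(f"{e['@timestamp']}  {e['user.name']:10}  {e['from']} -> {e['to']}")
    print(changes_since([alert], t1))  # only analyst_b's change is newer than t1
```

Each function returns its result so the caller decides what to do with it: `apply_status_change` is what a Kibana-side handler would compute, `build_update_body` is what it would send to the index, and `changes_since` is the poller's output, which the audit use case can also feed straight into a dashboard.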

Labels


  • 8.11 candidate
  • Feature:Detection Alerts (Security Solution Detection Alerts Feature)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Engine (Security Solution Detection Engine Area)
  • Team:Detections and Resp (Security Detection Response Team)
  • Team:ResponseOps (Label for the ResponseOps team, formerly the Cases and Alerting teams)
  • Theme: rac (label obsolete)
  • enhancement (New value added to drive a business result)