When investigating some of the more advanced practice cases, primarily those classified as Incident Responder alerts, it would be very helpful to be able to export a selection of logs or Endpoint Security “activity” entries (Process Activity/Network Activity/etc.) to a CSV.
Nearly every SIEM or EDR tool on the marketplace allows you to do this, so it replicates real-world investigation steps. It would also allow for “offline” workflows such as working with this CSV data in Excel/Timeline Explorer/Jupyter Notebooks.
Alternatively, but probably a bigger ask, if the data in the Endpoint Security module was available to query in the Log Management tool, that would also be helpful, as you could do filtering on the data. Taking this approach would reflect best practices of having all your logs/data in a centralized location and the Endpoint Security tool could be used primarily for initiating connections to machines for more in-depth investigations.
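As an added illustration of the “offline” workflow the request describes (this is example code, not part of the original post and not anything the platform itself provides), the script below takes two constructed CSV exports, one of Process Activity and one of Network Activity, normalises them into a single record shape, merges them into one time-ordered timeline, filters it to a host of interest, and writes the result back out as CSV for Excel or Timeline Explorer. The column names in the sample CSVs (`timestamp`, `hostname`, `pid`, `image`, `command_line`, `parent_image`, `remote_ip`, `remote_port`) are assumptions made for the example, not any vendor's real export schema; the hostnames, PIDs and IP addresses are constructed sample data.

```python
"""Offline triage of exported EDR "activity" entries (added example).

Column names and sample rows below are constructed for illustration;
they do not reflect any real product's export format.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export of Process Activity (not real EDR data).
PROCESS_CSV = """timestamp,hostname,pid,image,command_line,parent_image
2024-03-01T10:00:05Z,WS-01,4120,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami,C:\\Program Files\\Office\\winword.exe
2024-03-01T10:00:01Z,WS-01,3988,C:\\Program Files\\Office\\winword.exe,winword.exe report.docx,C:\\Windows\\explorer.exe
2024-03-01T10:00:09Z,WS-02,2200,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs,C:\\Windows\\System32\\services.exe
"""

# Constructed sample export of Network Activity (documentation IP ranges).
NETWORK_CSV = """timestamp,hostname,pid,image,remote_ip,remote_port
2024-03-01T10:00:07Z,WS-01,4120,C:\\Windows\\System32\\cmd.exe,198.51.100.23,443
2024-03-01T10:00:11Z,WS-02,2200,C:\\Windows\\System32\\svchost.exe,192.0.2.10,80
"""

FIELDS = ["ts", "kind", "hostname", "pid", "image", "detail"]


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T10:00:05Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def load_activity(csv_text: str, kind: str) -> list[dict]:
    """Read one export into the common record shape used by the timeline.

    kind is "process" or "network"; the export-specific columns are
    folded into a single human-readable "detail" field.
    """
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if kind == "process":
            detail = f"{row['command_line']} (parent: {row['parent_image']})"
        else:
            detail = f"{row['remote_ip']}:{row['remote_port']}"
        records.append({
            "ts": parse_timestamp(row["timestamp"]),
            "kind": kind,
            "hostname": row["hostname"],
            "pid": int(row["pid"]),
            "image": row["image"],
            "detail": detail,
        })
    return records


def build_timeline(*sources: list[dict]) -> list[dict]:
    """Merge records from several exports into one list ordered by time."""
    merged = [r for source in sources for r in source]
    return sorted(merged, key=lambda r: (r["ts"], r["kind"]))


def filter_host(timeline: list[dict], hostname: str) -> list[dict]:
    """Keep only the records for one endpoint."""
    return [r for r in timeline if r["hostname"] == hostname]


def timeline_to_csv(timeline: list[dict]) -> str:
    """Write the normalised timeline as CSV for Excel / Timeline Explorer."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for r in timeline:
        writer.writerow({**r, "ts": r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")})
    return buf.getvalue()


if __name__ == "__main__":
    timeline = build_timeline(
        load_activity(PROCESS_CSV, "process"),
        load_activity(NETWORK_CSV, "network"),
    )
    # Review everything WS-01 did, in order, outside the EDR console.
    print(timeline_to_csv(filter_host(timeline, "WS-01")))
```

Merging the two exports on a shared timestamp/host/PID shape is what makes the offline review useful: in the sample, the Word process spawning cmd.exe and that cmd.exe making an outbound connection two seconds later read as one sequence rather than two unrelated tables.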