To be successful at incident-handling, you need to have the logs available and be able to query them quickly. Log analysis begins to flex its muscle in the second stage of the incident response process. Triage is the third stage, which calls for triage in order to prevent additional systems from becoming compromised. Real-time alerting is important to help ensure firewall rules and disabled accounts were done properly. Clean-up is the fourth stage, where protections are put in place to prevent an issue from happening again.
Source: https://www.darkreading.com/analytics/tech-insight-learn-to-love-log-analysis