I often go to my dashboard to identify something like a compromised user account, and when I identify one I get a set of different source addresses, all used by the attacker.
I can't figure out an elegant way to turn that list of values (currently a Top10 terms query) into a new search, so that I can see if there are any other accounts being accessed from the same "known-bad" IPs.
Ideally I'd point at the list and say "query for srcip = anything on this list"; at the moment I get to query
srcip:18.104.22.168 OR srcip:22.214.171.124 OR ... which is pretty tedious and manual.
Any suggestions? Have I missed something simple?
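
One way to generate the OR query from the post mechanically, shown as an added example that is not part of the original post. It assumes the panel's values can be copied out as text and that the addresses are IPv4; the function names and the pasted sample (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re

# Candidate dotted-quad tokens; ipaddress performs the real validation below.
_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Field names are restricted so pasted text can never alter the query structure.
_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def extract_ipv4(text):
    """Return the unique, valid IPv4 addresses in text, in first-seen order."""
    seen, found = set(), []
    for token in _TOKEN.findall(text):
        try:
            addr = str(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # not a real address, e.g. 999.10.10.10
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def build_query(addresses, field="srcip"):
    """Build 'field:a OR field:b ...' in the same form the post types by hand."""
    if not _FIELD.match(field):
        raise ValueError("unexpected field name: %r" % field)
    if not addresses:
        raise ValueError("no valid addresses to search for")
    return " OR ".join("%s:%s" % (field, a) for a in addresses)


def query_from_paste(text, field="srcip"):
    """Pasted panel text in, ready-to-paste search string out."""
    return build_query(extract_ipv4(text), field)


# Constructed sample: a terms panel copied as text, with a duplicate and a bad row.
PASTED = """\
srcip            count
198.51.100.23    412
203.0.113.7      388
198.51.100.23    12
999.10.10.10     3
192.0.2.55       1
"""

if __name__ == "__main__":
    print(query_from_paste(PASTED))
```

The count column and header are ignored because only validated dotted-quad tokens are kept, so the panel text can be pasted in unedited.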