I often go to my dashboard to identify something like a compromised user account, and when I identify them I get a set of different source addresses, all used by the attacker.
I can't figure out an elegant way to turn that list of values (currently a Top10 terms query) into a new search, so that I can see if there are any other accounts being accessed from the same "known-bad" IPs.
Ideally I'd point at the list and say "query for srcip = anything on this list"; at the moment I get to query srcip:1.2.3.4 OR srcip:2.3.4.5 OR ... which is pretty tedious and manual.
Any suggestions? Have I missed something simple?
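
One way to script the pivot described in the post, as an added example that is not part of the original post: it cleans a pasted list of addresses, builds a single grouped query, and shows the same pivot over a few constructed events. It assumes the search box accepts Lucene-style query-string syntax (`field:(a OR b)`); the `user` field name, the `max_terms` chunk size, the function names and all sample data are assumptions.

```python
import ipaddress

# Constructed sample data: values pasted from a terms panel (with a stray header
# and a duplicate) and a few log events. "user" is a hypothetical field name.
SAMPLE_TERMS = ["srcip", "1.2.3.4", "2.3.4.5", " 1.2.3.4", "2001:DB8::1"]
SAMPLE_EVENTS = [
    {"user": "alice", "srcip": "1.2.3.4"},
    {"user": "bob", "srcip": "2.3.4.5"},
    {"user": "carol", "srcip": "192.0.2.10"},
    {"user": "dave", "srcip": "2001:db8::1"},
]

def clean_ips(values):
    """Parse, normalise and de-duplicate addresses, dropping anything invalid."""
    seen, ips = set(), []
    for raw in values:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # header text, empty cells, truncated values
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips

def build_ip_queries(values, field="srcip", max_terms=500):
    """Return query strings matching any listed address, max_terms per query."""
    ips = clean_ips(values)
    queries = []
    for i in range(0, len(ips), max_terms):
        # Quote each value: the colons in IPv6 addresses would otherwise be
        # read as field separators by the query parser.
        terms = " OR ".join(f'"{ip}"' for ip in ips[i:i + max_terms])
        queries.append(f"{field}:({terms})")
    return queries

def other_accounts(events, bad_ips, known_user, ip_field="srcip", user_field="user"):
    """Accounts other than known_user seen from a known-bad address, with the IPs used."""
    bad = set(clean_ips(bad_ips))
    hits = {}
    for ev in events:
        if ev[user_field] != known_user and ipaddress.ip_address(ev[ip_field]) in bad:
            hits.setdefault(ev[user_field], set()).add(ev[ip_field])
    return hits

if __name__ == "__main__":
    for query in build_ip_queries(SAMPLE_TERMS):
        print(query)
    print(other_accounts(SAMPLE_EVENTS, SAMPLE_TERMS, "alice"))
```

Appending `AND NOT user:alice` to the generated query (again with the hypothetical field name) narrows the results to the other accounts.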