Hunting for bad actors / searching for multiple IP addresses

I often go to my dashboard to identify something like a compromised user account, and when I identify them I get a set of different source addresses, all used by the attacker.

I can't figure out an elegant way to turn that list of values (currently a Top10 terms query) into a new search, so that I can see if there are any other accounts being accessed from the same "known-bad" IPs.

Ideally I'd point at the list and say "query for srcip = anything on this list"; at the moment I get to query srcip: OR srcip: OR ... which is pretty tedious and manual.

Any suggestions? Have I missed something simple?

This is a neat idea and a common use case - I'd suggest submitting as a feature request to the project:

OK ... recorded. Thanks 🙂
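
An added example, not part of the original thread or of the project: one way to do the pivot outside the dashboard. It assumes the search bar accepts Lucene-style `field:(a OR b)` grouping and that exported events carry `srcip` and `user` fields. The `user` field, the function names and all sample data are hypothetical.

```python
import ipaddress

def normalise(ips):
    """Validate, canonicalise and de-duplicate pasted values, keeping order."""
    clean = []
    for raw in ips:
        try:
            ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue  # drop anything that is not an IP, so it cannot alter the query
        if ip not in clean:
            clean.append(ip)
    return clean

def build_srcip_queries(ips, field="srcip", max_terms=1024):
    """Return query strings of the form field:("a" OR "b"), max_terms values each.

    max_terms is an assumed per-query clause limit; set it to your backend's.
    """
    clean = normalise(ips)
    queries = []
    for i in range(0, len(clean), max_terms):
        # Quoting keeps the colons in IPv6 addresses from being read as syntax.
        terms = " OR ".join('"%s"' % ip for ip in clean[i:i + max_terms])
        queries.append("%s:(%s)" % (field, terms))
    return queries

def other_accounts(events, bad_ips, known_user):
    """Map each known-bad IP to the accounts, other than known_user, seen from it."""
    bad = set(normalise(bad_ips))
    hits = {}
    for ev in events:
        if ev["srcip"] in bad and ev["user"] != known_user:
            hits.setdefault(ev["srcip"], set()).add(ev["user"])
    return hits

# Constructed sample data (documentation address ranges), not from the thread.
TOP_TERMS = ["203.0.113.7", "198.51.100.23", " 203.0.113.7", "2001:db8::1", "srcip"]
EVENTS = [
    {"user": "alice", "srcip": "203.0.113.7"},
    {"user": "bob", "srcip": "203.0.113.7"},
    {"user": "carol", "srcip": "192.0.2.10"},
    {"user": "dave", "srcip": "2001:db8::1"},
    {"user": "alice", "srcip": "198.51.100.23"},
]

if __name__ == "__main__":
    print(build_srcip_queries(TOP_TERMS))
    print(other_accounts(EVENTS, TOP_TERMS, known_user="alice"))
```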