Hey,
A possible solution to this problem is to search for all documents from now-$YOUR_INTERVAL*2 (e.g. 5m, so now-10m) and then create a filters aggregation and specify two buckets, now-5m and from -5m till -10m. Then have a terms aggregation on the src_address and check the results for differences.
Note that this only works up to a certain limit, due to the limit on the number of buckets. You may want to take a look at the composite aggregation to support pagination, but this will not work with Watcher.
Hope this helps as a start.
--Alex
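The following is an added example, not code from Alex's post or from Elastic: it builds the two-window filters aggregation with a nested terms aggregation on src_address that the post describes, and diffs the two buckets of a response. The timestamp field name `@timestamp`, the aggregation names `windows`/`by_src`, the terms size, and the sample response are assumptions constructed for the example; the response shape (keyed filters buckets, terms buckets with `sum_other_doc_count`) is the standard Elasticsearch one.

```python
"""Two-window filters + terms aggregation to spot src_address changes.
Added example; not part of the original forum post."""
import json
import re
from typing import Dict

TIMESTAMP_FIELD = "@timestamp"   # assumed name of the event time field
SRC_FIELD = "src_address"        # field name taken from the post


def double_interval(interval: str) -> str:
    """'5m' -> '10m'. Handles simple <number><unit> date-math intervals only."""
    m = re.fullmatch(r"(\d+)([smhdw])", interval)
    if not m:
        raise ValueError(f"unsupported interval: {interval!r}")
    return f"{int(m.group(1)) * 2}{m.group(2)}"


def build_query(interval: str = "5m", terms_size: int = 1000) -> dict:
    """Search now-2*interval..now, split that span into 'current' and
    'previous' windows with a filters aggregation, and run a terms agg on
    src_address inside each window. The outer range query only narrows the
    documents the aggregations have to visit."""
    two = double_interval(interval)

    def window(gte: str, lt: str) -> dict:
        return {"range": {TIMESTAMP_FIELD: {"gte": gte, "lt": lt}}}

    return {
        "size": 0,
        "query": window(f"now-{two}", "now"),
        "aggs": {
            "windows": {
                "filters": {
                    "filters": {
                        "current": window(f"now-{interval}", "now"),
                        "previous": window(f"now-{two}", f"now-{interval}"),
                    }
                },
                "aggs": {
                    # terms_size is where the post's bucket-limit caveat bites:
                    # distinct addresses beyond it are folded into sum_other_doc_count
                    "by_src": {"terms": {"field": SRC_FIELD, "size": terms_size}}
                },
            }
        },
    }


def _terms_to_counts(terms_agg: dict) -> Dict[str, int]:
    return {b["key"]: b["doc_count"] for b in terms_agg["buckets"]}


def diff_windows(response: dict) -> dict:
    """Compare the src_address sets of the two windows.
    'truncated' is True when either terms agg held more distinct values than
    its size allowed (sum_other_doc_count > 0), meaning the diff is incomplete."""
    windows = response["aggregations"]["windows"]["buckets"]
    cur_agg = windows["current"]["by_src"]
    prev_agg = windows["previous"]["by_src"]
    cur = _terms_to_counts(cur_agg)
    prev = _terms_to_counts(prev_agg)
    return {
        "new": sorted(set(cur) - set(prev)),
        "disappeared": sorted(set(prev) - set(cur)),
        "count_changes": {k: (prev[k], cur[k]) for k in cur if k in prev and cur[k] != prev[k]},
        "truncated": cur_agg.get("sum_other_doc_count", 0) > 0
        or prev_agg.get("sum_other_doc_count", 0) > 0,
    }


# Constructed sample response (not real data) in the shape Elasticsearch returns
# for a filters aggregation with named filters and a nested terms aggregation.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": {"value": 42, "relation": "eq"}, "hits": []},
    "aggregations": {
        "windows": {
            "buckets": {
                "current": {
                    "doc_count": 25,
                    "by_src": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {"key": "10.0.0.5", "doc_count": 20},
                            {"key": "203.0.113.7", "doc_count": 5},
                        ],
                    },
                },
                "previous": {
                    "doc_count": 17,
                    "by_src": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {"key": "10.0.0.5", "doc_count": 12},
                            {"key": "10.0.0.9", "doc_count": 5},
                        ],
                    },
                },
            }
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(build_query("5m"), indent=2))
    print(diff_windows(SAMPLE_RESPONSE))
```

The body returned by `build_query` is what would go into a watch's search input; `diff_windows` is the comparison that the post leaves to the reader, and its `truncated` flag is the check to watch for when the number of distinct addresses approaches the terms size, since a truncated bucket makes an address look new or gone when it merely fell below the cut.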