Hi,
I have the following search that allows me to find internal IPs contacting destinations categorized as CnC in Emerging Threats:
| tstats `summariesonly` prestats=true count from datamodel=Network_Traffic where * nodename=All_Traffic by _time, All_Traffic.src All_Traffic.dest All_Traffic.dest_port, All_Traffic.action
| `drop_dm_object_name("All_Traffic")`
| `et_ip_lookup(IP=dest)`
| search rep_category_name="CnC" src=10.0.0.0/8
| table _time, src, dest, dest_port, ports, rep_score, action
And the opposite (external as source):
| tstats `summariesonly` prestats=true count from datamodel=Network_Traffic where * nodename=All_Traffic by _time, All_Traffic.src All_Traffic.dest All_Traffic.dest_port, All_Traffic.action
| `drop_dm_object_name("All_Traffic")`
| `et_ip_lookup(IP=src)`
| search rep_category_name="CnC"
| table _time, src, dest, dest_port, ports, rep_score, action
I'm trying to find a way to do the following in the same search/results:
- Get the list of the internal to external CnC
- Then search for callbacks: internal to external, followed by external to internal in a short time frame (a few seconds)
I'm pretty new to Splunk. I tried various things, like join or a saved search with appendcols, but I am unable to achieve the result I want. Anyway, can this be done?
Thanks!
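One way to get both results from a single search, as an added example that is not part of the original post: pull both directions in one tstats call, tag each flow as outbound or inbound by checking whether the source is in the internal range, normalise the pair to (internal host, external host), run the reputation lookup on the external side once, and then use streamstats to pair an inbound flow with the outbound flow that preceded it for the same pair. This assumes 10.0.0.0/8 is the only internal range, that the `et_ip_lookup` macro accepts any field name as its IP argument and outputs rep_category_name and rep_score (as the original searches imply), and that 5 seconds is an acceptable callback window; all three are assumptions to adjust for your environment.

```spl
| tstats `summariesonly` count from datamodel=Network_Traffic where nodename=All_Traffic
    by _time span=1s All_Traffic.src All_Traffic.dest All_Traffic.dest_port All_Traffic.action
| `drop_dm_object_name("All_Traffic")`
| eval direction=if(cidrmatch("10.0.0.0/8", src), "outbound", "inbound")
| eval internal=if(direction="outbound", src, dest)
| eval external=if(direction="outbound", dest, src)
| `et_ip_lookup(IP=external)`
| search rep_category_name="CnC"
| sort 0 internal external _time
| streamstats current=f last(_time) as prev_time last(direction) as prev_direction
    by internal external
| eval is_callback=if(direction="inbound" AND prev_direction="outbound"
    AND (_time - prev_time) <= 5, "yes", "no")
| table _time direction internal external dest_port action rep_score prev_time is_callback
```

Everything that survives the `search rep_category_name="CnC"` line is your first list (internal hosts talking to CnC in either direction); the rows with is_callback="yes" are the second list, an external-to-internal flow that arrived within 5 seconds of an internal-to-external flow between the same two hosts. Replace the last two lines with `| where direction="inbound" AND prev_direction="outbound" AND (_time - prev_time) <= 5` if you only want the callbacks. The `sort 0` is required so that streamstats sees each pair's flows in time order; `current=f` makes `last(...)` refer to the previous row rather than the current one. This avoids join and appendcols entirely, which matters because both are subject to subsearch limits on busy network data.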