Hello, I want to detect foreign IPs as a first step, then search the traffic for connections between the foreign IP and other local IPs.
| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
    where [ ```step 1 runs here as a subsearch: it executes first and only its results are visible outside, so the outer search cannot reference a field such as attacker; the *_Country fields assume the data model has been extended with geo enrichment, as in the original query```
        | tstats `security_content_summariesonly` values(All_Traffic.src_ip_Country) AS src_country values(All_Traffic.dest_ip_Country) AS dest_country from datamodel=Network_Traffic by All_Traffic.src_ip All_Traffic.dest_ip
        | rename All_Traffic.src_ip AS src All_Traffic.dest_ip AS dest
        | eval src_local=if(isnull(src_country) OR src_country="", 1, 0), dest_local=if(isnull(dest_country) OR dest_country="", 1, 0) ```tstats leaves the country null (not "") when there is no geo match, e.g. for private IPs; an IP with no country is treated as local```
        | where src_local!=dest_local ```keep only local<->external pairs```
        | eval attacker=if(src_local=1, dest, src) ```the side with a country is the foreign IP; eval takes field names, $src$ is token syntax and is invalid here```
        | stats count BY attacker
        | eval search="(All_Traffic.src_ip=\"".attacker."\" OR All_Traffic.dest_ip=\"".attacker."\")" ```a field named search is returned verbatim and OR'd across rows, one clause per foreign IP```
        | fields search
    ]
    by All_Traffic.src_ip All_Traffic.dest_ip _time span=1h
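The same two-step pivot as an added Python example (not from the original post), run over constructed flow records whose fields mirror the tstats output; it makes the "no country means local" rule explicit and shows why local<->local and external<->external pairs yield no foreign IP.

```python
from collections import defaultdict

# Constructed sample flows mirroring the tstats fields; country is None where
# geo-enrichment had no entry (the 10.0.0.0/8 hosts are internal).
FLOWS = [
    {"src": "10.0.0.5",     "dest": "198.51.100.7", "src_country": None, "dest_country": "DE"},
    {"src": "198.51.100.7", "dest": "10.0.0.9",     "src_country": "DE", "dest_country": None},
    {"src": "10.0.0.5",     "dest": "10.0.0.8",     "src_country": None, "dest_country": None},
    {"src": "203.0.113.2",  "dest": "10.0.0.5",     "src_country": "BR", "dest_country": ""},
    {"src": "203.0.113.2",  "dest": "198.51.100.7", "src_country": "BR", "dest_country": "DE"},
]

def is_local(country):
    # tstats leaves the country field null (not "") when the lookup has no
    # entry, so both null and "" count as "no country", i.e. a local IP.
    return country is None or country == ""

def foreign_ips(flows):
    """Step 1: in each local<->external flow the side that has a country is
    the foreign IP (the eval attacker=if(...) of the query)."""
    found = set()
    for f in flows:
        src_local, dest_local = is_local(f["src_country"]), is_local(f["dest_country"])
        if src_local and not dest_local:
            found.add(f["dest"])
        elif dest_local and not src_local:
            found.add(f["src"])
        # local<->local and external<->external pairs contribute nothing
    return found

def connections_for(flows, attackers):
    """Step 2: every flow whose src or dest is a known foreign IP (the outer
    tstats with the OR'd subsearch), reduced to the local peers per foreign IP."""
    peers = defaultdict(set)
    for f in flows:
        for attacker, peer, peer_country in ((f["src"], f["dest"], f["dest_country"]),
                                             (f["dest"], f["src"], f["src_country"])):
            if attacker in attackers and is_local(peer_country):
                peers[attacker].add(peer)
    return dict(peers)

if __name__ == "__main__":
    attackers = foreign_ips(FLOWS)
    for ip, hosts in sorted(connections_for(FLOWS, attackers).items()):
        print(ip, "->", sorted(hosts))
```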