I want to search for an IDS event like this
sourcetype=IDS "MALWARE-CNC"
Then I want to use the src_IP and dst_IP to search the proxy logs to see if the proxy blocked the traffic. Something Like this I would think
sourcetype=IDS "MALWARE-CNC" | fields src_ip dst_ip [ search sourcetype=proxy src_ip dst_ip action!=DENIED]