In any case, the ROI for correlating SSH logs against network traffic is potentially error-prone and may be more noisy than useful (can you differentiate in logs between SSH logins from a private IP and a public one?).
An EDR tool would be much better to look for an attacker’s next steps. But if you’re trying to catch a nation state, they probably already have a plan for hiding their tracks.
This kind of anomaly detection is possible. Not sure how common it is. I doubt it is common.