I was playing with NTA alerts, and realized that they were far too granular. So I came up with this:
SELECT TOP 10 Caption , Nodes.FlowsByHostname.DestinationHostname , Nodes.FlowsByHostname.TimeStamp FROM Orion.Nodes as Nodes WHERE Nodes.FlowsByHostname.DestinationHostname LIKE '%HOSTNAME%' AND Nodes.FlowsByHostname.TimeStamp >= AddMinute(-17,DateTrunc('minute', GetUtcDate())) AND Nodes.FlowsByHostname.TimeStamp <= AddMinute(-2,DateTrunc('minute', GetUtcDate()))
Just modify the DestinationHostName to whatever you'd want an alert on. This was a security requirement from one of my clients who wanted to know if there was any traffic at all on a specific hostname. This will grab when anything shows traffic from the last 2-17 minutes, roughly.