I was playing with NTA alerts, and realized that they were far too granular. So I came up with this:
<pre>SELECT TOP 10 Caption
, Nodes.FlowsByHostname.DestinationHostname
, Nodes.FlowsByHostname.TimeStamp
FROM Orion.Nodes as Nodes
WHERE Nodes.FlowsByHostname.DestinationHostname LIKE '%HOSTNAME%'
AND Nodes.FlowsByHostname.TimeStamp >= AddMinute(-17,DateTrunc('minute', GetUtcDate()))
AND Nodes.FlowsByHostname.TimeStamp <= AddMinute(-2,DateTrunc('minute', GetUtcDate()))</pre>
Just modify the DestinationHostname to whatever you'd want an alert on. This was a security requirement from one of my clients who wanted to know if there was any traffic at all on a specific hostname. This will grab when anything shows traffic from the last 2-17 minutes, roughly.