Create AlertsOnHost.txt

Hunting Queries/SecurityAlert/AlertsOnHost.txt

@@ -0,0 +1,27 @@
+// Name: Alerts On Host
+// Description: Any Alerts that fired on a given host during the range of +6h and -3d
+//
+// Entity: Host
+// Input: Compromised Host, (HostName)
+// Output: Alerts
+//
+// QueryPeriod: +6h and -3d default, change as needed
+//
+// Data Source: SecurityAlert
+//
+// Tactics: #Persistence, #Discovery, #Lateral Movement, #Collection
+//
+let GetAllAlertsOnHost = (suspiciousEventTime:datetime, v_Host:string){
+//-3d and +6h as some alerts fire after accumulation of events
+let v_StartTime = suspiciousEventTime-3d;
+let v_EndTime = suspiciousEventTime+6h;
+SecurityAlert
+| where TimeGenerated between (v_StartTime .. v_EndTime)
+// expand JSON properties
+| extend Extprop = parsejson(ExtendedProperties)
+| extend Computer = toupper(tostring(Extprop["Compromised Host"]))
+| where Computer contains v_Host
+| project TimeGenerated, AlertName, Computer, ExtendedProperties
+};
+// change datetime value and hostname value below
+GetAllAlertsOnHost(datetime('2019-01-20T10:02:51.000'), toupper("<hostname>"))