Any update @anlynch? I did something similar in this rule; don't know if this can help you out:
/* Query finds the last connection of a suspicious domain and then displays all connections 5 minutes prior and 10 seconds after the connection to a suspicious domain. Fields AGENT and DOMAIN are mandatory. You may change variables minutes_before_connection and seconds_after_connection to include more or less results around the connection.
Last connection time used to filter for results is based both on established connections and dns queries. */
dataset = xdr_data
| filter agent_hostname = "AGENT" // <-- Agent that you are investigating
| alter suspicious_domain = "DOMAIN" // <-- Domain that caused the alert
| alter minutes_before_connection = 5
| alter seconds_after_connection = 10
| filter action_external_hostname != null or dns_query_name != null
| join type = inner (
    dataset = xdr_data
    // Coalesce: prefer the established connection's hostname, fall back to the DNS query name
    | alter domain = if(action_external_hostname != null, action_external_hostname, dns_query_name != null, dns_query_name, null)
    | filter domain != null and agent_hostname != null
    | comp max(_time) as last_visit by domain, agent_hostname
  ) as X X.domain = suspicious_domain and X.agent_hostname = agent_hostname
// The window is applied here in both directions; a "_time <= X.last_visit" bound on the join would drop the events after last_visit
| filter timestamp_diff(last_visit, _time, "MINUTE") <= minutes_before_connection and timestamp_diff(_time, last_visit, "SECOND") <= seconds_after_connection
| fields _time, actor_process_image_name, actor_process_image_command_line, action_external_hostname as established_connection, dns_query_name as dns_query, _product
| sort desc _time

As the description shows, it is used to tell us the number of connections before and after a generic alert or incident. If this can help you, great.
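The same window logic, as an added example that is not part of the post above and is not XQL: a Python reimplementation over a handful of constructed events (the hostnames, processes and times are invented for illustration). It computes the last visit to the suspicious domain per agent, then returns every event from that agent that has a domain and falls within 5 minutes before and 10 seconds after that visit, newest first, so the "after" side is covered as well as the "before" side.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    """One telemetry row, reduced to the xdr_data fields the query uses."""
    time: datetime
    agent_hostname: str
    process: str                               # actor_process_image_name
    command_line: str                          # actor_process_image_command_line
    external_hostname: Optional[str] = None    # action_external_hostname
    dns_query_name: Optional[str] = None       # dns_query_name

    @property
    def domain(self) -> Optional[str]:
        # Same coalescing as the XQL "alter domain = if(...)": an established
        # connection wins, otherwise the DNS query name, otherwise nothing.
        if self.external_hostname is not None:
            return self.external_hostname
        return self.dns_query_name


def last_visit(events: List[Event], agent: str, domain: str) -> Optional[datetime]:
    """max(_time) over connections and DNS queries to `domain` from `agent` (the comp step)."""
    times = [e.time for e in events if e.agent_hostname == agent and e.domain == domain]
    return max(times) if times else None


def context_window(events: List[Event], agent: str, domain: str,
                   minutes_before: int = 5, seconds_after: int = 10) -> List[Event]:
    """Events from `agent` with a domain inside [last_visit - before, last_visit + after]."""
    pivot = last_visit(events, agent, domain)
    if pivot is None:
        return []
    start = pivot - timedelta(minutes=minutes_before)
    end = pivot + timedelta(seconds=seconds_after)
    hits = [
        e for e in events
        if e.agent_hostname == agent and e.domain is not None and start <= e.time <= end
    ]
    # "sort desc _time"
    return sorted(hits, key=lambda e: e.time, reverse=True)


def window_summary(events: List[Event], agent: str, domain: str) -> List[Tuple[str, str, str]]:
    """(time, process, domain) triples of the window, the columns an analyst reads first."""
    return [(e.time.isoformat(), e.process, e.domain) for e in context_window(events, agent, domain)]


def sample_events() -> List[Event]:
    """Constructed telemetry for two agents around 12:00; not real data."""
    def t(h: int, m: int, s: int) -> datetime:
        return datetime(2024, 1, 1, h, m, s)

    return [
        Event(t(11, 53, 0), "WS-ALICE", "chrome.exe", "chrome.exe", dns_query_name="update.example-cdn.net"),
        Event(t(11, 56, 30), "WS-ALICE", "outlook.exe", "outlook.exe", external_hostname="mail.example.com"),
        Event(t(11, 58, 0), "WS-ALICE", "powershell.exe", "powershell.exe -enc ...", dns_query_name="evil.example.net"),
        Event(t(11, 59, 30), "WS-ALICE", "explorer.exe", "explorer.exe"),  # no domain: filtered out
        Event(t(12, 0, 0), "WS-ALICE", "powershell.exe", "powershell.exe -enc ...", external_hostname="evil.example.net"),
        Event(t(12, 0, 5), "WS-ALICE", "powershell.exe", "powershell.exe -enc ...", external_hostname="files.example.org"),
        Event(t(12, 0, 20), "WS-ALICE", "svchost.exe", "svchost.exe -k netsvcs", dns_query_name="telemetry.example.org"),
        Event(t(12, 3, 0), "WS-BOB", "powershell.exe", "powershell.exe", external_hostname="evil.example.net"),
    ]


if __name__ == "__main__":
    for row in window_summary(sample_events(), "WS-ALICE", "evil.example.net"):
        print(*row, sep="\t")
```

With the constructed data the pivot for WS-ALICE is the 12:00:00 connection; the 11:53:00 DNS query (7 minutes before) and the 12:00:20 lookup (20 seconds after) fall outside the window, the event without any domain is dropped, and WS-BOB's visit is kept separate because the last visit is computed per agent.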