Added AH query, identify accounts logged on to endpoints affected by cobalt strike

[martyav]

I'm an internal contributor, tasked with adding AH queries from TA reports.

Before I get too far in, I wanted to get a review.

This file covers a query that identifies accounts logged on to endpoints affected by cobalt strike

[tali-ash]

Thanks for contributing !

Currently this query will run on MDATP only(DeviceAlertEvents exist only in MDATP), can you please adjust it to work on MTP as well using the tables: AlertInfo and AlertEvidence?

Can you please add time limit to the query? for example | where Timestamp > ago(7d)

In addition, can you please put it in the folder of Credential access, which I saw this is the technique it represents :)

[martyav]

@tali-ash Thanks for the review. I was out for a week, so didn't see until today. I just pushed a commit that should address the changes requested.

[lomayor]

@endisphotic, @tali-ash, Marty is helping add the threat analytics queries to this repo, but might need your help adjust the queries as necessary.

[tali-ash]

Hi @martyav , I made some changes to the query, updated the file itself, this is how it should be written as I understand, please review it before I am inserting into master.

[martyav]

Thanks for the review. It looks good -- other queries in the older docs I am drawing upon will probably need similar updates

[martyav]

@lomayor I updated the file to replace "Ploty" with "Cosipor"