This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and incorporating a search over a longer time span (say 60m) is I found it to provide better results and less false negatives if the infrastructure isn’t setup to ingest data in near real-time.

index=malware category="something_high_fidelity" | bucket _time span=15m | stats count by dest | where count>=3