I was running some PowerShell script and getting events with the powershell_events query; however, the results are split into multiple events, and each event does not have basic information like last IP, computername, etc. Is there a way to combine a few events into a single event and then run the rule?
01/28/2020, 6:34 AM
From the rule section, you can create rules based on host_identifier.
For adding other system constraints, you need to construct your query by adding information from other tables:
select powershell_events.*,system_info.computer_name from powershell_events,system_info;
and then you can apply rules on these additional attributes.