Something like this, but event data here is just a blob of string in

data

(event data)

--windows_event_channels=Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-Sysmon/Operational

osquery> select * from windows_eventlog where channel = "Microsoft-Windows-Sysmon/Operational" limit(1);
      channel = Microsoft-Windows-Sysmon/Operational
     datetime = 2021-03-24T08:17:23.361850100Z
         task = 5
        level = 4
provider_name = Microsoft-Windows-Sysmon
provider_guid = {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
computer_name = DESKTOP-Q7BJ1MD
      eventid = 5
     keywords = 0x8000000000000000
         data = {"EventData":{"RuleName":"-","UtcTime":"2021-03-24 08:17:23.359","ProcessGuid":"{39333bd0-f4d2-605a-6300-000000008c00}","ProcessId":"5028","Image":"C:\\Windows\\System32\\svchost.exe"}}
          pid = 6500
          tid = 6960

I was just trying out some stuff... This might not be the best explanation or query at all. But here is one kind of query a user can write to get some juicy information with the context available in events. Using image loads table and then fetching details about the process using process guid that is available in both the tables.

osquery>
osquery> select * from sysmon_image_load_events where imageloaded like '%System.Management.Automation.ni.dll%';
        RuleName = technique_id=T1086,technique_name=PowerShell Engine
            time = 1616583966
         UtcTime = 2021-03-24 11:04:48.573
     ProcessGuid = {39333bd0-1ccf-605b-df02-000000008c00}
       ProcessId = 8148
           Image = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     ImageLoaded = C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\6b621f0fd6cc913157b16d8a0cfdc3ec\System.Management.Automation.ni.dll
     FileVersion = 10.0.18362.145
     Description = System.Management.Automation
         Product = Microsoft (R) Windows (R) Operating System
         Company = Microsoft Corporation
OriginalFileName = System.Management.Automation.dll
          Hashes = MD5=B18E1C187DAEB6C9B195BDD2EFDC20C7,SHA256=D36AD842C5E44483BDBBDF13D045AD5A64A9DDD5C1BAB89E81B12299D89DFC27,IMPHASH=00000000000000000000000000000000
          Signed = false
       Signature = -
 SignatureStatus = Unavailable
osquery>
osquery>
osquery>
osquery> select * from sysmon_process_create_events where processguid in (select processguid from sysmon_image_load_events where imageloaded like '%System.Management.Automation.ni.dll%');
         RuleName = -
             time = 1616583947
          UtcTime = 2021-03-24 11:04:47.383
      ProcessGuid = {39333bd0-1ccf-605b-df02-000000008c00}
        ProcessId = 8148
            Image = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      FileVersion = 10.0.18362.1 (WinBuild.160101.0800)
      Description = Windows PowerShell
          Product = Microsoft® Windows® Operating System
          Company = Microsoft Corporation
 OriginalFileName = PowerShell.EXE
      CommandLine = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
 CurrentDirectory = C:\Users\admin\
             User = DESKTOP-Q7BJ1MD\admin
        LogonGuid = {39333bd0-f4cf-605a-6665-020000000000}
          LogonId = 0x26566
TerminalSessionId = 1
   IntegrityLevel = Medium
           Hashes = MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid = {39333bd0-f4d0-605a-5f00-000000008c00}
  ParentProcessId = 4484
      ParentImage = C:\Windows\explorer.exe
ParentCommandLine = C:\Windows\Explorer.EXE
osquery>

Basically listing all the processes which tried to load powershell system automation dll captured in image load events table.