Update rules/macos/execution_script_via_automator_workflows.toml

Author: DefSecSentinel

rules/macos/execution_script_via_automator_workflows.toml

@@ -56,7 +56,7 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by process.entity_id with maxspan=15s
+sequence by host.id, process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "Automator"]
  [network where host.os.type == "macos"]
 '''