Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Author: DefSecSentinel

rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

@@ -59,7 +59,7 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by process.entity_id with maxspan=30s
+sequence by host.id, process.entity_id with maxspan=30s
  [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
  [network where host.os.type == "macos" and event.type == "start" and process.name == "osascript" and
    not cidrmatch(destination.ip,