Paul Coccoli

Results 35 comments of Paul Coccoli

For implementing simple correlation in SQL (which we're trying to leverage as much as possible in kestrel 2), consider a simple table `mydata`: ``` # select * from mydata; name...

We may not want to do this since we have an aggregation function called `min`.

This is all I see now: ``` k2 (develop) ~/github/kestrel-lang$ kestrel sds_syslog_sysmon_test.hf Traceback (most recent call last): File "/home/pcoccoli/.pyenv/versions/k2/bin/kestrel", line 8, in sys.exit(kestrel()) File "/home/pcoccoli/github/kestrel-lang/packages/kestrel_core/src/kestrel/cli.py", line 49, in kestrel outputs...

I think any referenced property, e.g. `parent_ref.pid` or `binary_ref.name`, could be aliased (as `parent_pid` and `binary_name` if we simply drop the `_ref.`).

In case anyone finds it useful, I think `x-oca-event:code` is mapped to ECS `event.code`, which should be the Windows `EventID`.