[powershell_rename_host]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
REGEX = PowerShell_transcript\.([^\.]+)\.
FORMAT = host::$1

[wef_computername_as_host]
DEST_KEY = MetaData:Host
REGEX = (?m)ComputerName=(.+)
FORMAT = host::$1

[osquery_hostidentifier_as_host]
DEST_KEY = MetaData:Host
REGEX = hostIdentifier\"\:\"([^\"]+)\"
FORMAT = host::$1

[setnull]
REGEX = Error\scasting
DEST_KEY = queue
FORMAT = nullQueue

[autoruns_wineventlog_null]
REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
DEST_KEY = queue
FORMAT = nullQueue