drop 4688 or sysmon csv · decode encoded commands · burst windows · c2 fingerprints · ioc extraction · export csv · runs locally
security 4688 · sysmon event 1 · powershell 4104