detect Windows Security log events with impossible or anomalous process and thread IDs · identify synthetic events with invalid PID/TID values (not a multiple of 4, thread ID 0) · surface fabricated log entries by checking each event's process context against the rest of the log · runs locally
checks: PID multiple-of-4 · TID zero · PID cross-reference against 4688 process-creation events · Security-Auditing provider written from the LSASS PID · logon session (4624) PID consistency
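The checks listed above, as an added example that is not the tool's own code. It runs over a constructed CSV export embedded inline; the column names (EventID, Provider, ExecProcessID, ExecThreadID, NewProcessId, ProcessId) are an assumption, since real exports from Event Viewer or third-party EVTX converters name the fields differently. The LSASS PID is taken as the most common Execution PID of the Security-Auditing provider; in a real export split the log per boot first, because LSASS gets a new PID on every restart. The 4688 cross-reference only holds where process-creation auditing was enabled before the events of interest, so processes started before the log window are a known false positive unless they also appear as a creator in a 4688.

```python
import csv
import io
from collections import Counter

SECURITY_PROVIDER = "Microsoft-Windows-Security-Auditing"

# Constructed sample export (not real log data). Row 2 has TID 0, row 3 has a
# NewProcessId that is not a multiple of 4, row 4 is written from a PID that is
# neither LSASS nor a multiple of 4, row 5 logs on from a PID never seen in a 4688.
SAMPLE_CSV = """EventID,Provider,ExecProcessID,ExecThreadID,NewProcessId,ProcessId
4688,Microsoft-Windows-Security-Auditing,712,1204,0x1a2c,0x2f8
4624,Microsoft-Windows-Security-Auditing,712,1204,,0x1a2c
4624,Microsoft-Windows-Security-Auditing,712,0,,0x1a2c
4688,Microsoft-Windows-Security-Auditing,712,1204,0x1a2e,0x2f8
4624,Microsoft-Windows-Security-Auditing,9001,1204,,0x1a2c
4624,Microsoft-Windows-Security-Auditing,712,1204,,0x3b10
"""


def to_int(value):
    """Parse a PID/TID that may be decimal ('712') or hex ('0x1a2c'); None if empty."""
    value = (value or "").strip()
    if not value:
        return None
    return int(value, 0)


def analyze(csv_text):
    """Return (row_index, check_name, detail) findings for a Security CSV export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []

    # LSASS writes every Security-Auditing event, so the provider's Execution PID
    # should be a single value per boot. Assumption: the mode is the LSASS PID.
    lsass_pids = Counter(to_int(r["ExecProcessID"]) for r in rows
                         if r["Provider"] == SECURITY_PROVIDER)
    lsass_pid = lsass_pids.most_common(1)[0][0] if lsass_pids else None

    # PIDs proven alive so far: LSASS itself, plus every process a 4688 shows
    # being created (NewProcessId) or creating another (ProcessId).
    known_pids = {lsass_pid} if lsass_pid is not None else set()

    for i, r in enumerate(rows):
        event_id = int(r["EventID"])
        exec_pid = to_int(r["ExecProcessID"])
        exec_tid = to_int(r["ExecThreadID"])
        new_pid = to_int(r.get("NewProcessId"))
        proc_id = to_int(r.get("ProcessId"))

        # Check 1: Windows hands out PIDs and TIDs in multiples of 4.
        for field, val in (("ExecProcessID", exec_pid), ("ExecThreadID", exec_tid),
                           ("NewProcessId", new_pid), ("ProcessId", proc_id)):
            if val is not None and val % 4 != 0:
                findings.append((i, "pid_not_multiple_of_4", f"{field}={val}"))

        # Check 2: a running logging thread never has TID 0.
        if exec_tid == 0:
            findings.append((i, "tid_zero", "ExecThreadID=0"))

        # Check 3: Security-Auditing events not written from the LSASS PID.
        if r["Provider"] == SECURITY_PROVIDER and exec_pid != lsass_pid:
            findings.append((i, "provider_pid_outlier",
                             f"ExecProcessID={exec_pid} expected {lsass_pid}"))

        # Record PIDs that a process-creation event proves to exist.
        if event_id == 4688:
            known_pids.update(p for p in (new_pid, proc_id) if p is not None)

        # Check 4: a logon (4624) attributed to a PID with no prior 4688 context.
        if event_id == 4624 and proc_id is not None and proc_id not in known_pids:
            findings.append((i, "pid_without_4688", f"ProcessId={proc_id:#x}"))

    return findings


if __name__ == "__main__":
    for row, check, detail in analyze(SAMPLE_CSV):
        print(f"row {row}: {check} ({detail})")
```

Each finding names the offending field so an analyst can pivot back to the raw event; PID reuse and log gaps mean these are leads for review, not proof of fabrication on their own.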