drop a 4688/4689 EVTX CSV export or a Sysmon EVTX CSV export · detect processes that started (4688 / Sysmon 1) with no matching exit record (4689 / Sysmon 5) · identify orphaned process tree nodes whose parent never appears in the log · surface attacker processes that evaded exit logging · runs locally
heuristic screener · vendor export schemas vary, so column names may need mapping · a missing exit record or an orphaned node is a lead to investigate, not definitive proof