drop 4688 evtx csv · parent-child process trees · flag unusual parentage · export csv · runs locally
security event id 4688 · newprocessname · processid · parentprocessname · commandline