
drop a Sysmon EVTX-to-CSV export containing Event 3 (network connection) · optionally add process creation events (Sysmon Event 1 or Security 4688) or netstat snapshots · each connection is linked to the process that made it by matching PID and timestamp, so you can see which process opened which connection · runs locally


Sysmon Event 3 direct attribution (Event 3 already carries ProcessId and Image, so no join is needed for those rows) · PID lifecycle match (a connection is tied to the most recent process creation for that PID before the connection time, so a reused PID is not attributed to an earlier, already-exited process) · LOLBIN / Office / beaconing flags (connections made by living-off-the-land binaries or Office applications, and connections repeating at a near-constant interval to the same destination)

accepted inputs: Sysmon CSV (Event 1 + 3) · Security 4688 · netstat snapshots
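Added example, not the tool's own code: a Python sketch of the PID-and-timestamp matching described above, run over a constructed Sysmon CSV with Event 1 and Event 3 rows. The single-file CSV layout, the LOLBIN and Office watchlists, the beaconing thresholds and every sample row are assumptions made for the example.

```python
import csv
import io
import ntpath
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real telemetry): one CSV export holding Sysmon Event 1
# (process create) and Event 3 (network connect) rows. Column names are Sysmon's
# field names; the single-file layout is an assumption. PID 4120 is reused.
SAMPLE_CSV = r"""EventID,UtcTime,ProcessId,Image,CommandLine,DestinationIp,DestinationPort
1,2024-05-01 10:00:00.000,4120,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs,,
3,2024-05-01 10:00:05.000,4120,C:\Windows\System32\svchost.exe,,10.0.0.5,445
1,2024-05-01 10:01:00.000,5208,C:\Windows\System32\rundll32.exe,rundll32.exe stage.dll,,
3,2024-05-01 10:01:01.000,5208,C:\Windows\System32\rundll32.exe,,203.0.113.7,443
3,2024-05-01 10:02:01.000,5208,C:\Windows\System32\rundll32.exe,,203.0.113.7,443
3,2024-05-01 10:03:01.000,5208,C:\Windows\System32\rundll32.exe,,203.0.113.7,443
3,2024-05-01 10:04:02.000,5208,C:\Windows\System32\rundll32.exe,,203.0.113.7,443
1,2024-05-01 10:05:00.000,4120,C:\Program Files\Microsoft Office\WINWORD.EXE,WINWORD.EXE /n,,
3,2024-05-01 10:05:03.000,4120,C:\Program Files\Microsoft Office\WINWORD.EXE,,198.51.100.9,80
3,2024-05-01 10:06:00.000,9999,C:\Windows\System32\curl.exe,,192.0.2.1,80
"""

# Illustrative watchlists (assumption, not a complete LOLBAS or Office list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_time(s):
    """Sysmon UtcTime looks like '2024-05-01 10:00:00.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def load_events(text):
    """Per-PID process-create history (time-sorted) plus a list of connects."""
    creates, connects = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(text)):
        t = parse_time(row["UtcTime"])
        if row["EventID"] == "1":
            creates[int(row["ProcessId"])].append((t, row))
        elif row["EventID"] == "3":
            connects.append((t, row))
    for hist in creates.values():
        hist.sort(key=lambda x: x[0])
    connects.sort(key=lambda x: x[0])
    return creates, connects


def attribute(creates, pid, t):
    """PID lifecycle match: latest Event 1 for this PID at or before time t.
    PIDs are reused, so 'same PID' alone is wrong; the newest creation that
    precedes the connection owns it. Returns (create_time, row) or None."""
    best = None
    for create_time, row in creates.get(pid, []):
        if create_time > t:
            break
        best = (create_time, row)
    return best


def is_beaconing(times, min_count=4, max_cv=0.2):
    """>= min_count connects whose inter-arrival gaps are near-constant
    (coefficient of variation <= max_cv). Thresholds are illustrative."""
    if len(times) < min_count:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def correlate(text):
    """Attribute every Event 3 to a process instance and attach flags."""
    creates, connects = load_events(text)
    series = defaultdict(list)   # (pid, create_time, dst, port) -> connect times
    rows = []
    for t, row in connects:
        pid = int(row["ProcessId"])
        hit = attribute(creates, pid, t)
        create_time, proc = hit if hit else (None, None)
        image = proc["Image"] if proc else row["Image"]  # Event 3 carries Image too
        exe = ntpath.basename(image).lower()
        flags = (["unattributed"] if proc is None else []) \
            + (["lolbin"] if exe in LOLBINS else []) \
            + (["office"] if exe in OFFICE else [])
        key = (pid, create_time, row["DestinationIp"], row["DestinationPort"])
        series[key].append(t)
        rows.append({"time": row["UtcTime"], "pid": pid, "image": image,
                     "cmdline": proc["CommandLine"] if proc else None,
                     "dst": row["DestinationIp"], "port": int(row["DestinationPort"]),
                     "flags": flags, "_key": key})
    for r in rows:              # second pass: beaconing needs the whole series
        if is_beaconing(series[r.pop("_key")]):
            r["flags"].append("beaconing")
    return rows


if __name__ == "__main__":
    for r in correlate(SAMPLE_CSV):
        print(r["time"], r["pid"], ntpath.basename(r["image"]),
              f"{r['dst']}:{r['port']}", ",".join(r["flags"]) or "-")
```

The PID-reuse rows are the point of the lifecycle match: PID 4120 is svchost.exe at 10:00 and WINWORD.EXE at 10:05, so a plain PID join would hand the Office connection to svchost, while attribute() picks the newest creation that precedes the connection. The same function applies unchanged to a netstat snapshot (which carries only a PID and the snapshot time) and to Security 4688 rows once the hex New Process ID is converted to decimal.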