Sysmon
System Monitor (Sysmon) is a Windows system service and device driver that, once installed,
stays resident across reboots and logs system activity to the Windows event log (the
Microsoft-Windows-Sysmon/Operational channel). It records detailed information about process
creations (including the full command line and the parent process), network connections, and
changes to file creation time, with the set of logged events controlled by an XML
configuration file supplied at install time. Sysmon does not analyze anything itself: you
collect the events it generates with Windows Event Collection or a SIEM agent and analyze them
centrally to identify anomalous or malicious activity and to understand how intruders and
malware operate on your network. Forward the events off the host promptly, because they are
only as durable as the local event log, which an intruder with administrator rights can clear.
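The three event types named above are most useful when correlated rather than read one by one. The following added example (not code from Sysmon or Microsoft) shows that analysis step offline: it parses Sysmon events in the Windows event XML shape (Event ID 1 process creation, 2 file creation time changed, 3 network connection), joins them on ProcessGuid, and flags an executable launched from a user-writable path that makes an outbound connection and then moves its own file creation time backwards. The sample events, GUIDs, IP addresses and path heuristics are constructed for illustration.

```python
"""Offline triage of Sysmon events exported as Windows event XML.

Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel; the sample
events below are CONSTRUCTED in that XML shape, not captured from a real host.
Event ID 1 = process creation, 2 = file creation time changed, 3 = network connection.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # format of UtcTime / CreationUtcTime fields
# Hypothetical heuristic: locations a non-admin user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def make_event(event_id, **data):
    """Build one CONSTRUCTED Sysmon event in the Windows event XML shape."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>')


# Constructed scenario: a benign service, plus an Office-spawned binary in %TEMP%
# that connects out and then resets its own file creation time. GUIDs/IPs are made up.
SVCHOST = "{11111111-2222-3333-4444-555555555555}"
DROPPER = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
SAMPLE_EVENTS = [
    make_event(1, ProcessGuid=SVCHOST, Image=r"C:\Windows\System32\svchost.exe",
               CommandLine="svchost.exe -k netsvcs", ParentImage=r"C:\Windows\System32\services.exe"),
    make_event(1, ProcessGuid=DROPPER, Image=r"C:\Users\alice\AppData\Local\Temp\update.exe",
               CommandLine="update.exe -s",
               ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    make_event(3, ProcessGuid=SVCHOST, Image=r"C:\Windows\System32\svchost.exe", Initiated="true",
               DestinationIp="203.0.113.10", DestinationPort="443"),
    make_event(3, ProcessGuid=DROPPER, Image=r"C:\Users\alice\AppData\Local\Temp\update.exe",
               Initiated="true", DestinationIp="198.51.100.7", DestinationPort="4444"),
    make_event(2, ProcessGuid=DROPPER, Image=r"C:\Users\alice\AppData\Local\Temp\update.exe",
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\update.exe",
               CreationUtcTime="2019-03-01 10:00:00.000",
               PreviousCreationUtcTime="2024-05-02 09:12:33.120"),
]


def parse_event(xml_text):
    """Return the EventData fields of one event as a dict, plus its integer EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data


def is_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def triage(xml_events):
    """Correlate EID 1/2/3 on ProcessGuid and return a list of finding dicts."""
    events = [parse_event(x) for x in xml_events]
    # ProcessGuid is unique per process lifetime and stamped on its EID 2/3 events,
    # unlike the PID, which Windows reuses; key the EID 1 context by it.
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1 and is_user_writable(e["Image"]):
            findings.append({"rule": "exec-from-user-writable-path", "guid": e["ProcessGuid"],
                             "image": e["Image"],
                             "detail": f'parent={e.get("ParentImage")} cmd={e.get("CommandLine")}'})
        elif e["EventID"] == 3 and e.get("Initiated") == "true":
            proc = procs.get(e["ProcessGuid"])
            if proc is not None and is_user_writable(proc["Image"]):
                findings.append({"rule": "outbound-from-user-writable-process",
                                 "guid": e["ProcessGuid"], "image": e["Image"],
                                 "detail": f'{e["DestinationIp"]}:{e["DestinationPort"]} '
                                           f'parent={proc.get("ParentImage")}'})
        elif e["EventID"] == 2:
            new = datetime.strptime(e["CreationUtcTime"], SYSMON_TIME)
            old = datetime.strptime(e["PreviousCreationUtcTime"], SYSMON_TIME)
            if new < old:  # creation time pushed into the past: classic timestomping
                findings.append({"rule": "creation-time-moved-backwards", "guid": e["ProcessGuid"],
                                 "image": e["Image"],
                                 "detail": f'{e["TargetFilename"]} {old} -> {new}'})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["rule"]:36} {f["image"]}  {f["detail"]}')
```

On a live host the same XML comes from `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational` with `.ToXml()` on each record, or from the SIEM that the events are forwarded to; the join on ProcessGuid is the part worth keeping, since PID-based correlation breaks as soon as Windows reuses a process ID.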