Microsoft has a very popular tool (part of the SysInternals) called Sysmon[1]. It is a system service and device driver designed to monitor and log system activity, including very useful events like process creations, network connections, DNS requests, file changes, and more. This tool is deployed by many organizations because it's a great companion to expand the visibility of your Windows environments. Many SOCs rely on it to perform investigations and hunting.
This article has been indexed from SANS Internet Storm Center, InfoCON: green