Driverless and userland live forensics with Event Tracing for Windows (ETW) to track suspicious network behaviour

Analysis should not rely only on beautiful dashboards in your SIEM

What is ETW?

Event Tracing for Windows architecture
logman query providers
Monitoring network using ETW listener on the whole protocol stack

Start with what you want to detect and then collect the necessary information, not the opposite
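The two slides above (monitoring the whole stack with a userland ETW listener, and collecting only what the detection question needs) can be turned into a single workflow. The following PowerShell script is an added example, not code from the talk: it uses only the built-in logman.exe and Get-WinEvent, so no driver is loaded. The session name NetForensics, the output path C:\etw\net.etl, the 60-second capture window, the choice of the Microsoft-Windows-Kernel-Network provider, its event IDs and field names, and the fan-out threshold are all assumptions made for the example.

```powershell
# Added example (not from the original slides). Run from an elevated PowerShell:
# ETW kernel providers need administrative rights to be enabled.
#
# Assumptions: session name, file path, provider choice, event IDs, field names
# and the threshold below are illustrative and not taken from the page.
$Session   = 'NetForensics'
$Provider  = '{7DD42A49-5329-4832-8DFD-43D979153A88}'   # Microsoft-Windows-Kernel-Network
$EtlPath   = 'C:\etw\net.etl'
$Seconds   = 60
$Threshold = 20    # distinct destinations per process before we flag it (assumed)

New-Item -ItemType Directory -Path (Split-Path $EtlPath) -Force | Out-Null

# 1. Decide what to collect: list the providers that describe the network stack.
#    The same command as on the slide, filtered to the candidates of interest.
logman query providers | Select-String -Pattern 'Network|TCPIP|DNS|Winsock|WebIO'

# 2. Start a trace session straight in the ETW subsystem (-ets: no persisted
#    data collector set). Keyword mask 0xff..ff and level 0xff = everything the
#    provider emits; narrow these once you know which events answer your question.
logman create trace $Session -p $Provider 0xffffffffffffffff 0xff -o $EtlPath -ets

# 3. Let the system run, then stop; the .etl is finalised when the session stops.
Start-Sleep -Seconds $Seconds
logman stop $Session -ets

# 4. Read the trace from user mode. -Oldest is required for .etl files.
$events = Get-WinEvent -Path $EtlPath -Oldest

# Event IDs of Microsoft-Windows-Kernel-Network used here (assumption, check the
# manifest on your build): 12 TCPv4 connect, 15 TCPv4 accept, 42 UDPv4 send.
$kinds = @{ 12 = 'tcp-connect'; 15 = 'tcp-accept'; 42 = 'udp-send' }

$rows = foreach ($e in $events) {
    if (-not $kinds.ContainsKey($e.Id)) { continue }
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time  = $e.TimeCreated
        Kind  = $kinds[$e.Id]
        PID   = [int]$d['PID']          # field names 'PID', 'daddr', 'dport' are assumed
        Dest  = '{0}:{1}' -f $d['daddr'], $d['dport']
    }
}

# 5. The detection question: which processes fan out to many distinct destinations
#    in a short window (beaconing, scanning, lateral movement)?
$suspects = $rows | Group-Object PID | ForEach-Object {
    $dests = $_.Group.Dest | Sort-Object -Unique
    [pscustomobject]@{
        PID          = $_.Name
        # The process may already be gone; resolve the name only if it still exists
        # and never trust that a live PID is the same process that produced the events.
        ProcessNow   = (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName
        Events       = $_.Count
        Destinations = $dests.Count
        Sample       = ($dests | Select-Object -First 5) -join ', '
    }
} | Where-Object { $_.Destinations -ge $Threshold } | Sort-Object Destinations -Descending

$suspects | Format-Table -AutoSize
```

The process name is looked up after the capture, so for a process that exited during the window only the PID survives; if attribution matters, enable a process-lifetime provider (for example Microsoft-Windows-Kernel-Process) in the same session and correlate on PID and start time rather than querying the live process table.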

ETW architecture