One of the critical questions we ask is: "Where did this process come from?"
The context of where a process came from is important in establishing the initial access vector!
We could collect all process execution from all endpoints, but:
psexec.exe /s powershell
ping.exe www.google.com
curl.exe -o script.ps1 https://www.google.com/
notepad.exe
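
An added example, not part of the original page: answering "where did this process come from?" from process-creation records by walking parent links while accounting for PID reuse. The command lines are the ones listed above; the PIDs, timestamps and parent/child links are constructed for illustration, and the names `Proc`, `find_parent` and `ancestry` are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    start: int                  # creation time in seconds (constructed)
    cmdline: str
    end: Optional[int] = None   # exit time, None while still running


# Constructed sample records. Command lines come from the page; PIDs, times
# and parent links are assumptions. PID 4200 is used twice: first by
# notepad.exe, then (after it exits) by powershell.
EVENTS = [
    Proc(4200, 900, 1, "notepad.exe", end=5),
    Proc(4100, 900, 10, "psexec.exe /s powershell"),
    Proc(4200, 4100, 12, "powershell"),
    Proc(4300, 4200, 20, "ping.exe www.google.com", end=25),
    Proc(4400, 4200, 30, "curl.exe -o script.ps1 https://www.google.com/", end=33),
]


def find_parent(child: Proc, procs: List[Proc]) -> Optional[Proc]:
    """Return the process that owned child.ppid at the moment child started.

    Matching on PID alone is wrong once a PID has been reused, so the
    candidate must also have been alive at the child's creation time.
    """
    for p in procs:
        alive = p.start <= child.start and (p.end is None or p.end >= child.start)
        if p is not child and p.pid == child.ppid and alive:
            return p
    return None  # parent started before collection began, or was never recorded


def ancestry(proc: Proc, procs: List[Proc]) -> List[str]:
    """Command lines from proc up to the oldest recorded ancestor."""
    chain = [proc]
    while (parent := find_parent(chain[-1], procs)) is not None and parent not in chain:
        chain.append(parent)
    return [p.cmdline for p in chain]


if __name__ == "__main__":
    for proc in EVENTS:
        print(" <- ".join(ancestry(proc, EVENTS)))
```
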