Description: This query gets the currently open sockets from the endpoints - useful in Incident Response
Tested on Windows 7/10, macOS 10.14.5 and CentOS 7.7-1908
What The Data Shows: This provides you with the open sockets on the endpoint, joined to the owning process, so you can see the local and remote address and port, as well as the PID, username, process name, path and command line. The remote_port != 0 filter keeps only sockets that have a peer (established or in-flight connections) and drops listening sockets; the inner join to users drops processes whose uid has no entry in the users table, so use a LEFT JOIN if you want those rows too.
select p.pid, p.name, p.path, p.cmdline, u.username,
       pos.protocol, pos.local_address, pos.local_port,
       pos.remote_address, pos.remote_port
from processes as p
join users as u on p.uid = u.uid
join process_open_sockets as pos on p.pid = pos.pid
where pos.remote_port != 0;
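A variant of the same query for triage, added here as an example and not part of the original pack: it uses a LEFT JOIN so processes with an unresolvable uid are not silently dropped, excludes loopback peers, and adds the socket state where the platform provides it. The exclusion of 127.0.0.0/8 and ::1 and the state column are my assumptions about what an analyst wants first; the column and table names are osquery's.

```sql
-- Added example (not from the original pack): remote connections with owning
-- process, keeping rows whose uid has no users entry (username will be NULL).
select p.pid,
       p.name,
       p.path,
       p.cmdline,
       u.username,                -- NULL when the uid is not in users
       pos.protocol,
       pos.local_address,
       pos.local_port,
       pos.remote_address,
       pos.remote_port,
       pos.state                  -- e.g. ESTABLISHED; not populated on every platform
from processes as p
left join users as u on p.uid = u.uid
join process_open_sockets as pos on p.pid = pos.pid
where pos.remote_port != 0
  -- assumption: loopback traffic is noise for first-pass triage
  and pos.remote_address not like '127.%'
  and pos.remote_address != '::1'
order by pos.remote_address, pos.remote_port;
```

Run it with osqueryi for a one-off look, or schedule it in a pack with a short interval and "removed": false so the differential log records each new connection once.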