Description: This query returns the currently open sockets on the endpoint, joined to the owning process and user. Useful in incident response for spotting unexpected outbound connections.
Tested on Windows 7/10, macOS 10.14.5 and CentOS 7.7-1908
What The Data Shows: One row per open socket that has a remote peer: local and remote address/port, plus the PID, username, process name, executable path and command line. Listening and unconnected sockets (remote_port = 0) are excluded by the WHERE clause, so use a query without that filter when you also need to enumerate listeners. Note that path and cmdline are only populated for processes osquery has permission to inspect, so run as root/SYSTEM for complete results.
select u.username, p.pid, p.name, pos.local_address, pos.local_port, p.path, p.cmdline, pos.remote_address, pos.remote_port
from processes as p
join users as u on u.uid = p.uid
join process_open_sockets as pos on pos.pid = p.pid
-- remote_port is an INTEGER column; 0 means the socket is listening or has no peer yet
where pos.remote_port != 0
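A variant of the same join, added here as an example rather than part of the original query, that keeps listening sockets, labels the protocol and drops loopback-only traffic, which is usually the triage view you want during an incident. It assumes the osquery `process_open_sockets` columns `protocol`, `family` and `state`; `state` is only populated on platforms where osquery exposes TCP state, so expect it to be empty on some hosts.

```sql
-- Added example (not from the original page): open sockets with protocol label,
-- listener flag and loopback filtering, for incident-response triage.
select
  u.username,
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  case pos.protocol
    when 6  then 'tcp'
    when 17 then 'udp'
    else cast(pos.protocol as text)
  end as proto,
  pos.family,                       -- address family as reported by the OS (AF_INET/AF_INET6)
  pos.local_address,
  pos.local_port,
  pos.remote_address,
  pos.remote_port,
  pos.state,                        -- assumption: TCP state, empty where unsupported
  case when pos.remote_port = 0 then 1 else 0 end as is_listener
from process_open_sockets as pos
join processes as p on p.pid = pos.pid
left join users as u on u.uid = p.uid   -- left join so rows survive when uid lookup fails
where
  -- keep listeners (remote_port = 0) and established peers, drop loopback-only sockets
  pos.remote_address not in ('127.0.0.1', '::1', '')
  or pos.remote_port = 0
order by is_listener desc, p.name, pos.local_port;
```

The `left join` to `users` matters on hosts where a process runs under a uid that has no entry in the `users` table (service accounts on Windows, orphaned uids on Linux); the original inner join silently drops those rows, which is exactly the case an investigator least wants to miss.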