sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=3 Protocol=tcp Initiated=true | where DestinationIp!="127.0.0.1" AND DestinationHostname!=SourceHostname| table _time User Computer
 ProcessId ProcessGuid DestinationHostname DestinationPort | join type=inner