Microsoft's Sysinternals just came out with a new tool called Sysmon. Here's their description:
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
That sounds like a really useful tool to me. Windows is capable of some native process creation tracking, but not with the detail Sysmon offers (hashes of process image files!), and being able to track connections would be invaluable. Being able to pull this data into LEM would be a huge security win.
I've submitted it in a support ticket, but what does everyone think? Potentially useful?
More details on Sysmon can be found at http://technet.microsoft.com/en-us/sysinternals/dn798348.