When an analyst thinks they have found the root cause, they should ask "Why?" five times to drill down to the fundamental failure.
Windows EID 4688 – cmd.exe spawning powershell.exe downloading file from hxxp[:]//tiny[.]one/2k9js