and then determine if that process (or its parent process) had a socket connection open (
). Even then, a process could have multiple connections open. There is no direct line of cause from file change back to remote IP address. Every packet would have to be traced from ingress to process receiving it and then traced through that process's execution to perform an analysis of actions it might have caused.
could be one but u will probably need another to associate it with an IP For example on windows combining the data/timestamps from
with IIS logs u may be able to associate it with an IP