To prepare for an eventual compromise, we've got a handful of queries that we collect the output from every 15 minutes, but before that we had these queries listed in our incident response guide as reasonable ones to build confidence before accessing the host in question:
• SELECT * FROM processes;
• SELECT * FROM process_envs;
• SELECT * FROM process_events;
• SELECT * FROM process_open_files;
• SELECT * FROM launchd;
• SELECT * FROM listening_ports;
• SELECT * FROM process_open_sockets;
It's worth noting that we're a Linux/macOS shop; you may have different interesting tables on Windows.
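The tables listed above can also be joined so that triage output ties each socket to the process that owns it. This is an added example, not part of the original comment; the aliases, column selection and filters are assumptions chosen for illustration, using tables and columns from the osquery schema.

```sql
-- Added example: narrowed triage queries over the same osquery tables.
-- Filters and column choices are illustrative assumptions, not the
-- original author's queries.

-- 1. Listening sockets with the owning process and its command line.
SELECT lp.address, lp.port, lp.protocol,
       p.pid, p.name, p.path, p.cmdline, p.uid
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0            -- skip UNIX domain sockets, which report port 0
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer present on disk.
SELECT pid, name, path, cmdline, parent, uid, start_time
FROM processes
WHERE on_disk = 0;

-- 3. Sockets with a non-loopback remote peer, with the owning process.
SELECT p.pid, p.name, p.path,
       s.local_port, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1');

-- 4. Files held open by the processes found in query 2, to see what a
--    process with a missing binary is reading or writing.
SELECT p.pid, p.name, f.fd, f.path AS open_file
FROM processes AS p
JOIN process_open_files AS f USING (pid)
WHERE p.on_disk = 0;
```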