When we have a socket with a remote IP of, e.g., 10.0.0.2, could it make sense to show a provenance edge between that socket and the machine that has that IP? That could help us see visually how the different parts of the attack operation are related to a single C&C server (or, alternatively, to different machines).