Hi.
I'm currently evaluating the SIEM app for integration in our security workflows, and converting most of our datasets to ECS for that purpose. I'm puzzled by the existence of both client/server and source/destination for network connections. The doc says:
"Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations."
I'm curious in which situations this extra semantic context is meaningful. Are there any cases where the source is not the client or the destination not the server? Are there any cases where we would have a source/destination but no client/server?