Group anomalous network-call detections by process to distinguish legitimate VPN daemons (tailscaled, twingate, etc.) from other processes needing per-destination review. Returns per-process count, distinct endpoints, sample detections, and a suggested suppression rule for VPN processes.
Apache 2.0