2 ACCEPTED SOLUTIONS
Accepted Solutions
Hmm...interesting...
Those aliases are set and controlled by the service index XMLs, and are intended to allow for easier understanding of various content (e.g.: some folks might not immediately understand what service=80 means, but they'll understand what service=HTTP means).
That said, I don't believe those content exports should be maintaining the alias'd names in their outputs, especially since we intend some outputs to be used in the other NW features, like the ESA testing window.
What method are you using to view/output the raw alert details?
In my lab (v 11.5.3.1), I am not seeing the service alias names in the alert details (left is the raw alert within Respond, right is the raw alert written to disk):
We're running 11.5.0, and I'm just exporting meta from the Event Viewer, and pasting it into the ESA test window. That's where I get the error about the type mismatch. (you can see it does the same thing to "ip.proto")
Hmm...interesting...
Those aliases are set and controlled by the service index XMLs, and are intended to allow for easier understanding of various content (e.g.: some folks might not immediately understand what service=80 means, but they'll understand what service=HTTP means).
That said, I don't believe those content exports should be maintaining the alias'd names in their outputs, especially since we intend some outputs to be used in the other NW features, like the ESA testing window.
