Hello,
I recently blogged about my experiences around detecting domains in alias.host field created by Domain Generating algorithms within investigator by using some regex. I'm not sure if the community allows link outs but I have screenshots and such there that would be a bit cumbersome to recreate here. Also I wanted to get the word out about the home version of Investigator for people toying with info sec at home to the 3 or so people that stumble upon my blog a month. 
I'm interested in any more information around the syntax for regex within investigator. I view it as powerful as the regex abilities of an IDS signature, which I guess informer alerts would qualify as.
https://scottfromsecurity.com/blog/2012/10/28/rsa-netwitness-investigator-regular-expressions
If there is an issue around posting links, just let me know. I didn't really see a "community rules" sticky.
