2016-03-23 03:06 PM
I'm trying to understand what this field is.
For instance, when I search alias.host contains "bar", why do I get results that do not contain "bar"?
Is it because it contains both source and destination host names?
2016-03-24 04:53 AM
Hi
alias.host is a metakey and it will be populated by parsers or feeds.
For example, if you look at the table-map-custom.xml or table-map.xml file on the logdecoder, this tells you which keys in the log parser will be mapped to the Security Analytics meta keys.
For instance in table-map.xml the following keys map to alias host.
<mapping envisionName="devicehostname" nwName="alias.host" flags="None"/>
<mapping envisionName="hostid" nwName="alias.host" flags="None"/>
<mapping envisionName="hostname" nwName="alias.host" flags="None"/>
<mapping envisionName="r_hostid" nwName="alias.host" flags="None"/>
<mapping envisionName="web_host" nwName="alias.host" flags="None" envisionDisplayName="WebHost"/>
<mapping envisionName="web_ref_host" nwName="alias.host" flags="None"/>
<mapping envisionName="workstation" nwName="alias.host" flags="None" envisionDisplayName="HostName"/>
For Packet Parsers, what gets mapped to alias.host is defined by the parser author. For example, the http_lua parser will write a website host name into alias.host.
Regarding the question: when you search alias.host contains "bar", why do you get results that do not contain "bar"?
This is because Security Analytics is session based. A session is either a TCP Session for packets, or a line of a log. For example if a user browses a web page in a single session then there will be multiple alias.host entries captured in that session. There might be the original web page requested, and then further links to other web content such as pictures or referring sites. All of these will generate alias.host meta within a single session.
When you do alias.host contains "bar" this will return the session where there was alias.host containing "bar". There might also be other alias.host within this session and these will also be displayed.
Let me know if this isn't clear.
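To illustrate the session-based behaviour described in the answer above, here is an added Python example (not from the original post and not RSA's code): it reads a constructed table-map.xml style fragment, maps parser keys to meta keys the way the answer describes, and shows that a session-level `alias.host contains "bar"` query returns whole sessions, which can carry alias.host values that do not contain "bar". The sample mappings, log values and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of table-map.xml (not the real file).
TABLE_MAP_XML = """<mappings>
<mapping envisionName="hostname" nwName="alias.host" flags="None"/>
<mapping envisionName="web_host" nwName="alias.host" flags="None"/>
<mapping envisionName="web_ref_host" nwName="alias.host" flags="None"/>
<mapping envisionName="username" nwName="user.dst" flags="None"/>
</mappings>"""


def load_table_map(xml_text):
    """Return {envisionName: nwName} from <mapping> elements."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): m.get("nwName") for m in root.iter("mapping")}


def build_session(parsed_log, table_map):
    """Map parser keys to meta keys; one session keeps every value it saw."""
    meta = {}
    for key, value in parsed_log:
        nw_key = table_map.get(key)
        if nw_key is None:
            continue  # parser key with no mapping produces no meta
        meta.setdefault(nw_key, []).append(value)
    return meta


def query_contains(sessions, key, needle):
    """Session-level query: whole sessions where ANY value of key contains needle."""
    return [s for s in sessions if any(needle in v for v in s.get(key, []))]


# Constructed parser output: (parser key, value) pairs for three sessions.
PARSED_LOGS = [
    [("hostname", "proxy01"), ("web_host", "www.bar-example.test"),
     ("web_ref_host", "cdn.other.test"), ("username", "alice")],
    [("hostname", "proxy01"), ("web_host", "www.baz.test")],
    [("hostname", "barhost"), ("username", "bob")],
]


def run():
    table_map = load_table_map(TABLE_MAP_XML)
    sessions = [build_session(log, table_map) for log in PARSED_LOGS]
    hits = query_contains(sessions, "alias.host", "bar")
    # Hits are whole sessions, so some alias.host values in them lack "bar".
    non_matching = [v for s in hits for v in s["alias.host"] if "bar" not in v]
    return hits, non_matching
```

Filtering the displayed meta values by the same substring after the query is what narrows the view to the matching hosts only.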