
Odd response to Investigator queries

Question asked by Mike Kupec on Sep 6, 2016
Latest reply on Sep 6, 2016 by Mike Kupec

I have a question about how the query function in Investigator is supposed to work. 

If I do a query on a meta value like ip.src such as: ip.src = 128.177.108.37

The results will show just 128.177.108.37 in meta value Source IP Address (ip.src) along with everything associated with it within Investigator.

 

However, if I do the same kind of filter on a meta key like "filename" like so: filename = 'index.php'

I get that entry listed in the filename meta value plus lots of other file names. 

 

Shouldn't it filter out all the other filenames? Or is this SOP for the way Investigator queries work?

 

Currently running 10.6.1.0 BTW. 
