Is there any way to have alias.host populate for various devices during collection without using a custom feed that one needs to maintain? This seems like a lot of work to maintain a DNS mapping when Security Analytics should be doing this as ingest/collection. The parser itself does not contain the alias.host meta value for many devices (rhlinux for example) and so this value is empty -- in Investigator view, you only see a list of devices for device.ip but alias.host is empty.
The alias.host value is for the host names of websites, not network devices. For example, in a rule: "alias.host = google.com".