Hello,
I recently blogged about my experiences around detecting domains in the alias.host field created by Domain Generating Algorithms within Investigator by using some regex. I'm not sure if the community allows link-outs, but I have screenshots and such there that would be a bit cumbersome to recreate here. Also, I wanted to get the word out about the home version of Investigator for people toying with info sec at home, to the 3 or so people that stumble upon my blog a month.
I'm interested in any more information around the syntax for regex within Investigator. I view it as being as powerful as the regex abilities of an IDS signature, which I guess Informer alerts would qualify as.
https://scottfromsecurity.com/blog/2012/10/28/rsa-netwitness-investigator-regular-expressions
If there is an issue around posting links, just let me know. I didn't really see a "community rules" sticky.
Regex content searching or queries within Investigator follows the Perl regex conventions.
In addition, when using it as part of a query, you should place quotes around your expression and escape any quotes in your expression using a backslash.
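As an added illustration (not code from either post or from the linked blog), the following Python uses a Perl-compatible pattern to flag DGA-looking labels in constructed alias.host values and then quotes and backslash-escapes the expression as the reply describes; the heuristic itself (a 10+ character label containing a run of four or more consonants) is an assumption for demonstration, not the blog's regex.

```python
import re

# Constructed sample alias.host values (not taken from the blog or the posts).
SAMPLE_HOSTS = [
    "www.example.com",
    "secure-update.example.com",
    "xkqzvbtrplwmdh.net",
    "cdn7.fjdk3lwq9zmp.info",
    "login.microsoft.com",
]

# Assumed heuristic in Perl-compatible syntax: a hostname label of 10 or more
# characters that contains four or more consonants in a row. The lookahead
# anchors on a whole label (no dots), the rest finds the consonant run.
# Python's re engine accepts this subset of Perl regex unchanged.
DGA_PATTERN = r"(?i)(?=[a-z0-9-]{10,}\.)[a-z0-9-]*[bcdfghjklmnpqrstvwxz]{4,}"
_DGA_RE = re.compile(DGA_PATTERN)


def looks_dga(host: str) -> bool:
    """Return True when any label in host matches the assumed DGA heuristic."""
    return _DGA_RE.search(host) is not None


def flag_hosts(hosts):
    """Return the subset of hosts that the heuristic flags, in input order."""
    return [h for h in hosts if looks_dga(h)]


def quote_for_query(pattern: str) -> str:
    """Wrap a regex in double quotes and backslash-escape embedded quotes,
    which is the form the reply says a query expression needs."""
    return '"' + pattern.replace('"', '\\"') + '"'


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:30} {'DGA-like' if looks_dga(host) else 'ok'}")
    print("query form:", quote_for_query(DGA_PATTERN))
    # An expression containing a literal quote gets the backslash treatment:
    print("escaped   :", quote_for_query(r'host\d+"'))
```

Tune the label length and consonant-run thresholds against your own traffic; long legitimate labels such as secure-update pass because they lack the consonant run.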