EDR: Why does the highlights ioc_attr have PREPREPRE and POSTPOSTPOST tags?

EDR: Why does the highlights ioc_attr have PREPREPRE and POSTPOSTPOST tags?

search cancel

EDR: Why does the highlights ioc_attr have PREPREPRE and POSTPOSTPOST tags?

book

Article ID: 290290

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why do the 'highlights' values contain random PREPREPRE and POSTPOSTPOST tags around words?

Environment

EDR Server: All Supported Versions
Event Forwarder

Resolution

The PREPREPRE/POSTPOSTPOST are tags the Server adds to watchlist events to highlight terms related to the query. These are used for highlighting the event body in an e-mail notification.
It appears ONLY in the "highlighting" field.

Additional Information

Multiple alerts may have these values for the same process in different locations depending on each watchlist query that matches on the process

Feedback

thumb_up Yes

thumb_down No