
EDR: Why does the highlights ioc_attr have PREPREPRE and POSTPOSTPOST tags?

Environment

  • EDR Server: All Supported Versions
  • Event Forwarder

Question

Why do the 'highlights' values in ioc_attr contain seemingly random PREPREPRE and POSTPOSTPOST tags around some words?

Answer

  • PREPREPRE and POSTPOSTPOST are markers the EDR Server inserts into watchlist hit events around the terms that matched the watchlist query. They are not random: each PREPREPRE/POSTPOSTPOST pair brackets one matched term, and the Server uses them to highlight (bold) the matched terms in the event body of an e-mail notification.
  • The markers appear ONLY in the "highlights" field of ioc_attr. The other fields of the event (process name, command line, and so on) carry the original, unmarked values, so parse those fields rather than the highlight text when you need the real event data.

Additional Notes

A process that matches several watchlists generates one alert per watchlist. Each alert carries the markers only around the terms that its own watchlist query matched, so several alerts for the same process can show PREPREPRE/POSTPOSTPOST in different places.
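Because the markers are literal strings in the JSON the Event Forwarder emits, every downstream consumer (a SIEM parser, a ticketing hook, a custom notifier) sees them too. The following Python example is added here and is not code from this article or from the EDR product; it shows one way to handle the markers described in the Answer and in the note above: extract the matched terms, strip the markers before indexing, or turn them into HTML bold for a notification, and keep per-watchlist matches separate when the same process hits several watchlists. The two sample alerts, the process_guid value, the exact nesting of `highlights` under `ioc_attr`, and the "field: value" layout of each highlight string are all constructed for illustration; check them against your own forwarder's output before relying on the field paths.

```python
import json
import re
from html import escape

# Marker strings the EDR Server wraps around query-matched terms.
PRE = "PREPREPRE"
POST = "POSTPOSTPOST"
# Non-greedy so adjacent marked terms in one string are captured separately.
_MARKED = re.compile(re.escape(PRE) + r"(.*?)" + re.escape(POST), re.DOTALL)


def matched_terms(text):
    """Return the terms the Server marked, in the order they appear."""
    return _MARKED.findall(text)


def strip_markers(text):
    """Return the plain text of a highlight with all markers removed.

    Paired markers are dropped first; any unpaired leftover (for example
    from a truncated highlight) is then removed so nothing leaks into an index.
    """
    plain = _MARKED.sub(r"\1", text)
    return plain.replace(PRE, "").replace(POST, "")


def to_html(text):
    """Render a highlight as HTML with the matched terms in <b>.

    The text is HTML-escaped before the markers are rewritten, so event
    content such as '<script>' inside a command line cannot inject markup
    into a notification; only the marker pairs become tags.
    """
    return _MARKED.sub(r"<b>\1</b>", escape(text))


def normalize_hit(event):
    """Copy a watchlist hit, adding marker-free highlights and matched terms.

    Assumption: highlights live at event["ioc_attr"]["highlights"] as a list
    of strings. Missing keys yield empty results rather than an exception.
    """
    highlights = (event.get("ioc_attr") or {}).get("highlights") or []
    out = dict(event)
    out["highlights_plain"] = [strip_markers(h) for h in highlights]
    out["matched_terms"] = sorted({t for h in highlights for t in matched_terms(h)})
    return out


def terms_by_watchlist(events):
    """Map each alert's watchlist name to the terms its own query matched.

    The same process can appear in several alerts, one per matching
    watchlist, each with markers in different places.
    """
    return {e.get("watchlist_name", "?"): normalize_hit(e)["matched_terms"]
            for e in events}


# Constructed sample alerts: the same process hit by two watchlists.
# Field layout and values are illustrative, not captured from a real forwarder.
SAMPLE_HITS = json.loads("""
[
  {
    "type": "watchlist.hit.process",
    "watchlist_name": "Encoded PowerShell",
    "process_guid": "00000001-0000-0abc-01d8-000000000001",
    "ioc_attr": {
      "highlights": [
        "cmdline: PREPREPREpowershell.exePOSTPOSTPOST -nop -w hidden -PREPREPREencPOSTPOSTPOST SQBFAFgA"
      ]
    }
  },
  {
    "type": "watchlist.hit.process",
    "watchlist_name": "Hidden window",
    "process_guid": "00000001-0000-0abc-01d8-000000000001",
    "ioc_attr": {
      "highlights": [
        "cmdline: powershell.exe -nop -w PREPREPREhiddenPOSTPOSTPOST -enc SQBFAFgA"
      ]
    }
  }
]
""")


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        clean = normalize_hit(hit)
        print(clean["watchlist_name"], clean["matched_terms"], clean["highlights_plain"])
    print(terms_by_watchlist(SAMPLE_HITS))
```

Note that `strip_markers` is the right call before indexing the highlight text in a SIEM; searching the raw value for `powershell.exe` would otherwise miss it when the Server placed a marker in the middle of the token, as with `-enc` above. `to_html` escapes first and rewrites the markers second, which is the order that keeps event content from injecting markup into a rendered notification.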

Article Information
Creation Date:
04-11-2022