Enriched Event descriptions are preformatted for a user interface and contain some HTML-style markup. This markup can be stripped with a regular expression, although you may lose the context carried in the tags' attributes.
Required Product: Carbon Black Cloud Endpoint Standard
Required Data: Events (Data Forwarder) or Enrich CB Analytic Events (App Alert Action)
Example:
The application "<share><link hash="643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</link></share>" invoked the application "<share><link hash="f1f67830fc3531dfbdaf5315f59422438ab9f243d89491ac75d1818e7ed98b5d">C:\program files (x86)\google\update\googleupdate.exe</link></share>". The operation was <accent>blocked by Cb Defense</accent>.
becomes:
The application "C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" invoked the application "C:\program files (x86)\google\update\googleupdate.exe". The operation was blocked by Cb Defense.
To remove tags from Enriched Events:
eventtype="vmware_cbc_events" event_description="*" | rex mode=sed field=event_description "s/(<[^>]+>)//g" | table event_description
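As an added illustration (this is not from the Carbon Black Cloud or Splunk documentation), the following Python applies the same `<[^>]+>` substitution the search above uses and, before stripping, pulls the `hash` attribute out of each `<link>` tag so the context that plain stripping discards is kept in separate fields. The sample description is the one shown on this page; the function names and the output field names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the enriched event description shown on this page,
# with its <share>/<link hash="..."> and <accent> markup intact.
SAMPLE_DESCRIPTION = (
    'The application "<share><link hash="643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7">'
    'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</link></share>" '
    'invoked the application "<share><link hash="f1f67830fc3531dfbdaf5315f59422438ab9f243d89491ac75d1818e7ed98b5d">'
    'C:\\program files (x86)\\google\\update\\googleupdate.exe</link></share>". '
    'The operation was <accent>blocked by Cb Defense</accent>.'
)

# Same pattern as the Splunk "rex mode=sed" command: a '<', a run of non-'>' characters, then '>'.
TAG_RE = re.compile(r"<[^>]+>")

# A <link> tag with a 64-hex-digit hash attribute and the text it wraps; captured
# before the tags are removed so the hash is not lost along with the markup.
LINK_HASH_RE = re.compile(r'<link\s+hash="([0-9a-fA-F]{64})">(.*?)</link>', re.DOTALL)


def strip_tags(description: str) -> str:
    """Remove every markup tag, equivalent to: rex mode=sed field=event_description "s/(<[^>]+>)//g"."""
    return TAG_RE.sub("", description)


def extract_link_hashes(description: str) -> List[Tuple[str, str]]:
    """Return (hash, wrapped_text) pairs for each <link hash="..."> tag in the description."""
    return [(h.lower(), text) for h, text in LINK_HASH_RE.findall(description)]


def enrich(description: str) -> Dict[str, object]:
    """Build a flat record: the plain-text description plus the hashes and paths stripping would drop.

    Field names (event_description, process_hashes, process_paths) are hypothetical;
    only event_description matches the field used by the search on this page.
    """
    links = extract_link_hashes(description)
    return {
        "event_description": strip_tags(description),
        "process_hashes": [h for h, _ in links],
        "process_paths": [p for _, p in links],
    }


if __name__ == "__main__":
    record = enrich(SAMPLE_DESCRIPTION)
    print(record["event_description"])
    for h, p in zip(record["process_hashes"], record["process_paths"]):
        print(f"{h}  {p}")
```

Keeping the hashes alongside the stripped text means the description stays readable in a table while the SHA-256 values remain available for lookups against threat intelligence or for correlating the same binary across events.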