Token List

The following tokens are provided for you to customize notification messages for administrators and users.

Token ID

Description

%Product_Name%

Name of our product, Cloud App Security.

%Security_risk_name%

Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".

%action%

Action that Cloud App Security takes after detecting a security risk.

  • Replace with text or file: replace the file that violates a policy with a replacement text file

  • Quarantine: move the email message or file to a restricted access folder

  • Delete: delete the email message or file

  • Pass: deliver the email message or file unchanged, regardless of whether it violates a policy

  • Tag subject: add a tag to the message subject if the email message violates a policy

  • Move to Junk Email folder: move the email message to the user's Junk Email folder

  • Move to Spam: apply Gmail's system label "Spam" to the email message, so that the message is displayed only under the user's Spam label

  • Label email: include a label Risky (by Trend Micro) at the top of the email message in the user's mailbox

%date% %time%

  • For Exchange Online and Gmail: Date and time when an email message detected as containing a security risk was received

  • For SharePoint Online, OneDrive for Business, Microsoft Teams, Box, Dropbox, and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified

%foundin%

Location where a security risk was detected.

For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive for Business, Microsoft Teams, Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message.

%policy_name%

Name of a configured policy that was violated.

%sender%

Email address of the sender.

%violator%

Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive for Business, Microsoft Teams, Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%filename%

Name of a file violating a policy.

%suspicious_url%

Suspicious URL detected.

%risk_level%

There are five Web Reputation risk levels assigned to an analyzed URL:

  • Dangerous

  • Highly suspicious

  • Suspicious

  • Safe

  • Untested

There are five Virtual Analyzer risk levels assigned to an analyzed object:

  • High risk

  • Medium risk

  • Low risk

  • No risk

  • Unrated

%url_category%

Category of a suspicious URL detected.

There are more than 90 categories, such as "Spyware" and "Crack".

%dlptemplatename%

Name of a compliance template that triggers the Data Loss Prevention policy.

There are currently more than one hundred built-in templates.

%spam_category%

Category of a spam email message detected.

There are four spam categories supported by Cloud App Security:

  • BEC

  • Phishing

  • Ransomware

  • Malicious spam

  • Other spam

%detected_by%

Technology or method through which email messages and files were detected as containing a security threat. Options include:

  • Pattern-based scanning

  • Predictive Machine Learning

  • Suspicious Object list

  • Web Reputation

  • Antispam engine

  • Writing style analysis

  • Blocked sender list

  • Blocked URL list

  • Dynamic URL scanning

  • Computer vision

%file_format%

Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.

%violated_keyword%

Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.

The following tokens are provided for you to specify the content in Replacement text.

Token ID

Description

%FilterName%

Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects a violation by a file in the protected service, except for Exchange Online and Gmail.

Applicable filters include:

  • Malware Scanning

  • File Blocking

  • Web Reputation

  • Virtual Analyzer

  • Data Loss Prevention

  • Keyword Extraction (for Box only)

%action%

Options include Quarantine and Delete.

The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.

Token ID

Description

%expected_sender_displayname%

Display name of the high-profile user who is expected to be the real sender of an email message.

%action%

Action that Cloud App Security takes after detecting a probable BEC attack, which includes:

  • Tag subject

  • Add disclaimer

  • Pass

  • Move to Spam

%spam_category%

Category of a spam email message detected, which is BEC.

%date%

%time%

Date and time when a probable BEC attack was detected.

%foundin%

Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message.

%policy_name%

Name of a configured policy that was violated.

%detected_by%

Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.

%sender%

Email address of the sender.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%expected_sender%

Display name of the high-profile user who is expected to be the real sender of an email message.

%origin_mail_message_id%

ID of an email message.