Token List

The following tokens are provided for you to customize notification messages for administrators and users.

Token ID

Description

%Product_Name%

Name of our product, Cloud App Security.

%Security_risk_name%

Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".

%action%

Action that Cloud App Security takes after detecting a security risk.

  • Replace with text or file: replace the file that violates a policy with a replacement text file

  • Quarantine: move the email message or file to a restricted access folder

  • Delete: delete the email message or file

  • Pass: deliver the email message or file unchanged, regardless of whether it violates a policy

  • Tag subject: add a tag to the message subject if the email message violates a policy

  • Move to Junk Email folder: move the email message to the user's Junk Email folder

%date% %time%

  • For Exchange Online: Date and time when an email message detected as containing a security risk was received

  • For SharePoint Online, OneDrive for Business, Box, Dropbox and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified

%foundin%

Location where a security risk was detected.

For Exchange Online, it is the email address; for SharePoint Online, OneDrive for Business, Box, Dropbox and Google Drive, it is the folder path or website URL.

%policy_name%

Name of a configured policy that was violated.

%sender%

Email address of the sender.

%violator%

Affected user related to a policy violation. For SharePoint Online, OneDrive for Business, Box, Dropbox and Google Drive, it is the user who uploaded, modified, or downloaded a file violating a policy. For Exchange Online, it is the mailbox that received an email message violating a policy.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%filename%

Name of a file violating a policy.

%suspicious_url%

Suspicious URL detected.

%risk_level%

There are five Web Reputation risk levels assigned to an analyzed URL:

  • Dangerous

  • Highly suspicious

  • Suspicious

  • Safe

  • Untested

Note:

For details about each risk level, see Web Reputation Risk Levels.

There are five Virtual Analyzer risk levels assigned to an analyzed object:

  • High risk

  • Medium risk

  • Low risk

  • No risk

  • Unrated

Note:

For details about each risk level, see Virtual Analyzer Risk Levels.

%url_category%

Category of a suspicious URL detected.

There are more than 90 categories, such as "Spyware" and "Crack".

%dlptemplatename%

Name of a compliance template that triggers the Data Loss Prevention policy.

There are currently more than one hundred built-in templates.

%spam_category%

Category of a spam email message detected.

There are four spam categories supported by Cloud App Security:

  • BEC

  • Phishing

  • Ransomware

  • Others

%detected_by%

Technology or method through which email messages and files were detected as containing a security threat. Options include:

  • Pattern-based scanning

  • Predictive Machine Learning

  • Suspicious Object list

  • Web Reputation

  • Antispam engine

  • Writing style analysis

  • Blocked sender list

  • Blocked URL list

  • Dynamic URL scanning

  • Computer vision

%file_format%

Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.

%violated_keyword%

Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.

The following tokens are provided for you to specify the content in Replacement text.

Token ID

Description

%FilterName%

Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects a violation by a file in the protected service, except for Exchange Online.

Applicable filters include:

  • Malware Scanning

  • File Blocking

  • Web Reputation

  • Virtual Analyzer

  • Data Loss Prevention

  • Keyword Extraction (for Box only)

%action%

Options include Quarantine and Delete.

The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.

Token ID

Description

%expected_sender_displayname%

Display name of the high-profile user who is expected to be the real sender of an email message.

%action%

Action that Cloud App Security takes after detecting a probable BEC attack, which includes:

  • Tag subject

  • Add disclaimer

  • Pass

%spam_category%

Category of a spam email message detected, which is BEC.

%date% %time%

Date and time when a probable BEC attack was detected.

%foundin%

Email address where a probable BEC attack was detected.

%policy_name%

Name of a configured policy that was violated.

%detected_by%

Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.

%sender%

Email address of the sender.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%expected_sender%

Display name of the high-profile user who is expected to be the real sender of an email message.

%origin_mail_message_id%

ID of an email message.