Customizing Notification Messages

Use variables to customize event notifications. Insert these variables when you configure notifications to provide details to notification recipients.

Control Manager supports the following variables:

Table 1. Common Notification Message Variables

Common variables used by all event notifications

| Variable | Description |
| --- | --- |
| %cmserver% | Control Manager server host name |
| %computer% | Network name of the computer where an event was detected |
| %entity% | Product Directory path of the managed product where an event occurred |
| %event% | Event that triggered the notification |
| %pname% | Managed product name |
| %pver% | Managed product version |
| %time% | Time (hh:mm) when an event occurred |
| %vloginuser% | The logon user information for customized events in spyware logs |
| %act% | The action taken by the managed product. Example: file cleaned, file deleted, file quarantined |
| %actresult% | The result of the action taken by the managed product. Example: successful, further action required |

Table 2. Virus Notification Message Variables

Virus variables: Used by alert or Outbreak Prevention Service event notifications

| Variable | Description |
| --- | --- |
| %device_ip% | IP address of an infected endpoint. |
| %engver% | Scan engine version. Used by the alert event category as well as the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications. For the notification types of the alert event category, this variable refers to the scan engine version currently installed on the managed product server. For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications, this variable refers to the Outbreak Prevention Policy required. |
| %ptnver% | Virus pattern version. Used by the alert event category and the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications. For the notification types of the alert event category, this variable refers to the virus pattern version currently installed on the managed product server. For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications, this variable refers to the Outbreak Prevention Policy required. |
| %scanmethod% | The scan method for specific virus actions. This token is only available for the following alerts: "Virus found - first action unsuccessful and second action unavailable"; "Virus found - first and second actions unsuccessful"; "Virus found - first action successful"; "Virus found - second action successful". |
| %threat_info% | Virus/malware threat information provided by outbreak prevention policies. Used by "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started." |
| %vcnt% | Virus count. Used by virus outbreak alert. |
| %vdest% | Virus/malware destination. For example, the intended recipient takes the value of %vdest% if an antivirus managed product detected a virus/malware in an email message. Used by alert event category. |
| %vfile% | Infected file name. Used by alert event category. |
| %vfilepath% | Infected file directory. Used by alert event category. |
| %vname% | Virus or malware name. Used by alert event category. |
| %vsrc% | Virus/malware origin or infection source. For example, the message sender takes the value of %vsrc% if an antivirus managed product detected a virus/malware in an email message. Used by the alert event category as well as the network virus alert notification type. |

Table 3. Special Notification Message Variables

Special variables: Used by Network VirusWall Enforcer task completed-related events

| Variable | Description |
| --- | --- |
| %action% | Network VirusWall Enforcer action (pass, drop, or quarantine) on network virus. |
| %description% | Error description used by the potential vulnerability attack detected events. |

Table 4. DLP Notification Message Variables

DLP variables: Used by scheduled incident summary and incident details updated events

| Variable | Description |
| --- | --- |
| %DLP_INCIDENT_TOTAL_NUM% | The total number of incidents triggered by directly managed users |
| %DLP_INCIDENT_HIGH_NUM% | The total number of high severity incidents triggered by directly managed users |
| %DLP_INCIDENT_MED_NUM% | The total number of medium severity incidents triggered by directly managed users |
| %DLP_INCIDENT_LOW_NUM% | The total number of low severity incidents triggered by directly managed users |
| %DLP_INCIDENT_INFO_NUM% | The total number of informational incidents triggered by directly managed users |
| %DLP_INCIDENT_UNDEFINED_NUM% | The total number of undefined severity incidents triggered by directly managed users |
| %DLP_INCIDENT_ALLTOTAL_NUM% | The total number of incidents triggered by all managed users |
| %DLP_INCIDENT_ALLHIGH_NUM% | The total number of high severity incidents triggered by all managed users |
| %DLP_INCIDENT_ALLMED_NUM% | The total number of medium severity incidents triggered by all managed users |
| %DLP_INCIDENT_ALLLOW_NUM% | The total number of low severity incidents triggered by all managed users |
| %DLP_INCIDENT_ALLINFO_NUM% | The total number of informational incidents triggered by all managed users |
| %DLP_INCIDENT_ALLUNDEFINED_NUM% | The total number of undefined severity incidents triggered by all managed users |
| %DLP_START_TIME% | The start date and time for the reporting period |
| %DLP_END_TIME% | The end date and time for the reporting period |
| %weblink% | The link to view details of the incident information listed in the notification message |
| %INCIDENTID% | Incident ID number |
| %SEVERITY% | Incident severity level |
| %POLICY% | Control Manager policy name. Note: For incidents triggering DLP policies created in managed products, this appears as N/A. |
| %ACCOUNT% | User name |
| %OLD_STATUS% | Incident status before modification |
| %NEW_STATUS% | Incident status after modification |
| %LATEST_COMMENT% | The latest comments about the incident |

Table 5. C&C Callback Notification Message Variables

| Variable | Description |
| --- | --- |
| %CALLBACK_ADDR% | URL, IP address, or email address to which a compromised host attempts a callback |
| %COMPR_HOST% | Affected host or email address |
| %CnC_LIST_SRC% | Name of the list that contains the callback address |
| %CALLBACK_NUM% | Number of contacts made between callback addresses and compromised hosts |
| %COMPR_HOST_NUM% | Number of compromised hosts involved in the outbreak |
| %CALLBACK_ADDR_NUM% | Number of callback addresses involved in the outbreak |

Table 6. Update Notification Message Variables

Update variables: Used by update-related events

| Variable | Description |
| --- | --- |
| %update_info% | The version of an updated pattern. Used by the update event category. The supported pattern file can be defined with the tag m_strUpdatePatternPassList in SystemConfiguration.xml. |
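A template check built from the tables above, as an added example (not Trend Micro code): it flags variable names that appear in no table, usually typos, and documented variables that belong to a different event category than the notification being written. The category labels, the sample template, and exact-case matching are assumptions of this example.

```python
import re

# Variable names copied from the tables on this page, keyed by table.
# The category keys ("virus", "dlp", ...) are labels chosen for this example.
TABLES = {
    "common": "cmserver computer entity event pname pver time vloginuser act actresult",
    "virus": "device_ip engver ptnver scanmethod threat_info vcnt vdest vfile "
             "vfilepath vname vsrc",
    "special": "action description",
    "dlp": " ".join(f"DLP_INCIDENT_{scope}{sev}_NUM" for scope in ("", "ALL")
                    for sev in ("TOTAL", "HIGH", "MED", "LOW", "INFO", "UNDEFINED"))
           + " DLP_START_TIME DLP_END_TIME weblink INCIDENTID SEVERITY POLICY "
             "ACCOUNT OLD_STATUS NEW_STATUS LATEST_COMMENT",
    "cnc": "CALLBACK_ADDR COMPR_HOST CnC_LIST_SRC CALLBACK_NUM COMPR_HOST_NUM "
           "CALLBACK_ADDR_NUM",
    "update": "update_info",
}
VARIABLES = {table: set(names.split()) for table, names in TABLES.items()}
TOKEN = re.compile(r"%([A-Za-z_]+)%")


def lint_template(template, category):
    """Return (unknown, misplaced) variable names found in a template.

    unknown   - not listed in any table (typically a typo)
    misplaced - documented, but in a table other than 'common' or `category`
    Matching is exact-case, which is an assumption of this example.
    """
    allowed = VARIABLES["common"] | VARIABLES[category]
    documented = set().union(*VARIABLES.values())
    unknown, misplaced = [], []
    for name in TOKEN.findall(template):
        if name in allowed:
            continue
        (misplaced if name in documented else unknown).append(name)
    return unknown, misplaced


# Constructed sample template for a virus alert, with two deliberate mistakes.
SAMPLE = (
    "[%pname% %pver%] %event% on %computer% at %time%\n"
    "Malware: %vname%  File: %vfilpath%\\%vfile%\n"
    "Action: %act% (%actresult%)  Severity: %SEVERITY%\n"
)

if __name__ == "__main__":
    unknown, misplaced = lint_template(SAMPLE, "virus")
    print("unknown:", unknown)
    print("misplaced:", misplaced)
```
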