Customizing Notification Messages

Use variables to customize event notifications. Insert these variables when you configure notifications to provide details to notification recipients.

Control Manager supports the following variables:

Table 1. Common Notification Message Variables

Variable

Description

Common variables used by all event notifications

%cmserver%

Control Manager server host name

%computer%

Network name of the computer where an event was detected

%entity%

Product Directory path of the managed product where an event occurred

%event%

Event that triggered the notification

%pname%

Managed product name

%pver%

Managed product version

%time%

Time (hh:mm) when an event occurred

%vloginuser%

The logon user information for customized events in spyware logs

%act%

The action taken by the managed product. Example: file cleaned, file deleted, file quarantined

%actresult%

The result of the action taken by the managed product. Example: successful, further action required

Table 2. Virus Notification Message Variables

Variable

Description

Virus variables: Used by alert or Outbreak Prevention Service event notifications

%device_ip%

IP address of an infected endpoint.

%egnver%

  • Scan engine version.

  • Used by the alert event category as well as the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications. For the notification types of the alert event category, this variable refers to the scan engine version currently installed on the managed product server.

  • For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications, this variable refers to the Outbreak Prevention Policy required.

%ptnver%

  • Virus pattern version.

  • Used by the alert event category and the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications. For the notification types of the alert event category, this variable refers to the virus pattern version currently installed on the managed product server.

  • For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications, this variable refers to the Outbreak Prevention Policy required.

%scanmethod%

The scan method for specific virus actions. This token is only available for the following alerts:

  • Virus found-first action unsuccessful and second action unavailable

  • Virus found-first and second actions unsuccessful

  • Virus found-first action successful

  • Virus found-second action successful

%threat_info%

  • Virus/malware threat information provided by outbreak prevention policies.

  • Used by "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started."

%vcnt%

  • Virus count.

  • Used by virus outbreak alert.

%vdest%

  • Virus/malware destination.

  • Examples:

    Email detection: %vdest% is the intended recipient

    Host-based/Endpoint detection: %vdest% is the endpoint IP address or host name

  • Used by alert event category.

%vfile%

Infected file name. Used by alert event category.

%vfilepath%

Infected file directory. Used by alert event category.

%vname%

Virus or malware name. Used by alert event category.

%vsrc%

  • Virus/malware origin or infection source.

  • For example, if an antivirus managed product detects a virus/malware in an email message, %vsrc% takes the value of the message sender.

  • Used by the alert event category as well as the network virus alert notification type.

Table 3. Special Notification Message Variables

Variable

Description

Special variables: Used by Network VirusWall Enforcer task completed-related events

%action%

Network VirusWall Enforcer action (pass, drop, or quarantine) on network virus.

%description%

Error description used by the potential vulnerability attack detected events.

Table 4. DLP Notification Message Variables

Variable

Description

DLP variables: Used by scheduled incident summary and incident details updated events

%DLP_INCIDENT_TOTAL_NUM%

The total number of incidents triggered by directly managed users

%DLP_INCIDENT_HIGH_NUM%

The total number of high severity incidents triggered by directly managed users

%DLP_INCIDENT_MED_NUM%

The total number of medium severity incidents triggered by directly managed users

%DLP_INCIDENT_LOW_NUM%

The total number of low severity incidents triggered by directly managed users

%DLP_INCIDENT_INFO_NUM%

The total number of informational incidents triggered by directly managed users

%DLP_INCIDENT_UNDEFINED_NUM%

The total number of undefined severity incidents triggered by directly managed users

%DLP_INCIDENT_ALLTOTAL_NUM%

The total number of incidents triggered by all managed users

%DLP_INCIDENT_ALLHIGH_NUM%

The total number of high severity incidents triggered by all managed users

%DLP_INCIDENT_ALLMED_NUM%

The total number of medium severity incidents triggered by all managed users

%DLP_INCIDENT_ALLLOW_NUM%

The total number of low severity incidents triggered by all managed users

%DLP_INCIDENT_ALLINFO_NUM%

The total number of informational incidents triggered by all managed users

%DLP_INCIDENT_ALLUNDEFINED_NUM%

The total number of undefined severity incidents triggered by all managed users

%DLP_START_TIME%

The start date and time for the reporting period

%DLP_END_TIME%

The end date and time for the reporting period

%weblink%

The link to view details of the incident information listed in the notification message

%INCIDENTID%

Incident ID number

%SEVERITY%

Incident severity level

%POLICY%

Control Manager policy name

Note:

For incidents triggering DLP policies created in managed products, this appears as N/A.

%ACCOUNT%

User name

%OLD_STATUS%

Incident status before modification

%NEW_STATUS%

Incident status after modification

%LATEST_COMMENT%

The latest comments about the incident

%DLP_VIOLATION_NUM%

The number of violations matching DLP policies

%DLP_THRESHOLD%

The number of violations that must be triggered to indicate a significant increase in policy violations

%DLP_TEMPLATE%

Template matching the significant incident increase

%DLP_USER_NAME%

Significant incident increase by user

%DLP_SENDER%

Significant incident increase by sender

%DLP_CHANNEL%

Significant incident increase by channel

%STATUS_CHANGE_TIME%

Time at which the incident details were updated

Table 5. Content Security Violation Notification Message Variables

Variable

Description

%subject%

Subject header of the email notification

%sender%

Sender's email address

%recipient%

Recipient's email address

%filtername%

Name of the content filter rule/policy that has been violated

%filteract%

Action applied by the filter

%msgact%

Action applied to the message

Table 6. Web Security Violation Notification Message Variables

Variable

Description

%url%

URL in question

%vdestip%

IP address of the target URL

%blockrule%

Name of the rule that has been violated

%blocktype%

Action applied to the URL

Table 7. C&C Callback Notification Message Variables

Variable

Description

%CALLBACK_ADDR%

URL, IP address, or email address to which a compromised host attempts a callback

%COMPR_HOST%

Affected host or email address

%CnC_LIST_SRC%

Name of the list that contains the callback address

%CALLBACK_NUM%

Number of contacts made between callback addresses and compromised hosts

%COMPR_HOST_NUM%

Number of compromised hosts involved in the outbreak

%CALLBACK_ADDR_NUM%

Number of callback addresses involved in the outbreak

Table 8. Advanced Threat Activity Variables

Variable

Description

%hostIP%

Depending on the traffic direction, %hostIP% is the IP address determined by Deep Discovery Inspector:

  • Outbound traffic (internal traffic going to an external network): %hostIP% is the IP address of the endpoint in the network (source)

  • Traffic within the network: %hostIP% is the IP address of the endpoint in the network

  • External traffic to an endpoint in a network: %hostIP% is the IP address of the endpoint in the network

  • Traffic outside the network: %hostIP% is the IP address of the endpoint outside the network

%group%

Name of the subnetwork

%START_TIME%

Start time

%END_TIME%

End time

The start and end times define the time range interval. When Control Manager receives logs during an interval, it evaluates them against the alert criteria and counts the logs that meet them. %START_TIME% is the start time of the interval and %END_TIME% is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings.

%detections%

Number of detections

For example:

Event: High risk Virtual Analyzer detections

IP address: %hostIP%

Host name: %computer%

Group: %group%

Time range: %START_TIME% - %END_TIME%

Detections: %detections%
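The tables above state which variables a given event kind can use, and that %scanmethod% exists only for four specific virus alerts. The following added example (not part of Control Manager or this documentation) is a small template checker that flags tokens the page does not document for an event kind and fills in a template with constructed sample values; it assumes case-sensitive token names and leaves unknown tokens untouched, since the page does not state how the product itself treats them.

```python
import re

# Variables documented on this page. COMMON_VARS applies to every event
# notification; the other sets are the per-table variables for one event kind.
COMMON_VARS = {"%cmserver%", "%computer%", "%entity%", "%event%", "%pname%",
               "%pver%", "%time%", "%vloginuser%", "%act%", "%actresult%"}
VIRUS_VARS = {"%device_ip%", "%egnver%", "%ptnver%", "%threat_info%", "%vcnt%",
              "%vdest%", "%vfile%", "%vfilepath%", "%vname%", "%vsrc%"}
ADVANCED_THREAT_VARS = {"%hostIP%", "%group%", "%START_TIME%", "%END_TIME%",
                        "%detections%"}
# %scanmethod% is only available for these four virus alerts (Table 2).
SCANMETHOD_ALERTS = {
    "Virus found-first action unsuccessful and second action unavailable",
    "Virus found-first and second actions unsuccessful",
    "Virus found-first action successful",
    "Virus found-second action successful",
}
TOKEN = re.compile(r"%[A-Za-z_]+%")


def undocumented_tokens(template, event_vars, alert_name=""):
    """Tokens in the template that the page does not document for this event
    kind. Matching is case-sensitive (assumption), since the page spells
    %hostIP% and %START_TIME% exactly that way."""
    allowed = COMMON_VARS | event_vars
    if alert_name in SCANMETHOD_ALERTS:
        allowed = allowed | {"%scanmethod%"}
    return sorted({t for t in TOKEN.findall(template) if t not in allowed})


def render(template, values):
    """Fill in the tokens. An unknown token is left as-is so a typo shows up in
    the delivered message instead of silently becoming empty (assumption: the
    product's own handling of unknown tokens is not stated on the page)."""
    return TOKEN.sub(lambda m: values.get(m.group(0), m.group(0)), template)


# The page's own advanced threat activity example, joined into one template.
ADV_TEMPLATE = ("Event: High risk Virtual Analyzer detections\n"
                "IP address: %hostIP%\nHost name: %computer%\nGroup: %group%\n"
                "Time range: %START_TIME% - %END_TIME%\nDetections: %detections%")

if __name__ == "__main__":
    print(undocumented_tokens(ADV_TEMPLATE, ADVANCED_THREAT_VARS))  # []
    # %scanmethod% outside the four listed alerts, plus a mis-cased %hostip%
    print(undocumented_tokens("%vname% via %scanmethod% on %hostip%",
                              VIRUS_VARS, "Virus outbreak alert"))
    # constructed sample values, not real event data
    print(render(ADV_TEMPLATE, {"%hostIP%": "10.0.0.8", "%computer%": "ws-01",
                                "%group%": "Lab", "%START_TIME%": "09:00",
                                "%END_TIME%": "09:15", "%detections%": "3"}))
```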