Advanced Threat Activity Token Variables

The following table describes token variables for customizing Advanced Threat Activity event notification messages.

Variable

Description

%hostIP%

Depending on the traffic direction, %hostIP% is IP address determined by Deep Discovery Inspector:

  • Outbound traffic (internal traffic going to an external network): %hostIP% is the IP address of the endpoint in the network (source)

  • Traffic within the network: %hostIP% is the IP address of the endpoint in the network

  • External traffic to an endpoint in a network: %hostIP% is the IP address of the endpoint in the network

  • Traffic outside the network: %hostIP% is the IP address of the endpoint outside the network

%group%

Name of the subnetwork

%START_TIME%

Start time

%END_TIME%

End time

The start and end times define the time range interval. When logs are received during a certain interval, Control Manager calculates those logs. If the alert criteria is met, Control Manager counts the logs. %START_TIME% is the start time of the interval and %END_TIME% is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings.

%detections%

Number of detections

For example:

Event: High risk Virtual Analyzer detections

IP address: %hostIP%

Host name: %computer%

Group: %group%

Time range: %START_TIME% - %END_TIME%

Detections: %detections%