Views:

The following table explains the tokens available for alert notifications. Use the table to customize your alert notifications with message tokens.

Note:

Not every alert notification can accept every message token. Review the alert's parameter specifications before using a message token. For details, see Alert Notification Parameters.

Table 1. Message Tokens

Token

Description

Notes

%Account%

The user name of the account that Deep Discovery Email Inspector locks

Where allowed:

  • System: Account Locked

Examples:

  • JohnDoe

  • Test

%Action%

The action that Deep Discovery Email Inspector took on the processed message

Where allowed:

  • Policy: Recipient Notifications

Examples:

  • Policy: Recipient Notifications

  • Pass and tag

%AveSandboxProc%

The average time in minutes it takes to queue and analyze messages in the past hour

Where allowed:

  • System: Long Virtual Analyzer Processing Time

Examples:

  • 3

  • 2

%ComponentList%

The list of components.

Where allowed:

  • System: Component Update/Rollback Successful

  • System: Component Update/Rollback Unsuccessful

Examples:

  • Network Content Inspection Engine/ 0x48000204/ 9.862.1107

  • Network Content Inspection Engine/ 0x48000204/ Unknown

%ConsoleURL%

The Deep Discovery Email Inspector management console URL.

Where allowed:

  • All

Example:

  • https://192.168.252.1/loginPage.ddei

%CPUThreshold%

The maximum CPU usage as a percentage allowed before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: High CPU Usage

Examples:

  • 95

  • 85

%CPUUsage%

The total CPU utilization as a percentage

Where allowed:

  • System: High CPU Usage

Examples:

  • 80

  • 65

%DateTime%

The date and time that the Deep Discovery Email Inspector received the email message

Where allowed:

  • All

Examples:

  • 2014-03-21 03:34:09

  • 2014-06-15 11:31:22

%DaysBeforeExpirationATD%

The number of days before the product license for Advanced Threat Protection expires

Where allowed:

  • System: License Expiration

Examples:

  • 4

  • 123

%DaysBeforeExpirationSEG%

The number of days before the product license for Gateway Module expires

Where allowed:

  • System: License Expiration

Examples:

  • 4

  • 123

%DeferredQueue%

The number of email messages in the deferred queue waiting for Deep Discovery Email Inspector to process.

Where allowed:

  • System: Long Message Deferred Queue

Example:

  • 100

%DeliveryQueue%

The number of email messages in the delivery queue waiting for Deep Discovery Email Inspector to process.

Where allowed:

  • System: Long Message Delivery Queue

Examples:

  • 100

  • 600

%DetectionCount%

The number of messages detected with suspicious characteristics during the specified period of time

Where allowed:

  • System: Detection Surge

Examples:

  • 50

  • 200

%DetectionThreshold%

The maximum number of messages detected to have suspicious characteristics before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: Detection Surge

Examples:

  • 50

  • 40

%DeviceIP%

The IP address of the Deep Discovery Email Inspector appliance

Where allowed:

  • All

Example:

  • 123.123.123.123

%DeviceName%

The host name of the Deep Discovery Email Inspector appliance

Where allowed:

  • All

Example:

  • example.com

%DiagnosisTip%

Recommendations on how to resolve the issue

Where allowed:

  • System: Connection Issue

%DiskSpace%

The lowest amount of disk space in GB before Deep Discovery Email Inspector send an alert notification

Where allowed:

  • System: Low Free Disk Space

  • System: Low Free Quarantine Disk Space

Examples:

  • 2

  • 30

%ExpirationDateATD%

The day the product license for Advanced Threat Protection expires

Where allowed:

  • System: License Expiration

Examples:

  • 2014-03-21 03:34:09

  • 2014-06-15 11:31:22

%ExpirationDateSEG%

The day the product license for Gateway Module expires

Where allowed:

  • System: License Expiration

Examples:

  • 2014-03-21 03:34:09

  • 2014-06-15 11:31:22

%Interval%

The frequency that Deep Discovery Email Inspector checks the message processing volume in minutes

Where allowed:

  • System: Detection Surge

  • System: Processing Surge

Examples:

  • 15

  • 10

%LicenseStatusATD%

The current status of the product license for Advanced Threat Protection

Where allowed:

  • System: License Expiration

Examples:

  • Evaluation

  • Not Activated

  • Activated

  • Expired

  • Grace Period

For details, see Product License Status.

%LicenseStatusSEG%

The current status of the product license for Gateway Module

Where allowed:

  • System: License Expiration

Examples:

  • Evaluation

  • Not Activated

  • Activated

  • Expired

  • Grace Period

For details, see Product License Status.

%LicenseTypeATD%

The Advanced Threat Protection product license type

Where allowed:

  • System: License Expiration

Examples:

  • Full

  • Trial

%LicenseTypeSEG%

The Gateway Module product license type

Where allowed:

  • System: License Expiration

Examples:

  • Full

  • Trial

%MemoryThreshold%

The maximum memory usage as a percentage allowed before Deep Discovery Email Inspector sends an alert notification.

Where allowed:

  • System: High Memory Usage

Example: 90

%MemoryUsage%

The total memory utilization as a percentage.

Where allowed:

  • System: High Memory Usage

Example: 90

%MessageList%

The list of detected messages, which includes the risk level, threat name, action taken, message ID, recipients, sender, recipient, subject, top three most risky attachment details, and when the message was received.

This token also provides the names of detected threats for the following alert notifications:

  • Security: Suspicious Message Identified

  • Security: Watchlisted Recipients at Risk

  • System: Quarantined Messages

  • Security: Data Loss Prevention Incident

Where allowed:

  • Security: Suspicious Message Identified

  • Security: Watchlisted Recipients at Risk

  • System: Quarantined Messages

  • Security: Data Loss Prevention Incident

Examples:

  • ==============
Risk: High (Suspicious File)
Action: Action set to 'pass'
Threat Name: EMERGING-THREAT_GENERIC.ERS|VAN_DROPPER.UMXX
Message ID: <E1fk6FQ-00073X-Ns@funimo.com>
Recipients: relay@njrelay.itlab.trendmicro.comSender: aliconwamonic@yahoo.com
Subject: Our Order#6501732
Attachment: 65017832.xls (Excel 95 or 97 spreadsheet), Company Profile.ZIP(ZIP
            archive)
Detected: 2018-07-30 19:41:23
================
  • ================ 
Risk: Medium (Malicious URL) 
Action:  Quarantined 
Threat Name: LOW-REPUTATION-URL_BLOCKED-LIST.SCORE.WRS 
Message ID: <20180903210849.3B4D93A06C9@ddei155.localdomain
Recipients: bvt@ddei.com Sender: test@test.com
Subject: Te_%*s'<>?|\@~$%^&#$!`~(=-+<>;:.){[太严]}(`)+=-_t"ddd, Attachment: (Link only)
Detected: 2018-09-03 21:08:51
================
  • ================
Message ID: <5C32BC03.9090201@test.com>
Recipients: test@test.com;test@test1.com
Sender: test@test.com
Subject: 1033
Attachment: (Link only)
DLP templates (Data identifiers): 
templateName (China: Mobile Phone Number )
Detected: 2019-02-25 01:07:42
================

%MTAList%

The list of unreachable MTAs. Each MTA appears as an IP address and the port number.

Where allowed:

  • System: Relay MTAs Inaccessible

Examples:

  • [1.1.1.1]:99

  • [7.7.7.7]:77

%ProcessingCount%

The total number of processed messages over the specified period of time

Where allowed:

  • System: Processing Surge

Examples:

  • 50

  • 200

%ProcessingThreshold%

The maximum number of processed messages during the specified time frame before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: Processing Surge

Examples:

  • 100

  • 40

%QueueThreshold%

The maximum number of messages in the delivery queue before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: Long Message Delivery Queue

Examples:

  • 100

  • 40

%SandboxProcThreshold%

The maximum amount of time allocated for average sandbox processing before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: Long Virtual Analyzer Processing Time

Examples:

  • 15

  • 30

%SandboxQueue%

The email message count in the sandbox queue waiting to be analyzed by Virtual Analyzer

Where allowed:

  • System: Long Virtual Analyzer Submission Queue

Examples:

  • 30

  • 75

%SandboxQueueThreshold%

The maximum number of messages in the sandbox queue before Deep Discovery Email Inspector sends an alert notification

Where allowed:

  • System: Long Virtual Analyzer Submission Queue

Examples:

  • 100

  • 75

%ServiceList%

The list of services affected by the connection issue

Where allowed:

  • System: Connection Issue

Example:

  • Internal Virtual Analyzer network (eth1, No proxy)

%ServiceName%

The stopped Deep Discovery Email Inspector service

Where allowed:

  • System: Service Stopped

Where allowed:

  • System: Service Stopped

Example:

  • scanner

%TotalMessages%

The total number of messages with unsuccessful DKIM signing

Where allowed:

  • System: Unsuccessful DKIM Signing

Example:

  • 10

  • 25
Parent topic: Notification Message Tokens