Advanced Threat Activity Token Variables

Views:

Note:

For the list of standard token variables supported by all event notifications, see Standard Token Variables.

The following table describes token variables for customizing Advanced Threat Activity event notification messages.

Variable	Description
`%hostIP%`	Depending on the traffic direction, %hostIP% is IP address determined by Deep Discovery Inspector: Outbound traffic (internal traffic going to an external network): `%hostIP%` is the IP address of the endpoint in the network (source) Traffic within the network: `%hostIP%` is the IP address of the endpoint in the network External traffic to an endpoint in a network: `%hostIP%` is the IP address of the endpoint in the network Traffic outside the network: `%hostIP%` is the IP address of the endpoint outside the network
`%group%`	The name of the subnetwork
`%START_TIME%`	The start date and time of the detection period Note: The specified time period for the notification criteria determines the start and end times.
`%END_TIME%`	The end date and time of the detection period The start and end times define the time range interval. When logs are received during a certain interval, Apex Central calculates those logs. If the alert criteria is met, Apex Central counts the logs. `%START_TIME%` is the start time of the interval and `%END_TIME%` is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings. Note: The specified time period for the notification criteria determines the start and end times.
`%detections%`	The number of detections For example: `Event: High risk Virtual Analyzer detections` `IP address: %hostIP%` `Host name: %computer%` `Group: %group%` `Time range: %START_TIME% - %END_TIME%` `Detections: %detections%`

The following table describes token variables for customizing event notification messages for Behavior Monitoring violations and Predictive Machine Learning detections.

Variable	Description
`%hostIP%`	Depending on the traffic direction, %hostIP% is IP address determined by Deep Discovery Inspector: Outbound traffic (internal traffic going to an external network): `%hostIP%` is the IP address of the endpoint in the network (source) Traffic within the network: `%hostIP%` is the IP address of the endpoint in the network External traffic to an endpoint in a network: `%hostIP%` is the IP address of the endpoint in the network Traffic outside the network: `%hostIP%` is the IP address of the endpoint outside the network
`%START_TIME%`	The start date and time of the detection period Note: The specified time period for the notification criteria determines the start and end times.
`%END_TIME%`	The end date and time of the detection period The start and end times define the time range interval. When logs are received during a certain interval, Apex Central calculates those logs. If the alert criteria is met, Apex Central counts the logs. `%START_TIME%` is the start time of the interval and `%END_TIME%` is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings. Note: The specified time period for the notification criteria determines the start and end times.
`%detections%`	The number of detections For example: `Event: High risk Virtual Analyzer detections` `IP address: %hostIP%` `Host name: %computer%` `Group: %group%` `Time range: %START_TIME% - %END_TIME%` `Detections: %detections%`
`%domain%`	The root domain of the target in the Apex One domain hierarchy
`%hierarchy%`	The full path of the target in the Apex One domain hierarchy
`%BM_policy%`	The Behavior Monitoring policy ID
`%risklevel%`	The risk level of the event
`%target%`	The target of the event