Note
For the list of standard token variables supported by all event notifications, see Standard Token Variables.
The following table describes token variables for customizing Advanced Threat Activity event notification messages.
Variable
Description
%hostIP%
Depending on the traffic direction, %hostIP% is the IP address determined by Deep Discovery Inspector:
  • Outbound traffic (internal traffic going to an external network): %hostIP% is the IP address of the endpoint in the network (source)
  • Traffic within the network: %hostIP% is the IP address of the endpoint in the network
  • External traffic to an endpoint in a network: %hostIP% is the IP address of the endpoint in the network
  • Traffic outside the network: %hostIP% is the IP address of the endpoint outside the network
%group%
The name of the subnetwork
%START_TIME%
The start date and time of the detection period
Note
The specified time period for the notification criteria determines the start and end times.
%END_TIME%
The end date and time of the detection period
The start and end times define the time range interval. When Apex Central receives logs during an interval, it evaluates them against the alert criteria and, if the criteria are met, counts the logs. %START_TIME% is the start time of the interval and %END_TIME% is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings.
Note
The specified time period for the notification criteria determines the start and end times.
%detections%
The number of detections
For example:
Event: High risk Virtual Analyzer detections
IP address: %hostIP%
Host name: %computer%
Group: %group%
Time range: %START_TIME% - %END_TIME%
Detections: %detections%
The following table describes token variables for customizing event notification messages for Behavior Monitoring violations and Predictive Machine Learning detections.
Variable
Description
%hostIP%
Depending on the traffic direction, %hostIP% is the IP address determined by Deep Discovery Inspector:
  • Outbound traffic (internal traffic going to an external network): %hostIP% is the IP address of the endpoint in the network (source)
  • Traffic within the network: %hostIP% is the IP address of the endpoint in the network
  • External traffic to an endpoint in a network: %hostIP% is the IP address of the endpoint in the network
  • Traffic outside the network: %hostIP% is the IP address of the endpoint outside the network
%START_TIME%
The start date and time of the detection period
Note
The specified time period for the notification criteria determines the start and end times.
%END_TIME%
The end date and time of the detection period
The start and end times define the time range interval. When Apex Central receives logs during an interval, it evaluates them against the alert criteria and, if the criteria are met, counts the logs. %START_TIME% is the start time of the interval and %END_TIME% is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings.
Note
The specified time period for the notification criteria determines the start and end times.
%detections%
The number of detections
For example:
Event: High risk Virtual Analyzer detections
IP address: %hostIP%
Host name: %computer%
Group: %group%
Time range: %START_TIME% - %END_TIME%
Detections: %detections%
%domain%
The root domain of the target in the Apex One domain hierarchy
%hierarchy%
The full path of the target in the Apex One domain hierarchy
%BM_policy%
The Behavior Monitoring policy ID
Note
This token variable is available for Behavior Monitoring violation notification messages only.
%risklevel%
The risk level of the event
Note
This token variable is available for Behavior Monitoring violation notification messages only.
%target%
The target of the event
Note
This token variable is available for Behavior Monitoring violation notification messages only.
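The following is an added illustration, not Apex Central's own code, of how the pieces described in both tables fit together: the %START_TIME%/%END_TIME% interval whose length is the period threshold, the %detections% count that must reach the alert threshold before a notification is sent, and the substitution of tokens into a message template, including rejecting tokens that are not available for the event type (for example %BM_policy% outside Behavior Monitoring). The token names and the message template come from this page; the sample log records, the threshold values and all function names are assumptions made for the example.

```python
# Added illustration (not Apex Central's own code) of the interval, threshold
# and token-substitution behaviour described on this page. Log records,
# thresholds and function names are assumptions for the example.
import re
from datetime import datetime, timedelta

# Constructed sample detection logs (not real product output).
SAMPLE_LOGS = [
    {"time": "2024-05-01 10:02:00", "hostIP": "10.0.1.25", "computer": "WS-025", "group": "Finance", "risk": "high"},
    {"time": "2024-05-01 10:07:30", "hostIP": "10.0.1.25", "computer": "WS-025", "group": "Finance", "risk": "high"},
    {"time": "2024-05-01 10:09:10", "hostIP": "10.0.1.25", "computer": "WS-025", "group": "Finance", "risk": "low"},
    {"time": "2024-05-01 09:30:00", "hostIP": "10.0.1.25", "computer": "WS-025", "group": "Finance", "risk": "high"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"
TOKEN_RE = re.compile(r"%([A-Za-z_]+)%")

# Tokens each event type supports, taken from the tables on this page
# (plus the standard %computer% token used in the page's example).
ADVANCED_THREAT_TOKENS = {"hostIP", "computer", "group", "START_TIME", "END_TIME", "detections"}
BEHAVIOR_MONITORING_TOKENS = ADVANCED_THREAT_TOKENS | {"domain", "hierarchy", "BM_policy", "risklevel", "target"}


def detection_window(end_time, period_minutes):
    """Return the interval [START_TIME, END_TIME) whose length is the period threshold."""
    return end_time - timedelta(minutes=period_minutes), end_time


def evaluate_alert(logs, end_time, period_minutes, min_detections, criteria):
    """Count logs inside the window that meet the criteria. Return the token
    values for the notification if the count reaches the alert threshold,
    otherwise None (no notification is generated)."""
    start, end = detection_window(end_time, period_minutes)
    hits = [
        log for log in logs
        if start <= datetime.strptime(log["time"], TIME_FMT) < end and criteria(log)
    ]
    if len(hits) < min_detections:
        return None
    first = hits[0]
    return {
        "hostIP": first["hostIP"],
        "computer": first["computer"],
        "group": first["group"],
        "START_TIME": start.strftime(TIME_FMT),
        "END_TIME": end.strftime(TIME_FMT),
        "detections": len(hits),
    }


def render(template, values, allowed_tokens):
    """Substitute %token% placeholders. A token the event type does not support
    raises an error rather than being emitted verbatim or silently dropped."""
    def substitute(match):
        name = match.group(1)
        if name not in allowed_tokens:
            raise ValueError(f"%{name}% is not available for this event type")
        return str(values[name])
    return TOKEN_RE.sub(substitute, template)


# The message template from the page's example.
TEMPLATE = (
    "Event: High risk Virtual Analyzer detections\n"
    "IP address: %hostIP%\n"
    "Host name: %computer%\n"
    "Group: %group%\n"
    "Time range: %START_TIME% - %END_TIME%\n"
    "Detections: %detections%"
)


def example_values(min_detections=2):
    """Evaluate the sample logs against an assumed 15-minute period threshold
    ending at 10:10:00, counting only high-risk detections."""
    return evaluate_alert(
        SAMPLE_LOGS,
        end_time=datetime(2024, 5, 1, 10, 10, 0),
        period_minutes=15,            # assumed period threshold
        min_detections=min_detections,  # assumed detection-count threshold
        criteria=lambda log: log["risk"] == "high",
    )


def example_message():
    values = example_values()
    return None if values is None else render(TEMPLATE, values, ADVANCED_THREAT_TOKENS)


if __name__ == "__main__":
    print(example_message())
```

With the sample data, the 15-minute window runs from 09:55:00 to 10:10:00; the 09:30:00 record falls outside it and the 10:09:10 record is low risk, so %detections% is 2 and the notification is generated. Raising the assumed detection threshold to 3 yields no notification, and a template that uses %BM_policy% is rejected for the Advanced Threat Activity token set but accepted for the Behavior Monitoring one.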