Token List
The following tokens are provided for you to customize notification messages for administrators and users.
|
Token ID |
Description |
|---|---|
|
%Product_Name% |
Name of our product, Cloud App Security. |
|
%Security_risk_name% |
Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022". For unscannable files, options for this token are as follows:
|
|
%action% |
Action that Cloud App Security takes after detecting a security risk. |
|
%date% %time% |
|
|
%foundin% |
Location where a security risk was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message; for Salesforce, URI of the object record. For Teams Chat, it is the private teams chat URL. |
|
%policy_name% |
Name of a configured policy that was violated. |
|
%sender% |
Email address of the sender. |
|
%violator% |
Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox of a protected user that received or sent an email message violating a policy; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy; for Salesforce, it is the user who updated an object record; for Teams Chat, it is the user that sent a private chat message violating a policy. |
|
%recipient% |
Email address of the recipient. |
|
%subject% |
Subject of an email message violating a policy. |
|
%attachments% |
Name of an attachment violating a policy. |
|
%filename% |
Name of a file violating a policy. |
|
%suspicious_url% |
Suspicious URL detected. |
|
%risk_level% |
There are five Web Reputation risk levels assigned to an analyzed URL:
There are five Virtual Analyzer risk levels assigned to an analyzed object:
|
|
%url_category% |
Category of a suspicious URL detected. There are more than 90 categories, such as "Spyware" and "Crack". |
|
%dlptemplatename% |
Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy. |
|
%spam_category% |
Category of a spam email message detected. There are four spam categories supported by Cloud App Security:
|
|
%detected_by% |
Technology or method through which email messages and files were detected as containing a security threat. Options include:
|
|
%file_format% |
Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy. |
|
%violated_keyword% |
Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy. |
|
%redirected_to% |
Email addresses to which email messages triggering the "Change recipient" action are redirected. |
The following tokens are provided for you to specify the content in Replacement text.
|
Service |
Token ID |
Description |
|---|---|---|
|
Exchange Online Exchange Online (Inline Mode) Gmail (Inline Mode) - Inbound Protection |
[Attachment Name] |
Name of an attachment violating a policy. |
|
SharePoint Online OneDrive Microsoft Teams Box Dropbox Google Drive |
%action% |
Action that Cloud App Security takes after detecting a security risk. |
|
%policy_name% |
Name of a configured policy that was violated. |
|
|
%FilterName% |
Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects an violation by a file in the protected application or service. Applicable filters include:
|
|
|
%Security_risk_name% |
Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022". For unscannable files, options for this token are as follows:
|
|
|
%filename% |
Name of a file violating a policy. |
|
|
%suspicious_url% |
Suspicious URL detected. |
|
|
%dlptemplatename% |
Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy. |
|
|
%risk_level% |
There are five Web Reputation risk levels assigned to an analyzed URL:
There are five Virtual Analyzer risk levels assigned to an analyzed object:
|
The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.
|
Token ID |
Description |
|---|---|
|
%expected_sender_displayname% |
Display name of the high profile user who is expected to be the real sender of an email message. |
|
%action% |
Action that Cloud App Security takes after detecting a probable BEC attack, which includes:
|
|
%spam_category% |
Category of a spam email message detected, which is BEC. |
|
%date% %time% |
Date and time when a probable BEC attack was detected. |
|
%foundin% |
Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message. |
|
%policy_name% |
Name of a configured policy that was violated. |
| %detected_by% |
Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis. |
|
%sender% |
Email address of the sender. |
|
%recipient% |
Email address of the recipient. |
|
%subject% |
Subject of an email message violating a policy. |
|
%attachments% |
Name of an attachment violating a policy. |
|
%expected_sender% |
Display name of the high profile user who is expected to be the real sender of an email message. |
|
%origin_mail_message_id% |
ID of an email message. |
The following tokens are provided for you to customize the disclaimer in the redirected emails that triggered the "Change recipient" action.
|
Token ID |
Description |
|---|---|
|
%policy_name% |
Name of a configured policy that was violated. |
The following tokens are provided for you to customize the disclaimer for messages detected as from suspicious senders.
|
Token ID |
Description |
|---|---|
|
%detected_risk% |
Specific risk that caused the message sender to be identified as suspicious. |
