Token List

The following tokens are provided for you to customize notification messages for administrators and users.

Token ID

Description

%Product_Name%

Name of our product, Cloud App Security.

%Security_risk_name%

Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".

For unscannable files, options for this token are as follows:

  • For files whose size exceeds the limitation:

    • Over restriction (message body size)

    • Over restriction (file size)

  • For unscannable compressed files:

    • Over restriction (compression ratio)

    • Over restriction (number of layer of compression)

    • Over restriction (decompressed file size)

    • Over restriction (decompressed file count)

    • Over restriction (mail entity count)

    • Over restriction (others)

  • For password-protected compressed files: Protected compressed file

  • For other password-protected files: Other protected file

%action%

Action that Cloud App Security takes after detecting a security risk.

%date% %time%

  • For Exchange Online and Gmail: Date and time when an email message detected as containing a security risk was received

  • For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified

  • For Salesforce: Date and time when an object record detected as containing a security risk was updated

%foundin%

Location where a security risk was detected.

For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message; for Salesforce, it is the URI of the object record. For Teams Chat, it is the private Teams chat URL.

%policy_name%

Name of a configured policy that was violated.

%sender%

Email address of the sender.

%violator%

Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox that received an email message violating a policy; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy; for Salesforce, it is the user who updated an object record; for Teams Chat, it is the user that sent a private chat message violating a policy.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%filename%

Name of a file violating a policy.

%suspicious_url%

Suspicious URL detected.

%risk_level%

There are five Web Reputation risk levels assigned to an analyzed URL:

  • Dangerous

  • Highly suspicious

  • Suspicious

  • Safe

  • Untested

There are five Virtual Analyzer risk levels assigned to an analyzed object:

  • High risk

  • Medium risk

  • Low risk

  • No risk

  • Unrated

%url_category%

Category of a suspicious URL detected.

There are more than 90 categories, such as "Spyware" and "Crack".

%dlptemplatename%

Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.

%spam_category%

Category of a spam email message detected.

There are four spam categories supported by Cloud App Security:

  • BEC

  • Phishing

  • Ransomware

  • Malicious spam

  • Other spam

%detected_by%

Technology or method through which email messages and files were detected as containing a security threat. Options include:

  • Pattern-based scanning

  • Predictive Machine Learning

  • Suspicious Object list

  • Web Reputation

  • Antispam engine

  • Writing style analysis

  • Blocked sender list

  • Blocked URL list

  • Dynamic URL scanning

  • Computer vision

  • Retro Scan & Auto Remediate

%file_format%

Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.

%violated_keyword%

Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.

%redirected_to%

Email addresses to which email messages triggering the "Change recipient" action are redirected.

The following tokens are provided for you to specify the content in Replacement text.

Token ID

Description

%FilterName%

Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects a violation by a file in the protected application or service, except for Exchange Online and Gmail.

Applicable filters include:

  • Malware Scanning

  • File Blocking

  • Web Reputation

  • Virtual Analyzer

  • Data Loss Prevention

  • Keyword Extraction (for Box only)

%action%

Options include Quarantine and Delete.

The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.

Token ID

Description

%expected_sender_displayname%

Display name of the high-profile user who is expected to be the real sender of an email message.

%action%

Action that Cloud App Security takes after detecting a probable BEC attack, which includes:

  • Tag subject

  • Add disclaimer

  • Pass

  • Move to Spam

%spam_category%

Category of a spam email message detected, which is BEC.

%date% %time%

Date and time when a probable BEC attack was detected.

%foundin%

Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message.

%policy_name%

Name of a configured policy that was violated.

%detected_by%

Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.

%sender%

Email address of the sender.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%expected_sender%

Display name of the high-profile user who is expected to be the real sender of an email message.

%origin_mail_message_id%

ID of an email message.

The following tokens are provided for you to customize the callout message in the redirected emails that triggered the "Change recipient" action.

Token ID

Description

%policy_name%

Name of a configured policy that was violated.