Token List

%Product_Name%

Name of our product, Cloud App Security.

%Security_risk_name%

Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".

For unscannable files, options for this token are as follows:

• For files whose size exceeds the limitation:

  • Over restriction (message body size)

  • Over restriction (file size)

• For unscannable compressed files:

  • Over restriction (compression ratio)

  • Over restriction (number of layer of compression)

  • Over restriction (decompressed file size)

  • Over restriction (decompressed file count)

  • Over restriction (mail entity count)

  • Over restriction (others)

• For password-protected compressed files: Protected compressed file

• For other password-protected files: Other protected file

%action%

Action that Cloud App Security takes after detecting a security risk.

%date% %time%

• For Exchange Online and Gmail: Date and time when an email message detected as containing a security risk was received

• For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified

• For Salesforce: Date and time when an object record detected as containing a security risk was updated

%foundin%

Location where a security risk was detected.

For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message; for Salesforce, URI of the object record. For Teams Chat, it is the private teams chat URL.

%policy_name%

Name of a configured policy that was violated.

%sender%

Email address of the sender.

%violator%

Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox that received an email message violating a policy; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy; for Salesforce, it is the user who updated an object record; for Teams Chat, it is the user that sent a private chat message violating a policy.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%filename%

Name of a file violating a policy.

%suspicious_url%

Suspicious URL detected.

%risk_level%

There are five Web Reputation risk levels assigned to an analyzed URL:

• Dangerous

• Highly suspicious

• Suspicious

• Safe

• Untested

There are five Virtual Analyzer risk levels assigned to an analyzed object:

• High risk

• Medium risk

• Low risk

• No risk

• Unrated

%url_category%

Category of a suspicious URL detected.

There are more than 90 categories, such as "Spyware" and "Crack".

%dlptemplatename%

Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.

%spam_category%

Category of a spam email message detected.

There are four spam categories supported by Cloud App Security:

• BEC

• Phishing

• Ransomware

• Malicious spam

• Other spam

%detected_by%

Technology or method through which email messages and files were detected as containing a security threat. Options include:

• Pattern-based scanning

• Predictive Machine Learning

• Suspicious Object list

• Web Reputation

• Antispam engine

• Writing style analysis

• Blocked sender list

• Blocked URL list

• Dynamic URL scanning

• Computer vision

• Retro Scan & Auto Remediate

%file_format%

Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.

%violated_keyword%

Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.

%redirected_to%

Email addresses to which email messages triggering the "Change recipient" action are redirected.

%FilterName%

Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects an violation by a file in the protected application or service, except for Exchange Online and Gmail.

Applicable filters include:

• Malware Scanning

• File Blocking

• Web Reputation

• Virtual Analyzer

• Data Loss Prevention

• Keyword Extraction (for Box only)

%action%

Options include Quarantine and Delete.

%expected_sender_displayname%

Display name of the high profile user who is expected to be the real sender of an email message.

%action%

Action that Cloud App Security takes after detecting a probable BEC attack, which includes:

• Tag subject

• Add disclaimer

• Pass

• Move to Spam

%spam_category%

Category of a spam email message detected, which is BEC.

%date%

%time%

Date and time when a probable BEC attack was detected.

%foundin%

Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message.

%policy_name%

Name of a configured policy that was violated.

Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.

%sender%

Email address of the sender.

%recipient%

Email address of the recipient.

%subject%

Subject of an email message violating a policy.

%attachments%

Name of an attachment violating a policy.

%expected_sender%

Display name of the high profile user who is expected to be the real sender of an email message.

%origin_mail_message_id%

ID of an email message.