Customizing Notification Messages

Common variables used by all event notifications

%cmserver%

Control Manager server host name

%computer%

Network name of the computer where an event was detected

%entity%

Product Directory path of the managed product where an event occurred

%event%

Event that triggered the notification

%pname%

Managed product name

%pver%

Managed product version

%time%

Time (hh:mm) when an event occurred

%vloginuser%

The logon user information for customized events in spyware logs

%act%

The action taken by the managed product. Example: file cleaned, file deleted, file quarantined

%actresult%

The result of the action taken by the managed product. Example: successful, further action required

Virus variables: Used by alert or Outbreak Prevention Service event notifications

%device_ip%

IP address of an infected endpoint.

%egnver%

• Scan engine version.

• Used by the alert event category as well as the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications. For the notification types of the alert event category, this variable refers to the scan engine version currently installed on the managed product server.

• For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications, this variable refers to the Outbreak Prevention Policy required.

%ptnver%

• Virus pattern version.

• Used by the alert event category and the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications. For the notification types of the alert event category, this variable refers to the virus pattern version currently installed on the managed product server.

• For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications, this variable refers to the Outbreak Prevention Policy required.

%scanmethod%

The scan method for specific virus actions. This token is only available for the following alerts:

• Virus found-first action unsuccessful and second action unavailable

• Virus found-first and second actions unsuccessful

• Virus found-first action successful

• Virus found-second action successful

%threat_info%

• Virus/malware threat information provided by outbreak prevention policies.

• Used by "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started."

%vcnt%

• Virus count.

• Used by virus outbreak alert.

%vdest%

• Virus/malware destination.

• Examples:

  Email detection: %vdest% is the intended recipient

  Host-based/Endpoint detection: %vdest% is the endpoint IP address or host name

• Used by alert event category.

%vfile%

Infected file name. Used by alert event category.

%vfilepath%

Infected file directory. Used by alert event category.

%vname%

Virus or malware name. Used by alert event category.

%vsrc%

• Virus/malware origin or infection source.

• For example, the message sender takes the value of %vsrc% if an antivirus managed product detected a virus/malware in an email message.

• Used by the alert event category as well as the network virus alert notification type.

Special variables: Used by Network VirusWall Enforcer task completed-related events

%action%

Network VirusWall Enforcer action (pass, drop, or quarantine) on network virus.

%description%

Error description used by the potential vulnerability attack detected events.

DLP variables: Used by scheduled incident summary and incident details updated events

%DLP_INCIDENT_TOTAL_NUM%

The total number of incidents triggered by directly managed users

%DLP_INCIDENT_HIGH_NUM%

The total number of high severity incidents triggered by directly managed users

%DLP_INCIDENT_MED_NUM%

The total number of medium severity incidents triggered by directly managed users

%DLP_INCIDENT_LOW_NUM%

The total number of low severity incidents triggered by directly managed users

%DLP_INCIDENT_INFO_NUM%

The total number of informational incidents triggered by directly managed users

%DLP_INCIDENT_UNDEFINED_NUM%

The total number of undefined severity incidents triggered by directly managed users

%DLP_INCIDENT_ALLTOTAL_NUM%

The total number of incidents triggered by all managed users

%DLP_INCIDENT_ALLHIGH_NUM%

The total number of high severity incidents triggered by all managed users

%DLP_INCIDENT_ALLMED_NUM%

The total number of medium severity incidents triggered by all managed users

%DLP_INCIDENT_ALLLOW_NUM%

The total number of low severity incidents triggered by all managed users

%DLP_INCIDENT_ALLINFO_NUM%

The total number of informational incidents triggered by all managed users

%DLP_INCIDENT_ALLUNDEFINED_NUM%

The total number of undefined severity incidents triggered by all managed users

%DLP_START_TIME%

The start date and time for the reporting period

%DLP_END_TIME%

The end date and time for the reporting period

%weblink%

The link to view details of the incident information listed in the notification message

%INCIDENTID%

Incident ID number

%SEVERITY%

Incident severity level

%POLICY%

Control Manager policy name

%ACCOUNT%

User name

%OLD_STATUS%

Incident status before modification

%NEW_STATUS%

Incident status after modification

%LATEST_COMMENT%

The latest comments about the incident

%DLP_VIOLATION_NUM%

The number of violations matching DLP policies

%DLP_THRESHOLD%

The number of violations that must be triggered to indicate a significant increase on policy violations

%DLP_TEMPLATE%

Template matching the significant incident increase

%DLP_USER_NAME%

Significant incident increase by user

%DLP_SENDER%

Significant incident increase by sender

%DLP_CHANNEL%

Significant incident increase by channel

%STATUS_CHANGE_TIME%

Incident details updated

%subject%

Subject header of the email notification

%sender%

Sender's email address

%recipient%

Recipient's email address

%filtername%

Name of the content filter rule/policy that has been violated

%filteract%%

Action applied by the filter

%msgact%

Action applied to the message

%url%

URL in question

%vdestip%

IP address of the target URL

%blockrule%

Name of the rule that has been violated

%blocktype%

Action applied to the URL

%CALLBACK_ADDR%

URL, IP address, or email address to which a compromised host attempts a callback

%COMPR_HOST%

Affected host or email address

%CnC_LIST_SRC%

Name of the list that contains the callback address

%CALLBACK_NUM%

Number of contacts made between callback addresses and compromised hosts

%COMPR_HOST_NUM%

Number of compromised hosts involved in the outbreak

%CALLBACK_ADDR_NUM%

Number of callback addresses involved in the outbreak

%hostIP%

Depending on the traffic direction, %hostIP% is IP address determined by Deep Discovery Inspector:

• Outbound traffic (internal traffic going to an external network): %hostIP% is the IP address of the endpoint in the network (source)

• Traffic within the network: %hostIP% is the IP address of the endpoint in the network

• External traffic to an endpoint in a network: %hostIP% is the IP address of the endpoint in the network

• Traffic outside the network: %hostIP% is the IP address of the endpoint outside the network

%group%

Name of the subnetwork

%START_TIME%

Start time

%END_TIME%

End time

The start and end times define the time range interval. When logs are received during a certain interval, Control Manager calculates those logs. If the alert criteria is met, Control Manager counts the logs. %START_TIME% is the start time of the interval and %END_TIME% is the end time of the interval. The length of the interval is determined by the period threshold in the alert settings.

%detections%

Number of detections

For example:

Event: High risk Virtual Analyzer detections

IP address: %hostIP%

Host name: %computer%

Group: %group%

Time range: %START_TIME% - %END_TIME%

Detections: %detections%