The following tokens are provided for you to customize notification messages for administrators and users.
Token ID
Description
%Product_Name%
Name of our product.
%Security_risk_name%
Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".
For unscannable files, options for this token are as follows:
  • For files whose size exceeds the limitation:
    • Over restriction (message body size)
    • Over restriction (file size)
  • For unscannable compressed files:
    • Over restriction (compression ratio)
    • Over restriction (number of layer of compression)
    • Over restriction (decompressed file size)
    • Over restriction (decompressed file count)
    • Over restriction (mail entity count)
    • Over restriction (others)
  • For password-protected compressed files: Protected compressed file
  • For other password-protected files: Other protected file
%action%
Action taken after detection of a security risk.
%date% %time%
  • For Exchange Online and Gmail: Date and time when an email message detected as containing a security risk was received
  • For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified
  • For Salesforce: Date and time when an object record detected as containing a security risk was updated
%foundin%
Location where a security risk was detected.
For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message; for Salesforce, it is the URI of the object record; for Teams Chat, it is the private Teams chat URL.
%policy_name%
Name of a configured policy that was violated.
%sender%
Email address of the sender.
%violator%
Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox of a protected user that received or sent an email message violating a policy; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy; for Salesforce, it is the user who updated an object record; for Teams Chat, it is the user that sent a private chat message violating a policy.
%recipient%
Email address of the recipient.
%subject%
Subject of an email message violating a policy.
%attachments%
Name of an attachment violating a policy.
%filename%
Name of a file violating a policy.
%suspicious_url%
Suspicious URL detected.
%risk_level%
There are five Web Reputation risk levels assigned to an analyzed URL:
  • Dangerous
  • Highly suspicious
  • Suspicious
  • Safe
  • Untested
There are five Virtual Analyzer risk levels assigned to an analyzed object:
  • High risk
  • Medium risk
  • Low risk
  • No risk
  • Unrated
%url_category%
Category of a suspicious URL detected.
There are more than 90 categories, such as "Spyware" and "Crack".
%dlptemplatename%
Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.
%spam_category%
Category of a spam email message detected.
There are four spam categories supported:
  • BEC
  • Phishing
  • Ransomware
  • Malicious spam
  • Other spam
%detected_by%
Technology or method through which email messages and files were detected as containing a security threat. Options include:
  • Pattern-based scanning
  • Predictive Machine Learning
  • Suspicious Object list
  • Web Reputation
  • Antispam engine
  • Writing style analysis
  • Blocked sender list
  • Blocked URL list
  • Dynamic URL scanning
  • Computer vision
  • Retro Scan & Auto Remediate
%file_format%
Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.
%violated_keyword%
Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.
%redirected_to%
Email addresses to which email messages triggering the "Change recipient" action are redirected.
The following tokens are provided for you to specify the content in Replacement text.
Service
Token ID
Description
Service: Exchange Online, Exchange Online (Inline Mode), Gmail (Inline Mode) - Inbound Protection
[Attachment Name]
Name of an attachment violating a policy.
Service: SharePoint Online, OneDrive, Microsoft Teams, Box, Dropbox, Google Drive
%action%
Action taken after detection of a security risk.
%policy_name%
Name of a configured policy that was violated.
%FilterName%
Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects a violation by a file in the protected application or service.
Applicable filters include:
  • Malware Scanning
  • File Blocking
  • Web Reputation
  • Virtual Analyzer
  • Data Loss Prevention
  • Keyword Extraction (for Box only)
%Security_risk_name%
Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022".
For unscannable files, options for this token are as follows:
  • For files whose size exceeds the limitation:
    • Over restriction (message body size)
    • Over restriction (file size)
  • For unscannable compressed files:
    • Over restriction (compression ratio)
    • Over restriction (number of layer of compression)
    • Over restriction (decompressed file size)
    • Over restriction (decompressed file count)
    • Over restriction (mail entity count)
    • Over restriction (others)
  • For password-protected compressed files: Protected compressed file
  • For other password-protected files: Other protected file
%filename%
Name of a file violating a policy.
%suspicious_url%
Suspicious URL detected.
%dlptemplatename%
Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.
%risk_level%
There are five Web Reputation risk levels assigned to an analyzed URL:
  • Dangerous
  • Highly suspicious
  • Suspicious
  • Safe
  • Untested
There are five Virtual Analyzer risk levels assigned to an analyzed object:
  • High risk
  • Medium risk
  • Low risk
  • No risk
  • Unrated
The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.
Token ID
Description
%expected_sender_displayname%
Display name of the high-profile user who is expected to be the real sender of an email message.
%action%
Action taken after detection of a probable BEC attack, which includes:
  • Tag subject
  • Add disclaimer
  • Pass
  • Move to Spam
%spam_category%
Category of a spam email message detected, which is BEC.
%date% %time%
Date and time when a probable BEC attack was detected.
%foundin%
Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message.
%policy_name%
Name of a configured policy that was violated.
%detected_by%
Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.
%sender%
Email address of the sender.
%recipient%
Email address of the recipient.
%subject%
Subject of an email message violating a policy.
%attachments%
Name of an attachment violating a policy.
%expected_sender%
Display name of the high-profile user who is expected to be the real sender of an email message.
%origin_mail_message_id%
ID of an email message.
The following tokens are provided for you to customize the disclaimer in the redirected emails that triggered the "Change recipient" action.
Token ID
Description
%policy_name%
Name of a configured policy that was violated.
The following tokens are provided for you to customize the disclaimer for messages detected as from suspicious senders.
Token ID
Description
%detected_risk%
Specific risk that caused the message sender to be identified as suspicious.
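Each template type above accepts a different token set, so a token copied from one table into another template may not be listed for it. The following check is an added example, not part of the product or its documentation: it reports tokens in a template that are not listed for its type. The template-type labels, the sample template, and the treatment of token names as case-sensitive are assumptions of this example.

```python
import re

# Token names per template type, copied from the tables on this page.
# The dictionary keys are labels invented for this example.
# "replacement_text" covers the %...% tokens listed for the file services;
# [Attachment Name] uses a different syntax and is not checked here.
TOKENS = {
    "notification": set("""Product_Name Security_risk_name action date time
        foundin policy_name sender violator recipient subject attachments
        filename suspicious_url risk_level url_category dlptemplatename
        spam_category detected_by file_format violated_keyword
        redirected_to""".split()),
    "replacement_text": set("""action policy_name FilterName
        Security_risk_name filename suspicious_url dlptemplatename
        risk_level""".split()),
    "bec": set("""expected_sender_displayname action spam_category date time
        foundin policy_name detected_by sender recipient subject attachments
        expected_sender origin_mail_message_id""".split()),
    "redirect_disclaimer": {"policy_name"},
    "suspicious_sender_disclaimer": {"detected_risk"},
}
TOKEN_RE = re.compile(r"%([A-Za-z_]+)%")

def lint_template(template_type, text):
    """Return (token, reason) pairs for tokens not listed for template_type."""
    allowed = TOKENS[template_type]
    problems = []
    for name in sorted(set(TOKEN_RE.findall(text))):
        if name in allowed:
            continue
        # Assumption: names are case-sensitive, so flag a case-only mismatch.
        close = next((a for a in allowed if a.lower() == name.lower()), None)
        listed_for = sorted(t for t, s in TOKENS.items() if name in s)
        if close:
            problems.append((name, f"case differs from %{close}%"))
        elif listed_for:
            problems.append((name, "only listed for: " + ", ".join(listed_for)))
        else:
            problems.append((name, "not a listed token"))
    return problems

# Constructed sample: a BEC notification with three mistakes.
SAMPLE_BEC = ("Probable BEC on %date% %time%: %Subject% from %sender% "
              "(expected %expected_sender%), caught by %FilterName%, id %msg_id%")

if __name__ == "__main__":
    for token, reason in lint_template("bec", SAMPLE_BEC):
        print(f"%{token}%: {reason}")
```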