Token list | Trend Micro

Views:

The following tokens are provided for you to customize notification messages for administrators and users.

Token ID	Description
%Product_Name%	Name of our product.
%Security_risk_name%	Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022". For unscannable files, options for this token are as follows: For files whose size exceeds the limitation: Over restriction (message body size) Over restriction (file size) For unscannable compressed files: Over restriction (compression ratio) Over restriction (number of layer of compression) Over restriction (decompressed file size) Over restriction (decompressed file count) Over restriction (mail entity count) Over restriction (others) For password-protected compressed files: Protected compressed file For other password-protected files: Other protected file
%action%	Action taken after detection of a security risk.
%date% %time%	For Exchange Online and Gmail: Date and time when an email message detected as containing a security risk was received For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Date and time when a file detected as containing a security risk was uploaded or last modified For Salesforce: Date and time when an object record detected as containing a security risk was updated
%foundin%	Location where a security risk was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the folder path or website URL; for Gmail, it is the label(s) of the email message; for Salesforce, URI of the object record; for Teams Chat, it is the private teams chat URL.
%policy_name%	Name of a configured policy that was violated.
%sender%	Email address of the sender.
%violator%	Affected user related to a policy violation. For Exchange Online and Gmail, it is the mailbox of a protected user that received or sent an email message violating a policy; for SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, it is the user who uploaded or modified a file violating a policy; for Salesforce, it is the user who updated an object record; for Teams Chat, it is the user that sent a private chat message violating a policy.
%recipient%	Email address of the recipient.
%subject%	Subject of an email message violating a policy.
%attachments%	Name of an attachment violating a policy.
%filename%	Name of a file violating a policy.
%suspicious_url%	Suspicious URL detected.
%risk_level%	There are five Web Reputation risk levels assigned to an analyzed URL: Dangerous Highly suspicious Suspicious Safe Untested There are five Virtual Analyzer risk levels assigned to an analyzed object: High risk Medium risk Low risk No risk Unrated
%url_category%	Category of a suspicious URL detected. There are more than 90 categories, such as "Spyware" and "Crack".
%dlptemplatename%	Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.
%spam_category%	Category of a spam email message detected. There are four spam categories supported: BEC Phishing Ransomware Malicious spam Other spam
%detected_by%	Technology or method through which email messages and files were detected as containing a security threat. Options include: Pattern-based scanning Predictive Machine Learning Suspicious Object list Web Reputation Antispam engine Writing style analysis Blocked sender list Blocked URL list Dynamic URL scanning Computer vision Retro Scan & Auto Remediate
%file_format%	Format of a file that violated the Keyword Extraction security filter in a Data Loss Prevention policy.
%violated_keyword%	Keyword(s) that caused a file to violate the Keyword Extraction security filter in a Data Loss Prevention policy.
%redirected_to%	Email addresses to which email messages triggering the "Change recipient" action are redirected.

The following tokens are provided for you to specify the content in Replacement text.

Service	Token ID	Description
Exchange Online Exchange Online (Inline Mode) Gmail (Inline Mode) - Inbound Protection	[Attachment Name]	Name of an attachment violating a policy.
SharePoint Online OneDrive Microsoft Teams Box Dropbox Google Drive	%action%	Action taken after detection of a security risk.
	%policy_name%	Name of a configured policy that was violated.
	%FilterName%	Filter in an Advanced Threat Protection or Data Loss Prevention policy that detects an violation by a file in the protected application or service. Applicable filters include: Malware Scanning File Blocking Web Reputation Virtual Analyzer Data Loss Prevention Keyword Extraction (for Box only)
	%Security_risk_name%	Name of the security risk detected, for example, "HEUR_PDFEXP.A", "EXPL_CVE20060022". For unscannable files, options for this token are as follows: For files whose size exceeds the limitation: Over restriction (message body size) Over restriction (file size) For unscannable compressed files: Over restriction (compression ratio) Over restriction (number of layer of compression) Over restriction (decompressed file size) Over restriction (decompressed file count) Over restriction (mail entity count) Over restriction (others) For password-protected compressed files: Protected compressed file For other password-protected files: Other protected file
	%filename%	Name of a file violating a policy.
	%suspicious_url%	Suspicious URL detected.
	%dlptemplatename%	Name of a sensitivity label or compliance template that triggers the Data Loss Prevention policy.
	%risk_level%	There are five Web Reputation risk levels assigned to an analyzed URL: Dangerous Highly suspicious Suspicious Safe Untested There are five Virtual Analyzer risk levels assigned to an analyzed object: High risk Medium risk Low risk No risk Unrated

The following tokens are provided for you to customize notification messages for administrators and users in Writing Style Analysis for BEC.

Token ID	Description
%expected_sender_displayname%	Display name of the high profile user who is expected to be the real sender of an email message.
%action%	Action taken after detection of a probable BEC attack, which includes: Tag subject Add disclaimer Pass Move to Spam
%spam_category%	Category of a spam email message detected, which is BEC.
%date% %time%	Date and time when a probable BEC attack was detected.
%foundin%	Location where a probable BEC attack was detected. For Exchange Online, it is <email address>\<mailbox folder path>; for Gmail, it is the label(s) of the email message.
%policy_name%	Name of a configured policy that was violated.
%detected_by%	Technology or method through which an email message was detected as containing a probable BEC attack, which is Writing style analysis.
%sender%	Email address of the sender.
%recipient%	Email address of the recipient.
%subject%	Subject of an email message violating a policy.
%attachments%	Name of an attachment violating a policy.
%expected_sender%	Display name of the high profile user who is expected to be the real sender of an email message.
%origin_mail_message_id%	ID of an email message.

The following tokens are provided for you to customize the disclaimer in the redirected emails that triggered the "Change recipient" action.

Token ID	Description
%policy_name%	Name of a configured policy that was violated.

The following tokens are provided for you to customize the disclaimer for messages detected as from suspicious senders.

Token ID	Description
%detected_risk%	Specific risk that caused the message sender to be identified as suspicious.

The following tokens are provided for you to customize the confirmation email that is sent to end users upon receipt of a reported email to acknowledge their feedback.

Token ID	Description
%subject%	Subject of the reported email message.
%sender%	Sender email address of the reported email message.
%recipients%	Recipient email addresses of the reported email message.
%reporter%	Email address of the reporter.