Notification Variables

The different IWSVA modules support different variables (or tokens) in their notification messages. If you choose to create a custom message, please refer to the lists below to find out which variables are appropriate for a given module. Variables are not case sensitive.

Note

For verbs such as Actions, IWSVA uses simple present tense. To avoid grammar mishaps, Trend Micro recommends using "column style" notifications rather than "sentence style."

HTTPS Decryption

%h:IWSVA hostname
%u:URL/URI
%c:IP address:port after "https://"
$$DETAILS:details of certificate failure reason / access denied reason

HTTPS/HTTP and FTP Scanning

%A—action
%F—file name
%H—IWSVA host name
%L—Detailed file name and reason
%M—move path
%N—user name
%R—transfer direction
%U—URL/URI
%V—Malware name(virus, Trojan, or Bot name)
%X—reasons/block type
%Y—date and time

HTTP/HTTPS Access Denied by Application Control

%N—User name
%A—Action
%P—Path and file name
%C—Category
%Z—Policy name
%Y—Date and time
%H—IWSVA host name

Data Loss Protection

%T—Template name
%U—URL/URI
%Y—Date and time — The date and time of the triggering event
%A—Action taken
%N—User name
%Z—Policy name

Data Loss Protection URL Blocking

%H—IWSVA host name
%T—Template name
%N—User name
%U—URL/URI
%Y—Date and time
%Z—Policy name

C&C Callback Attempt Detection

%Z—Policy name
%N—User name
%U—URL/URI
%A—Action
%K—Risk level

HTTPS/HTTP/FTP File Type Block

%U—URL/URI

The following tokens are only used in messages for administrators or in user notification messages:
%F—File name
%A—Action taken
%H—IWSVA host name
%R—Transfer direction
%X—Reasons/block type
%Y—Date and time
%N—User Name
%V—Virus, Trojan, or Bot name

Applets and ActiveX Security

%D—Protocol being scanned
%H—IWSVA host name
%N—User name
%U—URL/URI
%W—New certificate information
%X—[reasons/block type]
%Y—Date and time
%Z—Policy name

URL Blocked by Access Control

%H—IWSVA host name
%N—User name
%U—URL/URI
%X—reason (only works in body)
%Y—Date and time

URL Blocked by URL Filtering

%C—Category
%H—IWSVA host name (only works in the header field)
%N—User name
%U—URL/URI
%Y—Date and time

URL Filtering

%U—URL/URI
%X—reason

URL Filtering by Time Quota

%U—URL/URI
%C—Category
%H—IWSVA host name
%N—User name
%Q—Quantity of time
%Y—Date and time

URL Access Warning

%A—Action
%B—Warn and Continue URL/URI
%C—Category
%H—IWSVA host name (only works in header field)
%N—User name
%U—URL/URI (only works in body)
%Y—Date and time

To customize URL Warning Access notifications, the message template must contain following form to display the "Continue" option:
```
<form id="warncontinue" method="post" action="%B$$$IWSX_URL_ACTION$$$">
    <INPUT type=hidden value="%A" name=data>
</form>
```

URL Access Override

%A—Action
%B—Continue to URL/URI
%C—Category
%E—Policy default Time Limit
%H—IWSVA host name
%J— Policy max Time Limit
%N—User name
%U—URL/URI
%Y—Date and time
%Z—Policy name

If you customize URL Access Override notifications, the message template must contain some javascript code to encrypt the password with base64 code. It should contain some elements: password, time limit and ttl_type. Otherwise, the customized notification page cannot work.
```
<form id="overridecontinue" method="post" action="%B[Warn and Continue URL/URI]$$$IWSX_URL_ACTION$$$">
<INPUT type=hidden value="%A[Action]" name=data>
```
To customize URL Warning Access notifications, the message template must contain following form to display the "Continue" option:
```
<input type="button" name="Button22"
```
```
value="Submit" class="style3"
```
```
onclick="doSubmit();" />
```

URL Blocking by HTTP Inspection

%H—IWSVA host name
%I— Filter name
%N—User name
%U—URL/URI
%Y—Date and time

Threshold Notification

%m—metric
%t—threshold value

High Availability Events

%h—host name
%p—peer name
%r—reason

/*<![CDATA[*/ $('#title').html($('meta[name=map-description]').attr('content')); /*]]>*/

Notification Variables

Note