The Alert Message can provide additional documentation for you and others about the conditions that triggered an alert.
For Event Alerts, you can add tags to the message so that it provides data specific to the alert instance. The following table shows the available tags.
| Tag |
Description |
|---|---|
| <FileName> |
Name of the file from the event initiating the alert. If multiple files led to the alert, contains a comma-separated list. |
| <Sha256> |
SHA-256 hash of the file from initiating event. If multiple files led to the alert, contains a comma-separated list. |
| <Md5> |
MD5 hash of the file from the initiating event. If multiple files led to the alert, contains a comma-separated list. |
| <Sha1> |
SHA-1 hash of the file from initiating event. If multiple files led to the alert, contains a comma-separated list. |
| <RootSha256> |
Root SHA-256 hash of the file from the initiating event. If multiple files led to the alert, contains a comma-separated list. |
| <HostName> |
Name of computer from the initiating event. If multiple computers led to the alert, contains a comma-separated list. |
| <UserName> |
Username from initiating event. If multiple users led to the alert, contains a comma-separated list. |
| <EventRuleName> |
If an event rule initiated the alert, the name of the rule. |
| <EventRuleDescription> |
If an event rule initiated the alert, the description of the rule. |
| <EventSubtype> |
The subtype of the initiating event. If multiple events led to the alert, contains a comma-separated list. |
| <EventDescription> |
Description field from the initiating event. |
| <AntibodyId> |
ID of the file from initiating event. If multiple events led to the alert, contains a comma separated list. |
| <HostId> |
ID of the host from the initiating event. If multiple events led to the alert, contains a comma separated list. |
