Dynamic variables
Updated: October 30, 2025
Notification integrations use tokens as variables. Each integration has a customizable payload in which you can add, remove, and change tokens and text.
The tokens and text in the payload determine what information is populated into your alert. For example:
- {alert_name} was triggered at {alert_timestamp}: this populates the alert with the name you have given the alert and the time in UTC when the alert was generated, for example "404 alert was triggered at 21/04/2023T12:35:36".
The tables below detail the variables you can use in a payload.
Resource Policy
| Variable Name | Description | Example | Process Type |
|---|---|---|---|
| alert_link | Link to the alert in the FireTail SaaS platform. | https://firetail.app/organisations/2b33ac05.../monitor-alerting/27da7c63... | Alert |
| alert_uuid | Unique UUID of the alert. | bd65fefc-43d9-4c6c-9719-21ef828afa6c | Alert |
| alert_name | Name of the alert. | 404 alert | Alert |
| alert_timestamp | Timestamp alert was generated (UTC). | 21/04/2023T12:35:36 | Alert |
| alert_operand | Operand of the alert. | < > >= <= == | Alert |
| alert_nice_operand | Operand in text form. | less than | Alert |
| alert_type | Type of alert. | static \| anomaly | Alert |
| alert_static_threshold_condition | Same as alert_operand. | < > >= <= == | Alert |
| alert_static_threshold_value | Threshold value for triggering a static alert. | 1000 | Alert |
| alert_static_triggered_value | Value that caused the alert to trigger. | 1001 | Alert |
| alert_period | Period checked for alert breach (seconds). | 900 | Alert |
| alert_throttle_enabled | If true, alert won't re-trigger during threshold period. | true | Alert |
| alert_throttle_period | Mute period after alerting (seconds). | 900 | Alert |
| alert_message | The alert message. | — | Alert |
| org_uuid | UUID of the organization. | bd65fefc-43d9-4c6c-9719-21ef828afa6c | Alert |
Anomaly Alerts
| Variable Name | Description | Example | Process Type |
|---|---|---|---|
| alert_link | Link to the alert in the FireTail SaaS platform. | https://firetail.app/organisations/2b33ac05.../monitor-alerting/27da7c63... | Alert |
| alert_uuid | Unique UUID of the alert. | bd65fefc-43d9-4c6c-9719-21ef828afa6c | Alert |
| alert_name | Name of the alert. | 404 alert | Alert |
| alert_timestamp | Timestamp alert was generated (UTC). | 21/04/2023T12:35:36 | Alert |
| alert_operand | Operand of the alert. | < > >= <= == | Alert |
| alert_nice_operand | Operand in text form. | less than | Alert |
| alert_type | Type of alert. | static \| anomaly | Alert |
| alert_period | Period checked for alert breach (seconds). | 900 | Alert |
| alert_throttle_enabled | If true, alert won't re-trigger during threshold period. | true | Alert |
| alert_throttle_period | Mute period after alerting (seconds). | 900 | Alert |
| alert_anomaly_sensitivity | Sensitivity level for anomaly detection. | 1.5 | Alert |
| alert_anomaly_max_data_points | Max data points checked for anomaly breach. | 1 | Alert |
| alert_anomaly_min_data_points | Min data points for anomaly check (× alert_period). | 1 | Alert |
| alert_anomaly_comparison_operator | Comparison operator for anomaly threshold. | LessThanLowerOrGreaterThanUpperThreshold | Alert |
| alert_message | The alert message. | — | Alert |
| org_uuid | UUID of the organization. | bd65fefc-43d9-4c6c-9719-21ef828afa6c | Alert |
Incident Policy
| Variable Name | Description | Example | Process Type |
|---|---|---|---|
| policy_name | Name of the resource policy. | Example Policy | Resource Policy |
| resource_policy_uuid | UUID of the resource policy. | example-policy-uuid | Resource Policy |
| resource_policy_link | Link to the resource policy in the FireTail SaaS platform. | https://firetail.app/organisations/example-org-uuid/posture-management/resource-policies/example-policy-uuid | Resource Policy |
| history_item_link | Link to the resource policy history item in FireTail SaaS. | https://firetail.app/organisations/example-org-uuid/posture-management/resource-policies/example-policy-uuid/history/example-history-item-uuid | Resource Policy |
| ran_at | Timestamp when the resource policy was executed in UTC. | 2025-08-14T16:15:07.659641 | Resource Policy |
| matching_resource_count | Number of resources that matched the policy criteria. | 3 | Resource Policy |
| matching_resource_item_types | Array of resource types that matched the policy criteria. | ["api", "app"] | Resource Policy |
Example incident message for Slack
```json
{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "Incident Triggered by Policy '{incident_policy_name}'",
        "emoji": true
      }
    },
    {
      "type": "section",
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*Name:*\n{incident_title}"
        },
        {
          "type": "mrkdwn",
          "text": "*Trigger Time:*\n{incident_timestamp}"
        }
      ]
    },
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "Findings - {incident_findings_total_count}",
        "emoji": true
      }
    },
    {
      "type": "section",
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*Critical:*\n{incident_findings_critical_count}"
        },
        {
          "type": "mrkdwn",
          "text": "*High:*\n{incident_findings_high_count}"
        },
        {
          "type": "mrkdwn",
          "text": "*Medium:*\n{incident_findings_medium_count}"
        },
        {
          "type": "mrkdwn",
          "text": "*Low:*\n{incident_findings_low_count}"
        }
      ]
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "<{incident_link}|View Incident>"
      }
    }
  ]
}
```
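A custom payload can be checked locally before it is saved to an integration. The sketch below is an added example, not FireTail code: it flags tokens that are not in the first variable table above, catches JSON structure errors such as a missing comma, and renders a preview with JSON-escaped values. The names `lint_payload`, `preview` and `SAMPLE` are hypothetical, and it assumes tokens are written as `{name}` inside JSON string values; how the platform itself escapes substituted values is not stated on this page.

```python
import json
import re

# Token names copied from the page's first variable table (Process Type: Alert).
ALERT_TOKENS = {
    "alert_link", "alert_uuid", "alert_name", "alert_timestamp", "alert_operand",
    "alert_nice_operand", "alert_type", "alert_static_threshold_condition",
    "alert_static_threshold_value", "alert_static_triggered_value",
    "alert_period", "alert_throttle_enabled", "alert_throttle_period",
    "alert_message", "org_uuid",
}
# Assumption: a token is {name} placed inside a JSON string value.
TOKEN_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def lint_payload(template, allowed=ALERT_TOKENS):
    """Return (unknown_tokens, json_error) for a payload template."""
    unknown = sorted(set(TOKEN_RE.findall(template)) - set(allowed))
    # Swap every token for inert text so only the JSON structure is tested.
    probe = TOKEN_RE.sub("TOKEN", template)
    try:
        json.loads(probe)
        json_error = None
    except json.JSONDecodeError as exc:
        json_error = f"line {exc.lineno}: {exc.msg}"
    return unknown, json_error


def preview(template, values):
    """Render a local preview, JSON-escaping each value before substitution."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)  # leave unresolved tokens visible
        return json.dumps(str(values[name]))[1:-1]  # escape quotes, newlines
    return json.loads(TOKEN_RE.sub(repl, template))


# Constructed sample template in the same Slack block layout as the example above.
SAMPLE = """{
  "blocks": [
    {"type": "header",
     "text": {"type": "plain_text", "text": "{alert_name} triggered"}},
    {"type": "section",
     "text": {"type": "mrkdwn",
              "text": "*Value:* {alert_static_triggered_value}\\n<{alert_link}|View alert>"}}
  ]
}"""
```
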