Which placeholders are available for integrations?

Placeholders are dynamic values that automatically populate fields in your integrations with data from Security Center. Use placeholders to customize notifications with asset details, vulnerability information, ticket data, and more. This gives you detailed, context-specific messages in Slack, Jira, ServiceNow, TOPdesk, Microsoft Teams, Splunk, QRadar, and other supported integrations.

What are placeholders?

Placeholders are special text codes enclosed in curly braces (for example, {asset.name}) that you insert into integration fields. When an event triggers a notification, Holm Security replaces these codes with actual data from the triggered event.

For example, if you add {vuln.severity} to a Slack message, the placeholder will be replaced with the vulnerability's actual severity level when the notification is sent.

Available placeholders by category

Placeholders are organized into three main categories based on the type of data they represent:

Asset placeholders

Use these placeholders to include information about the scanned asset (server, workstation, web application, etc.):

• {asset.name} - The display name of the asset
• {asset.hostname} - The hostname of the asset
• {asset.ipv4} - The IPv4 address of the asset
• {asset.ipv6} - The IPv6 address of the asset
• {asset.type} - The asset type (e.g., Server, Workstation, Web App)
• {asset.os} - The operating system of the asset
• {asset.url} - The web URL of the asset (for web applications)
• {asset.owner} - The owner of the asset as specified in Security Center
• {asset.tags} - Any tags assigned to the asset (comma-separated)
• {asset.business_risk} - The business risk rating of the asset
• {asset.details} - Additional asset details
• {asset.first_scanned} - The date the asset was first scanned
• {asset.last_scanned} - The date the asset was most recently scanned

Ticket placeholders

Use these placeholders to include information about remediation tickets created in your integration system:

• {ticket.url} - The direct link to the ticket in your integration system
• {ticket.number} - The ticket ID or reference number
• {ticket.name} - The ticket subject or title
• {ticket.status} - The current status of the ticket (e.g., Open, In Progress, Closed)
• {ticket.severity} - The severity level assigned to the ticket
• {ticket.due_date} - The due date for the ticket
• {ticket.new_ticket_subject} - The subject line when a new ticket is created
• {ticket.owner.name} - The full name of the ticket owner
• {ticket.owner.first_name} - The first name of the ticket owner
• {ticket.owner.last_name} - The last name of the ticket owner
• {ticket.owner.email} - The email address of the ticket owner

Vulnerability placeholders

Use these placeholders to include vulnerability details in your notifications:

• {vuln.name} - The vulnerability name or title
• {vuln.severity} - The severity level (Critical, High, Medium, Low)
• {vuln.summary} - A brief summary of the vulnerability
• {vuln.solution} - The recommended solution or remediation steps
• {vuln.impact} - The potential impact if the vulnerability is exploited
• {vuln.insight} - Additional insights about the vulnerability
• {vuln.detection} - How the vulnerability was detected
• {vuln.detection_result} - Detailed results from the detection scan
• {vuln.url} - The direct link to the vulnerability details in Security Center
• {vuln.cvss2} - The CVSS v2.0 score
• {vuln.cvss3} - The CVSS v3.0 score
• {vuln.cves} - Associated CVE identifiers (comma-separated)
• {vuln.hid} - The Holm Security internal identifier
• {vuln.exploits} - Known public exploits for this vulnerability
• {vuln.patches} - Available patches and updates
• {vuln.ransomware} - Whether the vulnerability is exploited by ransomware

How to use placeholders in your integrations

Follow these steps to add placeholders to your integration fields:

1. Establish a connection
   First, set up the basic connection with your integration application (Slack workspace, Jira instance, ServiceNow tenant, etc.).
2. Navigate to integration settings
   In Security Center, go to Integrations and select your integration.
3. Click "Add another field"
   This allows you to add custom mapping fields.
4. Enter the placeholder
   Type the placeholder code you want to use (for example, {vuln.severity} or {asset.owner}).
5. Test the integration
   Click Test ticket or Test connection to verify the placeholder resolves correctly with actual data.
6. Save your settings
   Click Update settings to save your configuration.

Example: building a custom Slack message

Here's an example of how to use multiple placeholders together to create a rich Slack notification:

Example placeholder message:

*New Vulnerability Found*

*Asset:* {asset.name} ({asset.ipv4})
*Vulnerability:* {vuln.name}
*Severity:* {vuln.severity}
*CVSS Score:* {vuln.cvss3}
*Solution:* {vuln.solution}

View in Security Center: {vuln.url}

After placeholder substitution, the message might look like:

*New Vulnerability Found*

*Asset:* Web Server 01 (192.168.1.45)
*Vulnerability:* OpenSSL Remote Code Execution
*Severity:* Critical
*CVSS Score:* 9.8
*Solution:* Upgrade OpenSSL to version 1.1.1 or later

View in Security Center: https://sc.holmsecurity.com/vulnerabilities/vuln-12345

Which integrations support placeholders?

Placeholders are available for the following integrations:

• Slack
  Customize Slack messages with asset, ticket, and vulnerability data

• Jira
  Populate Jira issue fields with dynamic vulnerability and asset details

• ServiceNow
  Map placeholders to ServiceNow incident and change request fields

• TOPdesk
  Create detailed TOPdesk tickets with placeholder-driven field mapping

• Microsoft Teams
  Send rich Teams messages with vulnerability and asset information

• Splunk
  Send structured placeholder data to Splunk for security monitoring

• IBM QRadar
  Stream vulnerability events with full placeholder context to QRadar

Best practices for placeholder usage

• Be consistent
  Use the same placeholders across multiple notifications, so your team can easily recognize the data format.
• Include context
  Don't just use {vuln.name} alone. Pair it with {asset.name} and {vuln.severity} so readers understand what is affected.
• Test first
  Always use the "Test ticket" or "Test connection" button to verify placeholders are working before saving your integration configuration.
• Use meaningful labels
  Add descriptive text around placeholders: "Affected Asset: {asset.name}" rather than just "{asset.name}".
• Format for readability
  For long messages, use line breaks and formatting (bold, italics) to make notifications easier to scan.
• Avoid overloading
  Don't use too many placeholders in a single message. Focus on the most relevant information (asset, vulnerability name, severity, action).

Troubleshooting placeholder issues

Placeholder is not being replaced with data

If a placeholder displays as literal text (like {vuln.name}) instead of the actual value:

• Verify the placeholder name is spelled correctly (placeholders are case-sensitive).
• Ensure the placeholder is wrapped in curly braces: {asset.ipv4} not asset.ipv4.
• Check that the data exists in Security Center (for example, {asset.owner} only works if the asset has an owner assigned).
• Use the "Test ticket" button to see actual placeholder values before saving.

Placeholder appears empty or blank

If a placeholder is replaced but shows no value:

• The data may not be available for that specific asset or vulnerability. For example, {asset.owner} is empty if no owner is assigned to the asset.
• Some placeholders (like {ticket.due_date}) only populate when a ticket is created. They won't have values in scan notifications.
• Verify the integration has the necessary permissions to access the data in Security Center.

Integration test fails with placeholder errors

If the "Test ticket" button fails:

• Try removing the placeholder temporarily and test again to isolate the issue.
• Check the integration documentation for field requirements (some fields may not accept all data types).
• Verify your endpoint URL or credentials are correct.
• Review the error message in Security Center for specific details.