
Configuring the Patient 0 Alert

You must have Advanced Sandbox to configure patient 0 alerts.

If you've configured the first-time action of a Sandbox rule to allow and scan unknown files, the Zscaler service:

  1. Allows users to download files that match the rule criteria.
  2. Sends the files to the Sandbox for behavioral analysis.

A patient 0 event occurs when a user downloads an unknown file that the Sandbox subsequently finds to be malicious. Because the download was allowed, the file has already reached that user's device, so the event tells you which users and locations need follow-up. On the Alerts page, you can add the patient 0 alert and receive emails about these events within approximately two hours.

Configuring the Patient 0 Alert

To configure the patient 0 alert:

  • To add the Patient 0 alert:

    1. Go to Administration > Alerts > Internet & SaaS > Alerts.
    2. On the Define Alerts tab, click Add Alert Definition.

      The Add Alert Definition window appears.

    3. In the Add Alert Definition window, do the following:

      • Status: Ensure it's Enabled.
      • Alert Name: Choose Patient 0.
      • Comments: (Optional) Enter any comments about the alert. The comments cannot exceed 10,240 characters.

      The Admin Portal automatically populates the following fields for the Patient 0 alert. You can't modify any of these fields.

      • Alert ID: This field is blank. The service automatically assigns an ID after you create the alert.
      • Alert Class: Set to Patient 0. The patient 0 alert class includes an unknown file that’s been permitted to download, but found to be malicious through behavioral analysis.
      • Minimum Occurrences: Set to 1. The service sends you an alert if one or more patient 0 events occur.
      • Within Time Interval: Set to 1 hour. The service scans for patient 0 events every hour.
      • Applies To: Set to Organization. The service sends you an alert if a patient 0 event affects any user in your organization.
      • Severity: Set to Critical. All patient 0 events are classified as critical because a malicious file download has been allowed.
    4. Click Save.
  • After adding the patient 0 alert, you must add a patient 0 alert subscription to receive emails about the events.

    To subscribe to patient 0 alerts:

    1. On the Alerts page, click the Publish Alerts tab.
    2. Click Add Alert Subscription to add a new email recipient. If your email is already listed, click the Edit icon.

      The Add/Edit Alert Subscription window appears.

    3. Under Patient 0 Alerts, enable Critical.

    4. Click Save and activate the change.

About the Sandbox Patient 0 Events Widget

On the Security dashboard, the Sandbox Patient 0 Events widget displays the patient 0 events that occurred in your organization.

If you hover over an event on the Sandbox Patient 0 Events widget, you can see the following information:

  • File Information: Displays the following information about the malicious file:
    • File Type: The type of file (EXE, DLL, PDF, etc.).
    • File Size: The size of the file in bytes.
    • MD5: The MD5 hash of the file.
  • Users Affected: Lists the users affected by the malicious file and their locations. Every user in this list received the file before the Sandbox verdict, so each one is a candidate for endpoint triage.
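The following is an added example, not Zscaler's code, that reconstructs patient 0 events from log data so the logic behind the alert and the widget is explicit: a hash becomes a patient 0 event when it was allowed under the allow-and-scan first-time action and the Sandbox later judged it malicious, and every allowed download of that hash before the verdict is a user affected. It also mirrors the fixed alert definition (minimum occurrences 1, within a 1-hour interval). All records, field names and the ALLOW_SCAN/MALICIOUS labels are constructed assumptions for illustration, not the Zscaler log or API schema.

```python
"""Correlate allowed unknown-file downloads with later Sandbox verdicts to
reconstruct patient 0 events (added example, not Zscaler's code).

All records below are constructed. Field names and the action/verdict labels
are assumptions for illustration, not the Zscaler log or API schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 15, 9, 0)   # constructed reference time


@dataclass(frozen=True)
class Download:
    """One web-log record for a file download (constructed schema)."""
    ts: datetime
    user: str
    location: str
    md5: str
    file_type: str
    size: int
    action: str   # "ALLOW_SCAN" stands for the Sandbox rule's allow-and-scan first-time action


@dataclass(frozen=True)
class Verdict:
    """One Sandbox report for a hash (constructed schema)."""
    ts: datetime
    md5: str
    result: str   # "MALICIOUS", "BENIGN" or "SUSPICIOUS" (assumed labels)


@dataclass
class Patient0Event:
    """What the widget shows per event: file info plus the users who received it."""
    md5: str
    file_type: str
    size: int
    verdict_ts: datetime
    users_affected: List[Tuple[str, str, datetime]] = field(default_factory=list)


def patient0_events(downloads: List[Download], verdicts: List[Verdict]) -> Dict[str, Patient0Event]:
    """A hash is a patient 0 event when it was allowed while unknown and later
    judged malicious. Every ALLOW_SCAN download of that hash up to the verdict
    time reached an endpoint. Downloads after the verdict are excluded: by then
    the hash is known-malicious and policy should block it, so such a record
    would indicate a policy gap rather than a patient 0 event."""
    malicious: Dict[str, Verdict] = {}          # earliest MALICIOUS verdict per hash
    for v in verdicts:
        if v.result == "MALICIOUS" and (v.md5 not in malicious or v.ts < malicious[v.md5].ts):
            malicious[v.md5] = v
    events: Dict[str, Patient0Event] = {}
    for d in sorted(downloads, key=lambda d: d.ts):
        v = malicious.get(d.md5)
        if v is None or d.action != "ALLOW_SCAN" or d.ts > v.ts:
            continue
        ev = events.setdefault(d.md5, Patient0Event(d.md5, d.file_type, d.size, v.ts))
        ev.users_affected.append((d.user, d.location, d.ts))
    return events


def should_alert(events: Dict[str, Patient0Event], window_start: datetime,
                 window_end: datetime, min_occurrences: int = 1) -> bool:
    """Mirror the alert definition: fire when at least min_occurrences events
    fall inside the time interval (the portal fixes these at 1 and 1 hour)."""
    n = sum(1 for e in events.values() if window_start <= e.verdict_ts < window_end)
    return n >= min_occurrences


MD5_A = "0123456789abcdef0123456789abcdef"  # constructed hash, later judged malicious
MD5_B = "fedcba9876543210fedcba9876543210"  # constructed hash, later judged benign

DOWNLOADS = [  # constructed web-log records
    Download(T0, "alice@example.com", "London", MD5_A, "EXE", 418304, "ALLOW_SCAN"),
    Download(T0 + timedelta(minutes=10), "carol@example.com", "Paris", MD5_B, "PDF", 90112, "ALLOW_SCAN"),
    Download(T0 + timedelta(minutes=20), "erin@example.com", "London", MD5_A, "EXE", 418304, "BLOCK"),  # blocked by another policy; never reached the endpoint
    Download(T0 + timedelta(minutes=30), "bob@example.com", "Berlin", MD5_A, "EXE", 418304, "ALLOW_SCAN"),
    Download(T0 + timedelta(minutes=65), "dave@example.com", "Berlin", MD5_A, "EXE", 418304, "ALLOW_SCAN"),  # after the verdict: not patient 0
]
VERDICTS = [  # constructed Sandbox reports
    Verdict(T0 + timedelta(minutes=45), MD5_A, "MALICIOUS"),
    Verdict(T0 + timedelta(minutes=50), MD5_B, "BENIGN"),
]


def sample_events() -> Dict[str, Patient0Event]:
    return patient0_events(DOWNLOADS, VERDICTS)


if __name__ == "__main__":
    for ev in sample_events().values():
        print(f"{ev.md5} {ev.file_type} {ev.size} B, verdict at {ev.verdict_ts:%H:%M}")
        for user, loc, ts in ev.users_affected:
            print(f"  {user} ({loc}) downloaded at {ts:%H:%M}")
    print("alert for 09:00-10:00:", should_alert(sample_events(), T0, T0 + HOUR))
```

Running the script lists one event for MD5_A with alice and bob as users affected; erin's blocked download and dave's post-verdict download are excluded, and the benign hash never appears. When you act on the real alert, treat the widget's Users Affected list the same way: each entry is a device that already holds the file.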