icon-zia.svg
Secure Internet and SaaS Access (ZIA)

About the Sandbox Activity Report

The Sandbox Activity Report highlights the Sandbox policy action taken for known and unknown files in your organization. Unknown files are files that the Sandbox encounters for the first time. Files known by cloud effect are files from any organization that the Sandbox analyzed and classified as malicious or benign.

The Sandbox Activity Report also highlights the threat categories, threat names, URL categories, and file types of known and unknown files after Sandbox analysis. You can view the data by transactions or specific files. You can view weekly reports from the last six months, not including the current week.

About the Sandbox Activity Report Page

On the Sandbox Activity Report page (Analytics > Sandbox Activity Report), you can do the following:

  1. View the Sandbox Files Found Malicious report (requires the Advanced Sandbox).
  2. Choose the week to view the report for.
  3. View the data by Transactions or Unique Files. Transactions include all download attempts, even of the same file. Unique Files count each file once, regardless of the number of transactions.
  4. Print the report.
  5. Export the displayed transactions to a PDF or JSON file.
  6. Schedule or manage email deliveries of the Sandbox Activity Report.
    • Add Schedule: Schedule a weekly email delivery of the Sandbox Activity Report. The email contains a report preview and a link to the full report. To learn more, see Scheduling the Sandbox Activity Report Weekly Email.
    • Manage Schedule: If you have scheduled a weekly email delivery, view the Scheduled Reports page to edit or delete the scheduled delivery. To learn more, see About Scheduled Reports.
  7. Show or hide the detailed explanations under the widgets.
  8. View the widgets in the report.
      • Unknown Files & Files Known by Cloud Effect: Shows how many files were known benign or known malicious by cloud effect, or unknown and sent for Sandbox analysis.
      • Policy Actions & Verdicts for Files Known by Cloud Effect: Shows how many known benign or malicious files were allowed or blocked.

      Known malicious files might have been allowed because you don't have the Advanced Sandbox subscription or the right Sandbox rule configured. Zscaler recommends investigating these files.

      • Policy Actions & Verdicts for Unknown Files: Shows how many files were found malicious after being sent for Sandbox analysis. A situation might occur where a file that has been quarantined could also be counted under Allow & Scan if the file was allowed while in quarantine. For example, user A has a quarantine Sandbox rule applied to them, and user B has an allow and scan rule applied to them. User A attempts to download an unknown file that is sent for Sandbox analysis because of the quarantine rule. While the unknown file is being analyzed, user B can download the same file because of the allow and scan rule. In this case, the file would be counted under Quarantine and Allow & Scan.

      Malicious files downloaded due to the Allow & Scan policy action are patient 0 events. Zscaler recommends investigating these files.

      • Threat Categories for Malicious Files Known by Cloud Effect: Shows the threat categories of files that were known malicious by cloud effect.
      • Threat Categories for Unknown Files Found Malicious: Shows the threat categories of files analyzed and found malicious.
      • URL Categories for Unknown Files: Shows the URL categories for the destination URLs that were accessed to download unknown files that were sent for analysis.
      • URL Categories for Malicious Files Known by Cloud Effect: Shows the URL categories for the destination URLs from which users attempted to download files that were known malicious by cloud effect. If you notice many malicious files coming from specific URL categories, consider modifying the Sandbox policy to quarantine files from those URL categories.
      • Threat Names for Unknown Files Found Malicious: Shows the top threat names seen across all files analyzed and found malicious.
      • Threat Names for Malicious Files Known by Cloud Effect: Shows the top threat names seen across all files that were known malicious by cloud effect.
      • File Types for Malicious Files Known by Cloud Effect: Shows the files that were known malicious, by file type.
      • File Types for Unknown Files: Shows the files analyzed and found malicious, by file type. If you notice specific file types being found malicious frequently, consider modifying the Sandbox policy to quarantine them.
      Close

Screenshot highlighting the Sandbox Activity Report features.

Related Articles
Viewing the Resource Discovery ReportAbout the Email Security ReportAbout Email Security Report: IncidentsAbout the Gen AI Security ReportAbout the Instance Discovery ReportAbout Cybersecurity InsightsAbout Interactive ReportsAbout Industry Peer ComparisonAbout the System Audit ReportAbout the Sandbox Activity ReportScheduling the Sandbox Activity Report Weekly EmailAbout the Sandbox Files Found Malicious ReportScheduling the Sandbox Files Found Malicious Report Weekly EmailCIPA Compliance ReportAbout the Company Risk Score ReportAbout the User Risk ReportCompany Summary Report (CIO Report)Company Summary Report (CSO Report)Security Policy Audit ReportExecutive Insights ReportAbout SaaS Assets Summary ReportViewing Quarterly Business Review ReportsAbout Attack Surface ReportConfiguring the Attack Surface Report NotificationAbout Configuration Risk ReportAbout the Data Discovery ReportViewing Data Discovery DetailsAbout the IoT ReportAbout Discovered DevicesProviding Feedback on IoT Device ClassificationsAbout Scheduled ReportsScheduling ReportsCreating or Copying a ReportExcluding Locations in User-Related ReportsExporting and Importing ReportsPrinting ReportsAbout Endpoint DLP ReportAbout Endpoint DLP Report: Incidents