The Sandbox Activity Report highlights the Sandbox policy action taken for known and unknown files in your organization. Unknown files are files that the Sandbox encounters for the first time. Files known by cloud effect are files from any organization that the Sandbox has already analyzed and classified as malicious or benign.
The Sandbox Activity Report also highlights the threat categories, threat names, URL categories, and file types of known and unknown files after Sandbox analysis. You can view the data by transactions or specific files. You can view weekly reports from the last six months, not including the current week.
You can view the report in the Admin Portal by going to Analytics > Sandbox Activity Report.
Known malicious files might have been allowed because you don't have the Advanced Sandbox subscription or the right Sandbox rule configured. Zscaler recommends investigating these files.
Malicious files downloaded due to the Allow & Scan policy action are patient 0 events. Zscaler recommends investigating these files.