About the Sandbox Activity Report


About the Sandbox Activity Report

The Sandbox Activity Report highlights the Sandbox policy action taken for known and unknown files in your organization. Unknown files are files that the Sandbox encounters for the first time. Files known by cloud effect are files from any organization that the Sandbox analyzed and classified as malicious or benign.

The Sandbox Activity Report also highlights the threat categories, threat names, URL categories, and file types of known and unknown files after Sandbox analysis. You can view the data by transactions or specific files. You can view weekly reports from the last six months, not including the current week.

You can view the report in the Admin Portal by going to Analytics > Sandbox Activity Report.
See image.

  1. View the Sandbox Files Found Malicious report (requires Advanced Sandbox subscription).
  2. Choose the week to view the report for.
  3. View the data by Transactions or Unique FilesTransactions include all download attempts, even of the same file. Unique Files count each file once, regardless of the number of transactions.
  4. Show or hide the detailed explanations under the widgets.
  5. View the widgets in the report.

Screenshot highlighting the Sandbox Activity Report features.

  • Unknown Files & Files Known by Cloud Effect: Shows how many files were known benign or known malicious by cloud effect, or unknown and sent for Sandbox analysis.
  • Policy Actions & Verdicts for Files Known by Cloud Effect: Shows how many known benign or malicious files were allowed or blocked. 

Known malicious files might have been allowed because you don't have the Advanced Sandbox subscription or the right Sandbox rule configured. Zscaler recommends investigating these files.

  • Policy Actions & Verdicts for Unknown Files: Shows how many files were found malicious after being sent for Sandbox analysis. A situation might occur where a file that has been quarantined also could be counted under Allow & Scan if the file was allowed while in quarantine. For example, user A has a quarantine Sandbox rule applied to them, and user B has an allow and scan rule applied to them. User A attempts to download an unknown file that is sent for Sandbox analysis because of the quarantine rule. While the unknown file is being analyzed, user B can download the same file because of the allow and scan rule. In this case, the file would be counted under Quarantine and Allow & Scan.

Malicious files downloaded due to the Allow & Scan policy action are patient 0 events. Zscaler recommends investigating these files.

  • Threat Categories for Malicious Files Known by Cloud Effect: Shows the threat categories of files that were known malicious by cloud effect.
  • Threat Categories for Unknown Files Found Malicious: Shows the threat categories of files analyzed and found malicious.
  • URL Categories for Unknown Files: Shows the URL categories for the destination URLs that were accessed to download unknown files that were sent for analysis.
  • URL Categories for Malicious Files Known by Cloud Effect: Shows the URL categories for the destination URLs from which users attempted to download files that were known malicious by cloud effect. If you notice many malicious files coming from specific URL categories, consider modifying the Sandbox policy to quarantine files from those URL categories.
  • Threat Names for Unknown Files Found Malicious: Shows the top threat names seen across all files analyzed and found malicious.
  • Threat Names for Malicious Files Known by Cloud Effect: Shows the top threat names seen across all files that were known malicious by cloud effect.
  • File Types for Malicious Files Known by Cloud Effect: Shows the files that were known malicious, by file type.
  • File Types for Unknown Files: Shows the files analyzed and found malicious, by file type. If you notice specific file types being found malicious frequently, consider modifying the Sandbox policy to quarantine them.

Screenshot of the Sandbox Activity Report.