Configuring the Patient 0 Alert

Configuring the Patient 0 Alert

You must have the Advanced Sandbox subscription to configure patient 0 alerts.

If you've configured the the first-time action of a Sandbox rule to allow and scan unknown files, the Zscaler service:

  1. allows users to download files that match the rule criteria
  2. sends the files to the Sandbox for behavioral analysis

A patient 0 event occurs when a user downloads an unknown file that is scanned and found to be malicious. On the Alerts page, you can add the patient 0 alert and receive emails about these events within approximately two hours.

Configuring the Patient 0 Alert

Watch a video about Alerts, including how to configure them.

To configure the patient 0 alert:

About the Sandbox Patient 0 Events Widget

On the Security dashboard, the Sandbox Patient 0 Events widget displays the patient 0 events that occurred in your organization.

On the Sandbox Patient 0 Events widget, you can see the following information:
See image.

  • Alert Time: Displays the time the patient 0 alert is sent.
  • MD5: The MD5 hash of the malicious file. Click to view the Sandbox Detail Report.
  • Threat: The threat name of the malicious file.
  • Transactions: The number of transactions that occurred with the malicious file. Click to view the transaction logs on the Web Insights page.

If you hover over an event, you can see the following information:
See image.

  • File Information: Displays the following information of the malicious file.
    • File Type: The type of file (EXE, DLL, PDF, etc.).
    • File Size: The total bytes of the file.
    • MD5: The MD5 hash of the file.
    • SHA1: The SHA-1 hash of the file.
  • Users Affected: Lists the users affected by the malicious file and their location.

To add the Patient 0 alert:

  1. Go to Administration > Alerts.
  2. On the Define Alerts tab, click Add Alert Definition.
    See image.
  3. In the Add Alert Definition window, do the following:
    See image.
    • Status: Ensure it's Enabled.
    • Alert Name: Choose Patient 0.
    • Comments: (Optional) Enter any comments about the event. The comments cannot exceed 10,240 characters.

The Admin Portal automatically populates the following fields for the Patient 0 alert. You can't modify any of these fields.

  • Alert ID: This field is blank. The service automatically assigns an ID after you create the alert.
  • Alert Class: Set to Patient 0. The patient 0 alert class includes an unknown file that’s been permitted to download, but found to be malicious through behavioral analysis. 
  • Minimum Occurrences: Set to 1. The service sends you an alert if one or more patient 0 events occur.
  • Within Time Interval: Set to 1 hour. The service scans for patient 0 events every hour.
  • Applies To: Set to Organization. The service sends you an alert if a patient 0 event affects any user in your organization.
  • Severity: Set to Critical. All patient 0 events are classified as critical because a malicious file download has been allowed.
  1. Click Save.

 After adding the patient 0 alert, you must add a patient 0 alert subscription to receive emails about the events.

To subscribe to patient 0 alerts:

  1. On the Alerts page, click the Publish Alerts tab.
  2. Click Add Alert Subscription to add a new email recipient. If your email is already listed, click the Edit icon.
    The Add/Edit Alert Subscription window will appear.
  3. Under Patient 0 Alerts, enable Critical.
    See image.
  4. Click Save and activate the change.

Screenshot of the Add Alert Definition button on the Define Alerts tab

Screenshot of the configured Patient 0 alert in the Add Alert Definition window

Screenshot highlighting the Critical option for Patient 0 Alerts in the Add Alert Subscription window 

Screenshot of the Sandbox Patient 0 Events widget

Screenshot of the File Information and Users Affected for a Sandbox patient 0 event