If you have the Advanced Sandbox subscription, you can add rules to the Sandbox policy. You can configure different rules in your Sandbox policy to apply to different sets of users or to different locations. Also, see the recommended Sandbox policy.
To configure the Sandbox policy:
The service logs transactions in real time, and you can view the Sandbox reports and data under Dashboards and Analytics.
To enable inbound and outbound traffic inspection:
The Sandbox only analyzes files that are downloaded (inbound).
Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
The Zscaler service does an initial Sandbox static analysis for unknown PDF or Microsoft Office files to check if they contain active content. If they do, they are sent to the Sandbox for behavioral analysis. If they don't, they are classified as benign and allowed to download.