How do I view Sandbox reports and data?

The Sandbox logs provide additional information about the transactions with malicious activity, as shown below.

Note that the Threat Name may indicate the exact malware, such as Trojan.Zbot, Backdoor.Caphaw, or just the malware category, based on the behavior recognized by the service.

The logs contain a Policy Action column that displays what the Sandbox engine has done with suspicious files. The following are the actions that the Sandbox engine may take:

  • Sent to Analysis: The file was sent to the sandbox for behavioral analysis, and the user can download the file.
  • Quarantined: The file was sent to the sandbox for behavioral analysis, and the user cannot download the file until the analysis is completed.
  • Blocked: The file was blocked immediately based on previous sandbox analysis with a known MD5 hash.

The logs also contain an MD5 column that displays the hash of suspicious files. If your organization has the Cloud Sandbox subscription, you can click the value in this column to view the Sandbox Detail Report.

Additionally, you can monitor malware detected by the service on the dashboard. For example, you can edit the Security dashboard and add widgets that display the Sandbox or Sandbox Action data type.

About the Sandbox Detail Report

If your organization has the Cloud Sandbox subscription, the Sandbox Detail Report provides information about a file and its behavior. It provides different types of information, including forensic details such as which registry keys were changed, which network connections were initiated, and which files were read.

For each category, you can view additional details by clicking the Expand icon at the top right-hand corner of each widget.

You can also print the report by clicking the Print icon.

Viewing the Sandbox Detail Report from NSS

If your organization has an NSS subscription, you can open a Sandbox Detail Report based on the MD5 parameter that you retrieve from your logs in the SIEM. You can copy the MD5 parameter from the logs in your SIEM and add it to the following URL string:

admin.<Zscaler cloud>/ba/<MD5 value>

For example, if your Zscaler cloud is zscalerbeta, and the MD5 for the log is 728e5700a401498d91fb83159beec834, then enter the following to view the corresponding Sandbox Detail Report:

To learn how you can find your cloud name, see What is my cloud name?

Note that you must be logged in to the Zscaler admin portal and have the following permissions:

  • Reporting Access: Full or View Only
  • Functional Scope: Security
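The lookup procedure above (copy the MD5 from a SIEM log line, validate it, and place it into the admin.<Zscaler cloud>/ba/<MD5 value> template) as an added Python example; this is not Zscaler's code. The key=value log line, the field name md5 and the cloud name zscalerbeta are constructed for the example, and the template is used exactly as the page states it, with no domain suffix added.

```python
import re

# Constructed sample SIEM log lines in a key="value" layout (not real NSS output).
# The second line is a non-sandboxed transaction, so it carries no usable MD5.
SAMPLE_LOGS = [
    'reason="Sandbox" threatname="Trojan.Zbot" action="Quarantined" '
    'md5="728E5700A401498D91FB83159BEEC834" url="files.example.invalid/a.exe"',
    'reason="Allowed" threatname="None" action="Allowed" md5="None" '
    'url="www.example.invalid/index.html"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MD5_RE = re.compile(r"^[0-9a-f]{32}$")  # MD5 is 128 bits = 32 hex characters


def parse_log_line(line):
    """Split a key="value" log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def is_md5(value):
    """True only for a well-formed 32-hex-digit MD5 (case-insensitive)."""
    return bool(MD5_RE.match(value.strip().lower()))


def sandbox_report_url(cloud, md5):
    """Build the Sandbox Detail Report URL from the template on the page:
    admin.<Zscaler cloud>/ba/<MD5 value>. Rejects malformed hashes so a
    placeholder such as "None" is never pasted into the portal URL."""
    if not is_md5(md5):
        raise ValueError(f"not a valid MD5 value: {md5!r}")
    return f"admin.{cloud}/ba/{md5.strip().lower()}"


def report_urls_from_logs(cloud, lines):
    """Return a report URL per log line, or None where the line has no
    usable MD5 (e.g. transactions the Sandbox never processed)."""
    urls = []
    for line in lines:
        md5 = parse_log_line(line).get("md5", "")
        urls.append(sandbox_report_url(cloud, md5) if is_md5(md5) else None)
    return urls


if __name__ == "__main__":
    for url in report_urls_from_logs("zscalerbeta", SAMPLE_LOGS):
        print(url)
```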