Secure Internet and SaaS Access (ZIA)
Viewing Sandbox Reports and Data
You can view a variety of Sandbox data and reports under Dashboard and Analytics:
- Security Dashboard
You can monitor malware detected by the Sandbox on the Security dashboard (Dashboard > Security). You can edit the dashboard and add widgets that display transaction information for the Sandbox, Sandbox Action, and Top Users/Locations for Sandbox.
If you have Advanced Sandbox, you can also see the Sandbox Patient 0 Events widget. It displays patient 0 events that occurred in your organization within the chosen time frame. To learn more about patient 0 events and the widget, see Configuring the Patient 0 Alert.
- Web Insights
In Web Insights Logs (Analytics > Web Insights > Logs), the Sandbox logs provide additional information about malicious transactions.
Following are some popular columns used for troubleshooting Sandbox transactions:
- Threat Name: Indicates the exact malware name (e.g., Trojan.Zbot, Backdoor.Caphaw) or the malware category, based on the behavior recognized by the Zscaler service. You can click the threat to view more information about it in the Zscaler Threat Library. If you have Standard Sandbox and a malicious file is allowed because it doesn't match the criteria of the default Sandbox rule, the service displays Not Subscribed in the Threat Name column.
- Policy Action: Displays what the Sandbox engine has done with suspicious files. The Sandbox engine takes the following actions with suspicious files:
  - Sent to Analysis: The file was sent to the Sandbox for behavioral analysis, and the user can download the file.
  - Quarantined: The file was sent to the Sandbox for behavioral analysis, and the user cannot download the file until the analysis is completed.
  - Blocked: The file was blocked immediately based on previous Sandbox analysis with a known MD5 hash.
- MD5: Displays the hash of suspicious files. If you have Advanced Sandbox, you can click the value to view the Sandbox Detail Report.
- Threat Category: Displays the threat type of the file. The following categories appear under this column:
  - Benign: A known non-malicious file.
  - Sandbox Adware: A known malicious file that automatically renders advertisements and installs adware.
  - Sandbox Anonymizer: A known malicious file that contains anonymizers and P2P clients.
  - Sandbox Malware: A known malicious file that behaves like APTs, exploits, botnets, trojans, keyloggers, spyware, and other malware.
  - Sent for Analysis: An unknown file that is sent to the Sandbox for behavioral analysis. After analysis, if the Sandbox classifies the file as malicious, the new malicious threat category is appended to Sent for Analysis (e.g., Sent for Analysis - Sandbox Malware/Anonymizer/Adware).
- Suspicious Content: Displays the raw Page Risk Index score of the file. If the file is blocked for other security reasons, the score is set to 100.
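As an added example (not Zscaler's code and not a real log export), the following Python script triages the Web Insights columns above. It assumes a CSV export with one column per field (the column names, users, timestamps and MD5 values are constructed). It splits Threat Category into a pending or final verdict and groups rows by Policy Action, so that files users could download under Sent to Analysis and that were later classified malicious can be pulled out by MD5 for follow-up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the Web Insights Sandbox columns; column names are an assumption.
SAMPLE_LOG = """\
time,user,threat_name,policy_action,md5,threat_category,suspicious_content
2024-05-01T10:00:00Z,alice@example.com,,Sent to Analysis,0123456789abcdef0123456789abcdef,Sent for Analysis - Sandbox Malware,80
2024-05-01T10:01:00Z,bob@example.com,,Quarantined,fedcba9876543210fedcba9876543210,Sent for Analysis - Sandbox Adware,60
2024-05-01T10:02:00Z,carol@example.com,Trojan.Zbot,Blocked,00000000000000000000000000000001,Sandbox Malware,100
2024-05-01T10:03:00Z,dave@example.com,,Sent to Analysis,00000000000000000000000000000002,Sent for Analysis,10
2024-05-01T10:05:00Z,frank@example.com,,Sent to Analysis,0123456789abcdef0123456789abcdef,Sent for Analysis - Sandbox Malware,80
"""

PENDING = "Sent for Analysis"
VERDICT_PREFIX = PENDING + " - "

def sandbox_verdict(threat_category):
    """Return (verdict, pending): plain 'Sent for Analysis' has no verdict yet; otherwise it is appended after ' - '."""
    if threat_category == PENDING:
        return None, True
    if threat_category.startswith(VERDICT_PREFIX):
        return threat_category[len(VERDICT_PREFIX):], False
    return threat_category, False

def triage(log_text):
    """Bucket rows by whether the user could have obtained a file the Sandbox found malicious."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        verdict, pending = sandbox_verdict(row["threat_category"])
        malicious = (verdict or "").startswith("Sandbox ")  # Sandbox Malware/Adware/Anonymizer
        if pending:
            buckets["pending"].append(row["md5"])
        elif row["policy_action"] == "Sent to Analysis" and malicious:
            # Download was allowed while analysis ran and the verdict came back malicious.
            buckets["delivered_then_malicious"].append((row["user"], row["md5"], verdict))
        elif row["policy_action"] == "Quarantined" and malicious:
            buckets["held_then_malicious"].append((row["user"], row["md5"], verdict))
        elif row["policy_action"] == "Blocked":
            buckets["blocked_known_hash"].append(row["md5"])
    return dict(buckets)

def exposed_users(log_text):
    """MD5 -> sorted users who could download a file later classified malicious."""
    exposure = defaultdict(set)
    for user, md5, _ in triage(log_text).get("delivered_then_malicious", []):
        exposure[md5].add(user)
    return {md5: sorted(users) for md5, users in exposure.items()}
```

The MD5 values in `exposed_users` are the ones to look up in the Sandbox Detail Report and to check on the listed users' endpoints.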
- Sandbox Detail Report
If your organization has Advanced Sandbox, you can click the MD5 hash of the file in the logs and view the Sandbox Detail Report. It provides different types of information about a file and its behavior, including forensic details such as which registry keys were changed, which network connections were initiated, and which files were read.
For each category, you can view additional details by clicking the Expand icon at the top right-hand corner of each widget.
Clicking the Print icon opens a printer-friendly version of the report.
You can also download the original file sample, dropped files, and network packet capture from the Download Summary widget.
The Sandbox is augmented with machine learning capabilities. Machine learning improves malware detection and increases the accuracy of Sandbox verdicts. You can view the machine learning results in the Machine Learning Analysis widget.
For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the report outputs to identify mitigation effectiveness and potential risk.
When configuring the Sandbox policy, you can also enable AI Quarantine to analyze an unknown file in quarantine and determine the likelihood of it being benign or suspicious while the file is undergoing Sandbox analysis. To learn more, see Configuring the Sandbox Policy.
- Sandbox Activity Report
- Sandbox Files Found Malicious Report
- CrowdStrike Endpoint Hits Report
- Microsoft Defender Endpoint Hits Report