Viewing Sandbox Reports and Data


Depending on your Sandbox subscription, you can view a variety of Sandbox data and reports under Dashboard and Analytics:

You can monitor malware detected by the sandbox on the Security dashboard (Dashboard > Security). You can edit the dashboard and add widgets that display transaction information for the Sandbox, Sandbox Action, and Top Users/Locations for Sandbox.

Screenshot of the sandbox related widgets on the Security Dashboard.

If you have the Advanced Sandbox subscription, you can also see the Sandbox Patient 0 Events widget. It displays patient 0 events that occurred in your organization within the chosen time frame. To learn more about patient 0 events and the widget, see Configuring the Patient 0 Alert.

Screenshot of the Sandbox Patient 0 Events widget.

In Web Insights (Analytics > Web Insights), the Sandbox logs provide additional information about malicious transactions.

Screenshot of the Sandbox logs on the Web Insights page.

The Threat Name can indicate the exact malware, such as Trojan.Zbot, Backdoor.Caphaw, or just the malware category, based on the behavior recognized by the service.

The logs contain a Policy Action column that displays what the Sandbox engine has done with suspicious files. The following are the actions that the Sandbox engine might take:

  • Sent to Analysis: The file was sent to the Sandbox for behavioral analysis, and the user can download the file.
  • Quarantined: The file was sent to the Sandbox for behavioral analysis, and the user cannot download the file until the analysis is completed.
  • Blocked: The file was blocked immediately based on previous sandbox analysis with a known MD5 hash.

The logs also contain an MD5 column that displays the hash of suspicious files. If your organization has the Advanced Sandbox subscription, you can click the value in this column to view the Sandbox Detail Report.

If you have the Standard Sandbox subscription and a malicious file is allowed because it doesn't match the criteria of the default Sandbox rule, the Zscaler service displays Not Subscribed in the Threat Name column.
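The Threat Name, Policy Action and MD5 columns described above are what a SOC analyst would consume from an exported log. The following added example (not Zscaler's code and not part of the original page) parses a constructed CSV export of such rows and triages them: hashes Blocked on a prior verdict become known-bad indicators, Quarantined rows are listed as pending verdicts, Not Subscribed rows are surfaced as analysis coverage gaps, and rows whose MD5 value is malformed are set aside because they cannot be used for a Detail Report lookup. The CSV layout, the User column, the "Allowed" action on the Not Subscribed row and every hash value are assumptions or constructed sample data.

```python
import csv
import hashlib
import io
import re
from collections import Counter

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Policy Action values the page lists for the Sandbox engine.
ACTIONS = {"Sent to Analysis", "Quarantined", "Blocked"}


def constructed_md5(label: str) -> str:
    """Deterministic, obviously constructed MD5 value for sample rows (not a real IoC)."""
    return hashlib.md5(label.encode()).hexdigest()


# Constructed sample export of Sandbox log rows. Column names follow the page
# (Threat Name, Policy Action, MD5); the CSV layout, the User column and the
# "Allowed" action on the Not Subscribed row are assumptions.
SAMPLE_LOG = (
    "Threat Name,Policy Action,MD5,User\n"
    f"Trojan.Zbot,Blocked,{constructed_md5('sample-1')},alice\n"
    f"Backdoor.Caphaw,Quarantined,{constructed_md5('sample-2')},bob\n"
    f"Unknown,Sent to Analysis,{constructed_md5('sample-3')},carol\n"
    f"Not Subscribed,Allowed,{constructed_md5('sample-4')},dave\n"
    f"Trojan.Zbot,Blocked,{constructed_md5('sample-1')},erin\n"
    "Trojan.Zbot,Blocked,not-a-hash,frank\n"
)


def parse_sandbox_log(text: str) -> list[dict]:
    """Read a CSV export into a list of row dicts, stripping stray whitespace."""
    return [
        {k.strip(): v.strip() for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def is_valid_md5(value: str) -> bool:
    """True when the value is 32 hex characters, i.e. usable for a hash lookup."""
    return bool(MD5_RE.fullmatch(value.lower()))


def triage(rows: list[dict]) -> dict:
    """Summarise what the Sandbox engine did and what an analyst should follow up."""
    actions = Counter(r["Policy Action"] for r in rows)
    known_bad = set()      # blocked on a prior verdict: blocklist / hunt candidates
    pending = []           # quarantined: the user is waiting on a verdict
    coverage_gaps = []     # allowed without analysis (Standard subscription)
    malformed = []         # rows whose MD5 column cannot be used for a lookup
    for r in rows:
        md5 = r["MD5"].lower()
        if not is_valid_md5(md5):
            malformed.append(r)
            continue
        if r["Policy Action"] == "Blocked":
            known_bad.add(md5)
        elif r["Policy Action"] == "Quarantined":
            pending.append((r["User"], md5))
        if r["Threat Name"] == "Not Subscribed":
            coverage_gaps.append((r["User"], md5))
    # Known-bad hashes that reached more than one user help scope an incident.
    hits = Counter(r["MD5"].lower() for r in rows if r["MD5"].lower() in known_bad)
    return {
        "actions": actions,
        "known_bad": known_bad,
        "pending": pending,
        "coverage_gaps": coverage_gaps,
        "malformed": malformed,
        "multi_user": {h for h, n in hits.items() if n > 1},
    }


if __name__ == "__main__":
    summary = triage(parse_sandbox_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The coverage_gaps list is the practical takeaway from the Not Subscribed behaviour: those files reached users without behavioural analysis, so they are the ones to re-check once additional Sandbox rules are in place.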

Screenshot of a Sandbox malware entry with the Not Subscribed tag in the Threat Name column.

The Advanced Sandbox subscription allows you to add rules for other file types, such as Word documents and PDF files.

If your organization has the Advanced Sandbox subscription, you can click the MD5 hash of the file in the logs and view the Sandbox Detail Report. It provides different types of information about a file and its behavior, including forensic details such as which registry keys were changed, which network connections were initiated, and which files were read.

For each category, you can view additional details by clicking the Expand icon at the top right-hand corner of each widget.

Screenshot of the Expand icon in the Sandbox Detail Report

You can also print the report by clicking the Print icon.

Screenshot of the Print icon in the Sandbox Detail Report.