How do I view Sandbox reports and data?

The Sandbox logs provide additional information about transactions that involved malicious activity. Note that the Threat Name may identify the exact malware, such as Trojan.Zbot or Backdoor.Caphaw, or only the malware category, depending on the behavior the service recognized.

The logs contain a column called Policy Action that displays what the Sandbox engine did with a suspicious file. The Sandbox engine may take one of the following actions:

  • Sent to Analysis: The file was sent to the sandbox for behavioral analysis, and the user was allowed to download the file while the analysis ran.
  • Quarantined: The file was sent to the sandbox for behavioral analysis, but the user could not download the file and received a notification that the analysis was in progress.
  • Blocked: The file was blocked immediately because its MD5 hash matched a previous sandbox verdict, so no new analysis was needed.

The logs also contain a column called MD5 that displays the hash of suspicious files. If your organization has the Cloud Sandbox subscription, you can click the value in this column to view the Sandbox Detail Report.

You can also monitor malware detected by the service on the dashboard. For example, you can edit the Security dashboard and add widgets that display the Sandbox or Sandbox Action data type.

About the Sandbox Detail Report

If your organization has the Cloud Sandbox subscription, the Sandbox Detail Report provides information about a file and its behavior. It provides different types of information, including forensic details such as which registry keys were changed, which network connections were initiated, and which files were read.

For each category, you can view additional details by clicking the Expand icon at the top right-hand corner.

Viewing the Sandbox Detail Report from NSS

If your organization has an NSS subscription, you can open a Sandbox Detail Report for any MD5 value that appears in the logs your SIEM receives from NSS. Copy the MD5 value from the log entry and insert it into the following URL:

admin.<zscaler_cloud>/ba/<MD5_string>

For example, if your organization logs in at https://admin.zscalerbeta.net, and the MD5 in the log entry is 728e5700a401498d91fb83159beec834, then enter the following to view the corresponding Sandbox Detail Report:

admin.zscalerbeta.net/ba/728e5700a401498d91fb83159beec834

To learn how you can find your cloud name, see What is my cloud name?

Note that you must be logged in to the Zscaler admin portal and have the following permissions:

  • Reporting Access: Full or View Only
  • Functional Scope: Security
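The following script is an added example, not part of this page or of Zscaler's own tooling. It automates the procedure above: it reads Sandbox-related log lines as a SIEM might store them, pulls out the MD5 field, rejects values that are not a 32-character hex MD5 (NSS emits "None" when a record has no hash, and a SHA-256 or a mistyped value must not be pasted into the report URL), deduplicates hashes that differ only in letter case, and builds the admin.<zscaler_cloud>/ba/<MD5_string> link with an https:// scheme so it can be opened directly. The key=value layout and the field names (md5, threatname, action, user) are assumptions for this example; map them to whatever fields your NSS feed is configured to emit. The sample log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines in a key=value layout. The field names are an
# assumption for this example, not the NSS feed's actual field names.
SAMPLE_LOG_LINES = [
    'ts="2024-01-01T10:00:00Z" user="alice@example.com" action="Quarantined" '
    'threatname="Trojan.Zbot" md5="728e5700a401498d91fb83159beec834"',
    'ts="2024-01-01T10:01:00Z" user="bob@example.com" action="Allowed" '
    'threatname="None" md5="None"',
    # Same hash as the first line, but upper-case: must map to the same report.
    'ts="2024-01-01T10:02:00Z" user="carol@example.com" action="Blocked" '
    'threatname="Trojan.Zbot" md5="728E5700A401498D91FB83159BEEC834"',
    # A value that is not an MD5 at all: must never become part of a URL.
    'ts="2024-01-01T10:03:00Z" user="dave@example.com" action="Sent to Analysis" '
    'threatname="Backdoor.Caphaw" md5="not-a-hash"',
]

MD5_RE = re.compile(r"[0-9a-f]{32}")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def normalize_md5(value: str) -> Optional[str]:
    """Return a lower-case 32-hex MD5, or None for an empty/placeholder/invalid field."""
    v = value.strip().lower()
    if v in ("", "none"):
        return None
    return v if MD5_RE.fullmatch(v) else None


def sandbox_report_url(cloud: str, md5: str) -> str:
    """Build the Sandbox Detail Report URL for one hash on the given cloud.

    `cloud` is the Zscaler cloud name, e.g. "zscalerbeta.net"; the admin host
    is admin.<cloud>, and the report path is /ba/<md5>.
    """
    h = normalize_md5(md5)
    if h is None:
        raise ValueError(f"not an MD5 hash: {md5!r}")
    return f"https://admin.{cloud}/ba/{h}"


def report_links(cloud: str, lines: Iterable[str]) -> List[dict]:
    """One record per unique MD5 seen in the logs, with the report URL attached."""
    by_hash: Dict[str, dict] = {}
    for line in lines:
        rec = parse_kv_line(line)
        h = normalize_md5(rec.get("md5", ""))
        if h is None:
            continue  # no hash, or a value that is not a valid MD5
        entry = by_hash.setdefault(
            h,
            {
                "md5": h,
                "threatname": rec.get("threatname"),
                "actions": [],
                "users": [],
                "report": sandbox_report_url(cloud, h),
            },
        )
        entry["actions"].append(rec.get("action"))
        entry["users"].append(rec.get("user"))
    return list(by_hash.values())


if __name__ == "__main__":
    for link in report_links("zscalerbeta.net", SAMPLE_LOG_LINES):
        print(f'{link["md5"]}  {link["threatname"]}  {link["actions"]}')
        print(f'    {link["report"]}')
```

Open each printed report URL while logged in to the admin portal with the permissions listed above; the script only builds the links, it does not authenticate or fetch them.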