Sandbox detection logs provide visibility into sandbox detection records (such as the name and type of the detected files, the source zone and the destination zone where the detected files were sent from and to). Sandbox detection details help the administrator identify exceptions and respond in time.
Before viewing sandbox detection logs, ensure that you have configured the sandbox detection function on the FW.
Sandbox detection logs include local sandbox and cloud sandbox detection logs. Before querying cloud sandbox detection logs, ensure that the cloud sandbox detection license has been installed and the cloud sandbox component package has been loaded.
to export user activity logs in CSV format to the management PC. If the device has no disk, click Advanced Search to filter logs.
to save the current log query conditions as a log query template for future use. The next time you want to use these query conditions, you only need to click
to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click
to delete a log query template.
Only the user that creates a log query template can view or use this template.
Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.
User activity logs within a given time range are as follows:

Field meanings are as follows:
| Field | Description |
|---|---|
| Time | Time at which a sandbox detection log is generated |
| Log Type | Log type, which can be sandbox scanning, malicious URL, or file reputation |
| Threat Name | Threat name |
| Result | Detection result, which can be malicious or suspicious |
| Threat Level | Threat level, which may be high-risk, medium-risk, or low-risk for a malicious file |
| Action | Action (alert, block, declare, or delete attachment) for the traffic that matches the profile |
| File MD5 | MD5 value of the sandbox detection log. NOTE: Click File MD5 to configure the file MD5 value as a file reputation exception. Then, you can view the file reputation exception in . |
| File Type | File type |
| Source Zone | Source security zone of the traffic |
| Destination Zone | Destination security zone of the traffic |
| Source Region | Source region of the traffic |
| Destination Region | Destination security zone of traffic |
| Source Address | Source IP address of traffic |
| Destination Address | Destination IP address of traffic |
| Source User | User who generates traffic |
| Source Port | Source port of traffic |
| Destination Port | Destination port of traffic |
| Application | Application type of traffic |
| Protocol | Protocol of traffic |
| External Address | Addresses connected to the malicious file |
| Security Policy | Name of the security policy that the traffic matches |
| Profile | Name of the APT profile that the traffic matches |
| Virtual System | Virtual system to which the traffic belongs |
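
The following is an added example, not part of the product documentation: a triage pass over an exported CSV that groups detections by File MD5 and lists the destination addresses that received a flagged file without a stopping action. It assumes the CSV header row uses the field names from the table above and that only `block` and `delete attachment` stop delivery; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Assumption: the CSV header row uses the field
# names from the table above; only a subset of columns is shown and every
# value (threat names, MD5s, addresses) is made up.
SAMPLE_CSV = """\
Time,Log Type,Threat Name,Result,Threat Level,Action,File MD5,Destination Address
2024-05-01 09:12:03,sandbox scanning,Sample.Trojan.A,malicious,High-risk,alert,00000000000000000000000000000001,10.0.0.21
2024-05-01 09:15:40,sandbox scanning,Sample.Trojan.A,malicious,High-risk,alert,00000000000000000000000000000001,10.0.0.34
2024-05-01 09:20:11,file reputation,Sample.Trojan.A,malicious,High-risk,block,00000000000000000000000000000001,10.0.0.21
2024-05-01 10:02:55,sandbox scanning,Sample.Dropper.B,suspicious,Medium-risk,block,00000000000000000000000000000002,10.0.0.50
2024-05-01 11:30:00,sandbox scanning,Sample.Adware.C,suspicious,Low-risk,alert,00000000000000000000000000000003,10.0.0.21
"""

LEVEL_RANK = {"high-risk": 3, "medium-risk": 2, "low-risk": 1}
# Assumption: only these two actions keep the file from reaching the destination.
STOPPING_ACTIONS = {"block", "delete attachment"}


def triage(csv_text):
    """Group detections by File MD5; list hosts that received the file unblocked."""
    files = defaultdict(lambda: {"threat": "", "level": 0, "hits": 0, "delivered_to": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Normalise whitespace; short rows yield None values, extra cells a None key.
        row = {k.strip(): (v or "").strip() for k, v in row.items() if k}
        if row.get("Result", "").lower() not in ("malicious", "suspicious"):
            continue
        entry = files[row.get("File MD5", "").lower()]
        entry["threat"] = row.get("Threat Name", "")
        entry["hits"] += 1
        # Unknown level strings rank 0 instead of raising, so odd rows still show up.
        entry["level"] = max(entry["level"], LEVEL_RANK.get(row.get("Threat Level", "").lower(), 0))
        if row.get("Action", "").lower() not in STOPPING_ACTIONS:
            entry["delivered_to"].add(row.get("Destination Address", ""))
    report = [{"md5": md5, **e, "delivered_to": sorted(e["delivered_to"])} for md5, e in files.items()]
    # Files that reached a host come first, then higher threat level, then more hits.
    report.sort(key=lambda r: (bool(r["delivered_to"]), r["level"], r["hits"]), reverse=True)
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item["md5"], item["threat"], item["level"], item["hits"], item["delivered_to"])
```

A file that appears with both `alert` and `block` rows, like the first one in the sample, was delivered at least once before a later detection stopped it, so the hosts listed for it are the ones to check first.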