Submit to Zscaler Sandbox analysis

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use the Zscaler Internet Access products sandbox service to analyzes files in a virtual environment to detect malicious behavior.

    Before you begin

    Role required: sn_si.admin

    About this task

    When you create a Zscaler configuration, a Zscaler sandbox submission is created by default in the Zscaler Sandbox Configuration module.

    The name and source fields are auto-filled, and the configuration is enabled by default. You can edit only the display tag and the active options. Zscaler Internet Access product enables you to fetch only the sandbox report for the MD5 hash type observables.

    The analysis for the file that is associated with the MD5 hash should be complete and the corresponding report should be in the Zscaler sandbox. If the MD5 hash that you send does not have a report in Zscaler, you get an error message.

    Procedure

    1. Navigate to All > Security Incident > Incidents > Show All Incidents.
    2. Select the security incident that you want to run the sandbox analysis on.
    3. Select Show All Related Lists and the Associated Observables tab.
    4. Select an MD5 hash type observable and then from the Actions menu, select Submit to Sandbox.
      Create an MD5 hash type observable if you do not find an existing MD5 hash type observable.
    5. In the File Submission dialog box, select the Zscaler - Sandbox Submission - Server option in the Submission configuration and select Submit to sandbox.
      After you initiate the sandbox submission, you can view the Work notes to see the status of your submission. A tag is also appended to the security incident.
    6. In the Work notes, select the link in the Sandbox Submission Result post.

    Result

    You can also view the results from the Show All Related Lists and Sandbox Submission Results tab.