I’m trying to figure out what the best practice is for my cloud sandbox rules. Are there any recommendations?
For production use, due to the wide spectrum of risk tolerance versus performance expectations, many customers' appropriate Sandbox Rule Policy will vary significantly from the baseline recommended policy.
Some customers will have a very low tolerance for any zero-day malware being downloaded, and would opt for enabling Quarantine for first-time downloads on a majority of URL Categories. Examples include financial institutions with very high transaction volumes or high-value transactions, legal institutions, and organizations or departments with access to highly sensitive IP.
Other customers will have a very low tolerance for "slowing down" their employees' ability to download files due to the nature of their work, and would opt for only Allow and Scan for first-time downloads on a majority or all URL Categories. Examples include engineering or research labs that often download executable files or other files that tend to be "suspicious" in nature despite having no malicious intent, or organizations whose work involves the exchange or download of diverse files with other organizations on a very regular basis.
So in short, one size doesn't always fit all. That being said, below is a good baseline starting point that suggests quarantining never-before-seen files that are high risk if they are downloaded from suspicious URL categories.
The following help article summarizes these recommendations well: