Policy & Content: Advanced Threat Protection

The Advanced Threat Protection (ATP) report lists each unique IP address/user combination for which the SWA has detected attempts to contact malware command and control services. You can block and unblock machines listed in this report. Blocking a machine adds it to the Configuration > Group Policy > Additional Policies page in the Quarantined Machines policy.

The columns in the report are:
  • Block: For each IP address/user combination, you can use the block/unblock button to add the IP address to, or remove it from, the Quarantined Machines policy.
    Note: Blocking a machine blocks all instances of that IP address, not just the specific IP/user combination you select.
  • Status: A red circle with an "X" indicates a potential threat that is unblocked. A green checkmark indicates the machine is blocked.
  • IP: The IP address of the detected machine. Clicking this will display a search for suspicious activity from this IP address.
  • Machine: The name associated with the machine. Clicking this will display a search for suspicious activity from the IP address associated with this machine.
  • User: The username associated with the machine when the threat was detected. Clicking this will display a search for suspicious activity by this machine/user combination.
  • Count: The number of times this particular IP/username combination has been detected as a threat.
  • Details: The name or names of any detected threats. Clicking the name of a threat will open the webpage with the corresponding Sophos threat analysis.

To block or unblock all listed machines, use the Block All or Unblock All buttons at the bottom of the page.
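The following is an added example, not code from the Sophos Web Appliance or its documentation. It models how the report rows described above are derived from individual detection events (one row per unique IP/user combination, with a running count and the set of threat names) and how the quarantine policy behaves: because the policy is keyed by IP address alone, blocking one IP/user row changes the status of every row that shares that IP, which is the caveat in the Block column's note. The event records, IP addresses, usernames and threat names are constructed sample values; `build_report`, `QuarantinePolicy`, `block_all` and `unblock_all` are hypothetical helper names.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample detection events (not real SWA log output). Each event
# records one detected attempt by an IP/user pair to reach a C2 service.
EVENTS = [
    {"ip": "10.0.0.5", "user": "alice", "threat": "Example-Threat-A"},
    {"ip": "10.0.0.5", "user": "alice", "threat": "Example-Threat-A"},
    {"ip": "10.0.0.5", "user": "bob",   "threat": "Example-Threat-B"},
    {"ip": "10.0.0.7", "user": "carol", "threat": "Example-Threat-A"},
]


@dataclass
class ReportRow:
    """One row of the ATP report: a unique IP/user combination."""
    ip: str
    user: str
    count: int = 0                       # Count column
    threats: set = field(default_factory=set)  # Details column


def build_report(events):
    """Aggregate raw detection events into report rows keyed by (ip, user)."""
    rows = OrderedDict()
    for ev in events:
        key = (ev["ip"], ev["user"])
        row = rows.setdefault(key, ReportRow(ev["ip"], ev["user"]))
        row.count += 1
        row.threats.add(ev["threat"])
    return rows


class QuarantinePolicy:
    """Models the Quarantined Machines policy: membership is by IP only."""

    def __init__(self):
        self.blocked_ips = set()

    def block(self, ip):
        self.blocked_ips.add(ip)

    def unblock(self, ip):
        self.blocked_ips.discard(ip)

    def status(self, row):
        # Status column: a row shows as blocked whenever its IP is quarantined,
        # even if the block was applied via a different user on the same IP.
        return "blocked" if row.ip in self.blocked_ips else "unblocked"


def block_all(report, policy):
    """Equivalent of the Block All button: quarantine every listed IP."""
    for row in report.values():
        policy.block(row.ip)


def unblock_all(report, policy):
    """Equivalent of the Unblock All button: release every listed IP."""
    for row in report.values():
        policy.unblock(row.ip)


def report_statuses(report, policy):
    """Return {(ip, user): status} for every row, handy for tests and display."""
    return {key: policy.status(row) for key, row in report.items()}


if __name__ == "__main__":
    report = build_report(EVENTS)
    policy = QuarantinePolicy()
    # Blocking alice's row quarantines 10.0.0.5, so bob's row is blocked too.
    policy.block("10.0.0.5")
    for (ip, user), row in report.items():
        print(f"{policy.status(row):9} {ip:10} {user:6} {row.count} {sorted(row.threats)}")
```

Running the block shows two rows for 10.0.0.5 (alice with a count of 2, bob with a count of 1) and one for 10.0.0.7; after a single block on 10.0.0.5 both of its rows report as blocked, which is what an administrator should expect when quarantining a shared or NAT'd address.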