Scenario:
(SEPM/SEP 12.1.5) An attempted attack (e.g., "[SID: 27847] Web Attack: Wordpress Arbitrary File Download attack") on an outward-facing server results in a Security Alert Notification from SEPM which, under the Remote Host/Remote IP address column, shows "Not applicable / 87.248.226.226".
Problem:
Later that day, the Network Threat Protection report from SEPM includes that event, but lists both the attacked client and 87.248.226.226 under the Client heading. This is of course incorrect, since 87.248.226.226 is external to our network and is actually the attacking IP, as indicated in the original Security Alert Notification.
Why is the Network Threat Protection report listing an external IP as a Client?