Endpoint Protection

  • 1.  SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 11:38 AM

    Scenario:

    (SEPM/SEP 12.1.5) An attempted attack (e.g., "[SID: 27847] Web Attack: Wordpress Arbitrary File Download attack") on an outward-facing server results in a Security Alert Notification, which SEPM identifies under the Remote Host/Remote IP address column as "Not applicable / 87.248.226.226".

    Problem:

    Later that day, the Network Threat Protection report from SEPM includes that event, but lists both the attacked client and 87.248.226.226 under the Client heading. This is of course incorrect, since 87.248.226.226 is external to our network and is actually the attacking IP, as indicated in the original Security Alert Notification.

    Why is Network Threat Protection report listing an external IP as a Client?



  • 2.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 11:42 AM

    It's showing the web server. So what happened is someone browsed out to a site and hit a link that SEP determined was malicious and blocked it. This is normal behavior. If you look deeper at the alert it may show the actual URL.



  • 3.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 11:47 AM

    The real client is an outward-facing webserver. It is not a workstation where someone is logged in and browsing.



  • 4.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 11:56 AM

    What's the exact report that was run? I can see what mine shows to get a better idea.



  • 5.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 12:52 PM

    The report is Network Threat Protection (Full Report / Default filter), which I have set to run as a scheduled report.




  • 6.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 01:17 PM

    And within this report are you looking at the Top Targets Attacked by Client content?



  • 7.  RE: SEPM Network Threat Report Lists external IP as a Client

    Posted Feb 26, 2015 01:59 PM

    Yes - Top Targets Attacked by Client
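As an added example (not from the original thread or from Symantec), this is the kind of triage one can run over an exported list of Network Threat Protection events to keep the attacked client and the attack source separate, as the original post expects. The organisation's address ranges, the field names and the sample rows are assumptions constructed for the example, not SEPM's actual export schema.

```python
import ipaddress
from collections import Counter

# Assumed organisation address space; replace with your own ranges.
ORG_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]

# Constructed events imitating an export; field names are assumptions.
SAMPLE_EVENTS = [
    {"local_ip": "203.0.113.10", "remote_ip": "87.248.226.226", "direction": "Inbound",
     "signature": "[SID: 27847] Web Attack: Wordpress Arbitrary File Download attack"},
    {"local_ip": "10.1.4.22", "remote_ip": "198.51.100.7", "direction": "Outbound",
     "signature": "Web Attack: Malicious Site"},
    {"local_ip": "203.0.113.10", "remote_ip": "198.51.100.9", "direction": "Inbound",
     "signature": "[SID: 27847] Web Attack: Wordpress Arbitrary File Download attack"},
]


def is_internal(ip):
    """True when the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_RANGES)


def classify(event):
    """Return (client, attack_source) for one event.

    Inbound: the local host is the target and the remote IP is the source.
    Outbound: the local host reached out (e.g. a browser hit a blocked link),
    so the remote IP is a blocked destination, not an attacker of a client.
    """
    local, remote = event["local_ip"], event["remote_ip"]
    if event["direction"] == "Inbound":
        return local, remote
    return local, None


def top_targets(events):
    """Count attacked clients, keyed only by hosts inside ORG_RANGES."""
    return Counter(classify(ev)[0] for ev in events if is_internal(classify(ev)[0]))


def top_sources(events):
    """Count external attack sources from inbound events only."""
    sources = (classify(ev)[1] for ev in events)
    return Counter(s for s in sources if s is not None and not is_internal(s))


def mislabeled_clients(report_clients):
    """Flag 'Client' column values outside the organisation (the symptom in the thread)."""
    return [c for c in report_clients if not is_internal(c)]
```

Running `mislabeled_clients` over the Client column of the scheduled report reproduces the symptom from the thread: any external address listed there is a remote source, not a client.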