Hi,
In SEPM, there is a report for "Top Ttackers". That gives you the IP address of the machines that have attacked other clients with SEP IPS enabled.
You can run the report. Set a threshold, e.g. machines that have attacked more than 10-15 times..
You can investigate those IPs. Searching them in SEPM would be the first step.
If the IP is not there in SEPM and it is a machine/laptop/server then install SEP on the machine and scan.
If its a device [ router , etc .] then ignore.
Regards,
Aniket