You have enabled 'Automatic Submission' on the Global settings page on the ATP 3.1 Manager. After a while you review the Systems Activity log for 'submit_to_sandbox' events and find that almost none are submitted by user_name 'ATP'.
The SEPM has not been enrolled in SEP Cloud.
The main driving feature behind the Automatic Submission feature is the SEP Cloud machine learning verdicts for High Intensity Detection. Without this feature, very few files will trigger the Suspicious Detection feature of the SEP client. In order to take full advantage of this feature, you will need to enroll the SEPM(s) into SEP Cloud.
If you are not enrolled in SEP Cloud, the 4099 event needs to have a file reputation of -5 or lower. The file also needs to be a Portable Executable with a file name ending in ".exe" and have a file size under 10MiB. The automatic submission option will not submit the file if there has been a sandbox verdict within the last 7 days.
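To see which of these conditions accounts for most of the missing submissions when the SEPM is not enrolled in SEP Cloud, the following added example (not Symantec code) applies them to a batch of 4099 event records and tallies the reasons each one is skipped. The record field names, the sample data, the case-insensitive ".exe" match and the treatment of exactly 7 days as inside the window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

MAX_REPUTATION = -5                  # "file reputation of -5 or lower"
MAX_SIZE = 10 * 1024 * 1024          # "file size under 10MiB"
VERDICT_WINDOW = timedelta(days=7)   # "sandbox verdict within the last 7 days"

def blockers(event, now):
    """Return the article's conditions that this 4099 event record fails."""
    reasons = []
    if event["reputation"] > MAX_REPUTATION:
        reasons.append("reputation above -5")
    if not event["is_pe"]:
        reasons.append("not a Portable Executable")
    # Assumption: compare the extension case-insensitively.
    if not event["file_name"].lower().endswith(".exe"):
        reasons.append("file name does not end in .exe")
    if event["size_bytes"] >= MAX_SIZE:
        reasons.append("file size not under 10MiB")
    last = event.get("last_sandbox_verdict")
    # Assumption: a verdict exactly 7 days old still counts as recent.
    if last is not None and now - last <= VERDICT_WINDOW:
        reasons.append("sandbox verdict within last 7 days")
    return reasons

def summarize(events, now):
    """Return (eligible file names, Counter of blocking reasons)."""
    eligible, tally = [], Counter()
    for ev in events:
        reasons = blockers(ev, now)
        tally.update(reasons)
        if not reasons:
            eligible.append(ev["file_name"])
    return eligible, tally

def rec(name, rep, size, verdict=None, is_pe=True):
    """Build a constructed record; these field names are hypothetical."""
    return {"file_name": name, "is_pe": is_pe, "reputation": rep,
            "size_bytes": size, "last_sandbox_verdict": verdict}

# Constructed sample data, not taken from a real ATP export.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    rec("setup.exe", -7, 2_000_000),
    rec("tool.exe", -2, 500_000),
    rec("lib.dll", -9, 11 * 1024 * 1024),
    rec("update.exe", -5, 900_000, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    eligible, tally = summarize(SAMPLE, NOW)
    print("eligible:", eligible)
    for reason, count in tally.most_common():
        print(f"{count:3d}  {reason}")
```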