After applying the 3.1.0-HF05 to ATP 3.1, the customer is still seeing a lot of SONAR detection's showing in ATP but not in SEPM.
ATP incorrectly tags submissions with "Good" disposition as "Suspicious activity" in UI. 3.1.0-HF06 will address this issue. We will be describing SONAR submissions with "Good" disposition as "SONAR detected activity" to enable the customer to easily distinguish the 4100 events clearly.
Please upgrade to Advanced Threat Protection (ATP) 3.2. If you are not able to upgrade in a timely manner, please open a support case to have an updated hotfix applied to ATP 3.1.
Subscribing will provide email updates when this Article is updated. Login is required.