ATP alert

Can anyone suggest on the below query

ATP Event reoccurs every two to three days.


2021:04:13-01:45:20 nwusophos01 named[5282]: rpz: client @0xa519a18 10.161.1.2#49191 (61-219-11-153.hinet-ip.hinet.net): view default: rpz IP NXDOMAIN rewrite 61-219-11-153.hinet-ip.hinet.net via 32.153.11.219.61.rpz-ip.rpz

measurements already taken:
- enable DNS diagnostic logging on Microsoft active directory domain controller/dns server.
- match dns query to atp event: querying system is domain controller (10.161.1.2)
- scan of domain controller with customer's antivirus software
result: clean
- scan with sophos virus removal tool
result: clean

UTM:
Firmware version: 9.705-3
Pattern version: 197682

We need verfiy if ATP alert is a false postive or not. Please assist.


Added TAG
[edited by: emmosophos at 8:44 PM (GMT -7) on 14 Apr 2021]