Advanced Threat Protection

Question

Hello, 
 In last couple of days i start receive emails from my Sophos UTM (Firmware version 9.350-12) 
 A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company. 
 Details about the alert: 
 Threat name....: C2/Generic-A 
 Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx 
 Time...........: 2016-03-20 06:41:17 
 Traffic blocked: yes 
 Source IP address or host: 218.60.112.225 
 
 Every Email include different IP Address but it's not my LAN Network. How i can find problematic machine (IP) from my local network ?

William Warren · Answer

part of it is configuration of your dns. in order for ATP to work correctly you need to have all dns requests go to the firewall FIRST. if you are not using the firewall for dhcp then set primary dns in dhcp as the firewall. 
 
 If you are using AD then you also need to setup dns routing under dns in the webadmin so the firewall will route internal dns requests to your AD server/s. Then you will get proper alerts for internal machines...:)