When using Synapse with the Email Security.cloud correlation feature, you see Cloud Error showing as the status for this feature.

The Health Status may also show the message, "Synapse Email correlation is malfunctioning: please call support"

This is indicating that the ATP Manager is unable to obtain the Email events from datafeedapi.symantec.com.

1. To check for a known issue with the cloud infrastructure, log in to identity.symanteccloud.com and navigate to System Alerts
2. If the cloud portal shows a System Alert related to the API is in place, wait until the Alert ends before continuing.
3. To check ATP's ability to reach the Symantec servers, at the ATP command line interface (CLI), type:
   status_check
    
4. If output from status_check shows that datafeedapi.symantec.com is NOT reachable, and other Symantec servers that are NOT reachable, check the firewall or proxy configuration against the ports and urls document, here:
   
   Title: DOC9667 - Symantec™ Advanced Threat Protection Platform 2.3 Release Notes
   URL: https://support.symantec.com/en_US/article.DOC9667.html
    
5. If output from status_check shows that datafeedapi.symantec.com is NOT reachable, and it is the only Symantec server that is NOT reachable, and there is no proxy where ATP is deployed, to test the firewall port, type:
   tcp_check datafeedapi.symanteccloud.com 443
    
6. If output from tcp_check does not show CONNECTED, ATP does not have access to TCP port 443 for datafeedapi.symanteccloud.com. Please resolve before continuing.
7. If output from tcp_check shows CONNECTED, ATP has port access, but an upstream device is changing the certificate used to secure the TLS1.2 communication of datafeedapi.symanteccloud.com. ATP knows the digital certificate of this individual server and will disconnect when it receives a substitute or alteration to this certificate to prevent attackers from gaining user data using a Man In The Middle attack against the organization it protects. Please configure intervening proxy, firewall, or other network devices to permit TLS traffic between ATP and datafeedapi.symantec.com to pass without alteration.

If the triage steps above do not appear to point to a solution, at the ATP CLI, type "gather_logs" to upload logs to the ATP Telemetry server, then open a case with Symantec Technical Support.