After enabling the Targeted Attack Analytics feature, you may see Incidents created for clients with an external IP as the hostname. When you review the Entity page for that Endpoint, most of the fields have Unknown or Unsupported.

ATP 3.2 or SEDR 4.0 with one or more SEP licenses uploaded for the Targeted Attack Analytics feature.

This can occur due to a few different circumstances.

1. The license file(s) uploaded to the appliance are used on a SEPM other than the ones configured in the appliance. SEP clients upload telemetry submissions and are correlated by their license file.
2. The SEPM is configured correctly, but the SEPM group(s) to which the unknown endpoint(s) belong to have not been selected for group inclusion.
3. The SEP machine was known to the appliance previously, but the record may have been purged from the appliance database.

This is resolved in Symantec Endpoint Detection and Response 4.1 by ignoring Events and Incidents for Endpoints unknown to the appliance. Further improvements have been made in SEDR 4.4 to ensure at least one appliance keeps the Incident if there are multiple appliances using the same SEP license.