After enabling the Targeted Attack Analytics feature, you may see Incidents created for clients with an external IP as the hostname. When you review the Entity page for that Endpoint, most of the fields have Unknown or Unsupported.
This can occur due to a few different circumstances.
ATP 3.2 or SEDR 4.0 with one or more SEP licenses uploaded for the Targeted Attack Analytics feature.
This is resolved in Symantec Endpoint Detection and Response 4.1 by ignoring Events and Incidents for Endpoints unknown to the appliance. Further improvements have been made in SEDR 4.4 to ensure at least one appliance keeps the Incident if there are multiple appliances using the same SEP license.