When using Synapse with the Email Security.cloud correlation feature, you see Cloud Error showing as the status for this feature.
The Health Status may also show the message, "Synapse Email correlation is malfunctioning: please call support"
This is indicating that the ATP Manager is unable to obtain the Email events from datafeedapi.symantec.com.
status_checkshows that datafeedapi.symantec.com is NOT reachable, and other Symantec servers that are NOT reachable, check the firewall or proxy configuration against the ports and urls document, here:
tcp_check datafeedapi.symanteccloud.com 443
tcp_checkdoes not show
CONNECTED, ATP does not have access to TCP port 443 for datafeedapi.symanteccloud.com. Please resolve before continuing.
CONNECTED, ATP has port access, but an upstream device is changing the certificate used to secure the TLS1.2 communication of datafeedapi.symanteccloud.com. ATP knows the digital certificate of this individual server and will disconnect when it receives a substitute or alteration to this certificate to prevent attackers from gaining user data using a Man In The Middle attack against the organization it protects. Please configure intervening proxy, firewall, or other network devices to permit TLS traffic between ATP and datafeedapi.symantec.com to pass without alteration.
If the triage steps above do not appear to point to a solution, at the ATP CLI, type "gather_logs" to upload logs to the ATP Telemetry server, then open a case with Symantec Technical Support.