
Drop by Advanced threat protection (ATP)

Hello everyone. Can you help me with this alert?

  • Explanation for most DNS cases: your server is most likely your DC, or at least has a DNS server role. This means your clients request the internal server, and the server requests the UTM or public DNS servers. So ATP DNS triggers only on the server(s).

    Most likely there's no "infected" client in the network, but a client most likely downloaded a cryptomining script (or at least got a website with a link to download such a script from that webminepool site) while surfing some websites.

    As it got blocked by ATP DNS and the client didn't find a miner (Sophos AV is quite good at detecting those), most likely a script was linked in a website for download, and ATP blocked the DNS request. So you're most likely fine, as the download was not possible (no DNS resolution, no download).

    Hope that helps

  • I found the station through Sophos Central, thank you guys. Sophos Firewall detected malicious traffic: 'C2 / Generic-C' at 'C:\Windows\System32\svchost.exe'

  • And was the client infected or "only" trying to connect to a C2 / mining domain by accident during web surfing? Just wondering :o))

  • He was really infected. I love Sophos =]
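The first reply above explains why an ATP DNS alert names the domain controller rather than the client: clients query the internal DNS server, which forwards to the UTM, so the firewall only ever sees the DC's address. The practical follow-up is to check the DC's own query log for who asked for the flagged domain. The script below is an added example (not from this thread or from Sophos) that does that correlation over a constructed, simplified log format of `timestamp client_ip qname qtype`; real DNS server logs use their own layout, so `parse_line()` is the part to adapt, and `blocked-domain.example` stands in for whatever domain the alert reported.

```python
"""Correlate a firewall ATP DNS alert back to the client that issued the query.

Added example, not from the Sophos thread. Assumes the internal DNS server
(typically the domain controller) keeps a query log with one line per request
in a constructed, simplified format:

    <timestamp> <client_ip> <qname> <qtype>

Real DNS server logs differ in layout; adapt parse_line() accordingly.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class DnsQuery(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


# Constructed sample log lines (not real data). The firewall would only ever
# see the DC as the source of the forwarded requests; the DC's own log is
# what reveals the originating clients.
SAMPLE_LOG = """\
2024-01-10T09:14:02Z 10.0.1.25 www.example.com A
2024-01-10T09:14:03Z 10.0.1.25 pool.blocked-domain.example A
2024-01-10T09:14:03Z 10.0.1.40 update.example.org A
2024-01-10T09:15:10Z 10.0.1.25 pool.blocked-domain.example A
2024-01-10T09:16:44Z 10.0.1.77 cdn.blocked-domain.example AAAA
"""


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return DnsQuery(*parts)


def matches(qname: str, blocked_domain: str) -> bool:
    """True if qname is blocked_domain or a subdomain of it (case-insensitive,
    trailing dot ignored). A plain substring check would also match unrelated
    names such as 'notblocked-domain.example', so anchor on the label boundary."""
    q = qname.lower().rstrip(".")
    b = blocked_domain.lower().rstrip(".")
    return q == b or q.endswith("." + b)


def find_clients(log_text: str, blocked_domain: str) -> Dict[str, List[DnsQuery]]:
    """Group every query for the blocked domain by the client that sent it."""
    hits: Dict[str, List[DnsQuery]] = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q and matches(q.qname, blocked_domain):
            hits[q.client].append(q)
    return dict(hits)


def summarize(hits: Dict[str, List[DnsQuery]]) -> List[Tuple[str, int, str, str]]:
    """Return (client, query_count, first_seen, last_seen), busiest client first.
    Log lines are assumed to be in chronological order."""
    rows = [(client, len(qs), qs[0].ts, qs[-1].ts) for client, qs in hits.items()]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    for client, n, first, last in summarize(find_clients(SAMPLE_LOG, "blocked-domain.example")):
        print(f"{client}: {n} queries, first {first}, last {last}")
```

Repeated queries from one host over time (here 10.0.1.25) point at something running on the machine rather than a single web page being visited, which is the distinction the thread's later replies turn on; a one-off query is more consistent with the "linked script that never downloaded" case.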
