While trying to troubleshoot advanced threat protection false positives, I noticed only 1 entry for today in its log, with nothing over the weekend, though it had marked 4 threats.
In the atp.log, only threats which are detected by appctrl, iptables or dns are logged. Threats which are detected by IPS or by the HTTP proxy are logged to ips.log / http.log and not to the atp.log. At the moment we are working on a solution to make the reporting more transparent.