Targets/sources IP Address displayed as 0.0.0.0 in incident view


Article ID: 157092


Updated On:

Products

Security Information Manager

Issue/Introduction

When browsing the incident view, in some cases the Target or Source is listed as 0.0.0.0.

Some system rule descriptions then read:

"At least 2 accounts at 0.0.0.0 have failed to authenticate within 600 seconds. This might indicate that a malicious user attempted to guess the accounts on the server and gain unauthorized access."

Cause

This situation happens when the source event does not contain the required information. The collector cannot map an "IP Source" or "IP Destination" field if that value does not exist in the event it receives.

Resolution

This is working as designed: if the event from the point product being collected from does not carry the address, the collector cannot map it.

Because the field is blank, the correlation engine substitutes 0.0.0.0. The address is therefore a placeholder for "unknown", not a real host, and any rule keyed on source or target address will group all such events together under 0.0.0.0.
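The mapping and substitution described above, reproduced as an added example. This is illustrative Python written for this article, not Security Information Manager or collector code; the event field names (src_ip, dst_ip, user, product) and the sample events are constructed assumptions. It shows how a blank or missing address becomes 0.0.0.0, how to report which product is producing placeholder addresses, and why an address-keyed rule such as the one quoted above ends up counting unrelated accounts "at 0.0.0.0".

```python
"""Added example, not SIM code.

Constructed events mirror the behaviour described in the article: a collector
maps source/destination IP only when the field exists in the event, and the
correlation engine substitutes 0.0.0.0 for a blank field.
"""
from collections import Counter, defaultdict

PLACEHOLDER_IP = "0.0.0.0"

# Constructed raw failed-authentication events from hypothetical point products.
# Field names are assumptions; real collector field names vary per product.
RAW_EVENTS = [
    {"product": "FirewallX",  "user": "svc1",  "src_ip": "10.1.2.3", "dst_ip": "10.9.8.7"},
    {"product": "AppServerY", "user": "alice"},                      # no IP fields at all
    {"product": "AppServerY", "user": "bob",   "src_ip": ""},        # blank IP field
    {"product": "FirewallX",  "user": "carol", "src_ip": "10.1.2.4"},  # no destination
]


def map_event(raw):
    """Collector mapping followed by the correlation engine's substitution."""
    def pick(field):
        value = raw.get(field)
        return value if value else PLACEHOLDER_IP   # missing or blank -> 0.0.0.0
    return {
        "product": raw["product"],
        "user": raw["user"],
        "source_ip": pick("src_ip"),
        "target_ip": pick("dst_ip"),
    }


def is_placeholder(incident, field):
    """True when the address is the engine's stand-in for 'unknown'."""
    return incident.get(field) == PLACEHOLDER_IP


def placeholder_report(incidents):
    """Per (product, field): how many incidents carry a placeholder address.

    A product that keeps appearing here is one whose events do not include the
    address at all, which is the working-as-designed case from the article.
    """
    report = Counter()
    for inc in incidents:
        for field in ("source_ip", "target_ip"):
            if is_placeholder(inc, field):
                report[(inc["product"], field)] += 1
    return dict(report)


def failed_accounts_by_source(incidents):
    """Distinct accounts per source address, the grouping an address-keyed
    'N accounts failed at <ip>' rule would see. Everything without a source
    address collapses into the single 0.0.0.0 bucket."""
    accounts = defaultdict(set)
    for inc in incidents:
        accounts[inc["source_ip"]].add(inc["user"])
    return {ip: sorted(users) for ip, users in accounts.items()}


def run(raw_events=RAW_EVENTS):
    incidents = [map_event(e) for e in raw_events]
    return incidents, placeholder_report(incidents), failed_accounts_by_source(incidents)


if __name__ == "__main__":
    incidents, report, by_source = run()
    for inc in incidents:
        print(inc)
    for (product, field), n in sorted(report.items()):
        print(f"{product}: {n} incident(s) with {field} = {PLACEHOLDER_IP}")
    for ip, users in sorted(by_source.items()):
        flag = " (placeholder, accounts may be unrelated)" if ip == PLACEHOLDER_IP else ""
        print(f"{ip}: {len(users)} account(s) {users}{flag}")
```

When triaging an incident that names 0.0.0.0, treat the count as "events with no mappable address" rather than activity from one host, and use the remaining fields (account, product, hostname where present) to decide whether the events are actually related.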


Applies To

This can happen with multiple collectors, depending on the content of the source event.
