ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Targets/sources IP Address displayed as in incident view


Article ID: 157092


Updated On:


Security Information Manager


When browsing incident view, in some case the Target or Source are listed as

Some system rules description says :

"At least 2 accounts at have failed to authenticate within 600 seconds.  This might indicate that a malicious user attempted to guess the accounts on the server and gain unauthorized access."


This situation happens when the source event doesn't contains the right information. In some situation the collector cannot map an "IP Source" or IP Destination" if it doesn't exist in the event.




This is working as designed, if the point product collecting from doesn't contain the information the collector cannot map this.

The correlation engine, as this field is blank, replaces it by

Applies To

This can happens with multiple collectors depending of the source event