In your SEP/SES agent Security logs for Browser Protection event types, you are seeing the IP address 0.0.0.0 for the remote host.
In the SEPM console, you might also see the same IP "0.0.0.0" under Top Target attacks by client.
Our Intrusion Prevention policy encompasses Browser Protection, where browser extensions monitor both inbound and outbound HTTP and HTTPS traffic. If deemed malicious, these extensions block the traffic to the web browser. This includes URL Reputation, which identifies threats from domains and URLs known for hosting malicious content such as malware, fraud, phishing, and spam. By performing cloud reputation lookups, URL Reputation prevents access to these known sources of malicious content.
The majority of Browser Protection detections are related to malicious domain or domain redirect activities. These detections are triggered by SEP Agent application hooks directly within the web browser, rather than through direct analysis of network packet information. These detections are connectionless and rely on DNS/URL information rather than TCP/IP connection data. When URL Reputation conducts cloud lookups, the IP address information of the URL is not available. Therefore, IP addresses are not involved in the detection process and are not recorded.
For more information regarding URL reputation, please refer to the article below:
This behavior is as expected and by design.
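Because these events carry no remote IP, reports that group by remote host collapse every Browser Protection detection into a single 0.0.0.0 entry. The following added example (not Symantec code) shows one way to aggregate an exported log on the URL's hostname instead; the CSV column names, event type strings and sample rows are constructed for illustration and are not the actual SEPM export schema.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export. Column names and values are hypothetical,
# not the real SEPM log schema.
SAMPLE_CSV = """event_type,client,remote_host,url
Browser Protection,WS-01,0.0.0.0,http://bad.example/login
Browser Protection,WS-02,0.0.0.0,https://bad.example/payload.js
Browser Protection,WS-01,0.0.0.0,https://redirect.example.net/?r=1
Network Intrusion,WS-03,203.0.113.7,
Network Intrusion,WS-03,0.0.0.0,
"""

UNSPECIFIED = "0.0.0.0"


def normalize(row):
    """Return the (kind, key) pair one event row should be grouped under."""
    is_browser = row["event_type"] == "Browser Protection"
    if is_browser and row["remote_host"] == UNSPECIFIED:
        # URL-based detection: no IP was recorded, so pivot on the hostname.
        host = urlsplit(row["url"]).hostname
        return ("domain", host) if host else ("unknown", None)
    if row["remote_host"] == UNSPECIFIED:
        # The explanation above covers only Browser Protection events,
        # so keep other 0.0.0.0 rows in their own bucket for review.
        return ("unknown", None)
    return ("ip", row["remote_host"])


def top_targets(csv_text):
    """Count events per normalized target instead of per raw remote host."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[normalize(row)] += 1
    return counts


if __name__ == "__main__":
    for (kind, key), n in top_targets(SAMPLE_CSV).most_common():
        print(f"{n:3d}  {kind:8s} {key}")
```
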