When browsing incident view, in some case the Target or Source are listed as 0.0.0.0.
Some system rules description says :
"At least 2 accounts at 0.0.0.0 have failed to authenticate within 600 seconds. This might indicate that a malicious user attempted to guess the accounts on the server and gain unauthorized access."
This situation happens when the source event doesn't contains the right information. In some situation the collector cannot map an "IP Source" or IP Destination" if it doesn't exist in the event.
This is working as designed, if the point product collecting from doesn't contain the information the collector cannot map this.
The correlation engine, as this field is blank, replaces it by 0.0.0.0.
This can happens with multiple collectors depending of the source event